DarkMatter, the notorious cyber-mercenary firm based in the United Arab Emirates, is seeking to become approved as a top-level certificate authority in Mozilla's root certificate program. Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would potentially be able to decrypt any HTTPS traffic they intercepted. One of the things HTTPS is good at is protecting your private communications from snooping governments, and when governments want to snoop, they regularly hire DarkMatter to do their dirty work.

[...]

Browsers rely on this list of authorities, which are trusted to verify and issue the certificates that allow for secure browsing, using technologies like TLS and HTTPS. Certificate Authorities are the basis of HTTPS, but they are also its greatest weakness. Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org). A certificate authority (or another organization, such as a government spy agency) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS.

[...]

The companies on your browser's trusted CA list rarely commit such fraud, since not issuing malicious certificates is the foremost responsibility of a certificate authority. But it can and does still happen. The concern in this case is that DarkMatter has made its business spying on internet communications, hacking dissidents' iPhones, and other cyber-mercenary work. DarkMatter's business objectives directly depend on intercepting end-user traffic on behalf of snooping governments. Giving DarkMatter a trusted root certificate would be like letting the proverbial fox guard the henhouse.

[...]

Other organizations have used this fact to game the system in the past and worm their way into our browsers.

In 2009, Mozilla allowed CNNIC, the Chinese state certification authority, into the root CA program, after CNNIC assured Mozilla and the larger community that it would not abuse this power to create fake certificates and break encryption. In 2015 CNNIC was caught in a scandal when an intermediate CA authorized by CNNIC issued illegitimate certificates for several Google-owned domains. Google, Mozilla, and others quickly revoked CNNIC's authority in their browsers and operating systems after learning about the breach of trust. CNNIC is not the only example of this. In 2013 Mozilla considered dropping the Swedish company Teliasonera after accusations that it had helped enable government spying. Teliasonera ultimately did not get dropped, but it continues to have security problems to this day.

https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-tru...

____

In short, the USA doesn't like competition! :-D

But... use HTTPS! HTTPS everywhere! HTTPS is secure! Let's Encrypt! :-D

Giacomo

PS: whoever doesn't know when NOT to use a tool lacks the skills to use it.
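The quoted article's central technical claim, that any root in the browser's trust store can issue a certificate for any hostname and the browser will accept it, is easy to see with a small, self-contained demonstration. The following Go program is an added example written for this page; it is not code from the post, from EFF, or from any CA. It builds two in-memory roots with hypothetical names ("Honest Root CA" and "Mercenary Root CA"), has the second one issue a server certificate for example.com, and verifies that certificate twice: once against a browser-style store that trusts both roots, and once against a store pinned to the honest root only. Standard-library `crypto/x509` verification is used in place of a real browser's chain builder, and the certificates are constructed at runtime rather than taken from any real CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca holds a root certificate and its signing key. Both roots below are
// constructed in memory with hypothetical names for this demonstration.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA builds a self-signed root CA certificate named name.
func newRootCA(name string) (*ca, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ca{cert: cert, key: key}, nil
}

// issueLeaf has the CA sign a TLS server certificate for host. Nothing in
// X.509 itself prevents any root from issuing for any host; only the CA's
// own policy (and external controls such as CT logging) stands in the way.
func (c *ca) issueLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor validates leaf for host against a trust store built from roots,
// the way a browser validates a server certificate against its root program list.
func verifyFor(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo reports whether a certificate for host issued by the rogue root is
// accepted (1) with a store trusting both roots and (2) with trust pinned to
// the honest root only.
func Demo(host string) (acceptedByFullStore, acceptedByPinnedStore bool, err error) {
	honest, err := newRootCA("Honest Root CA")
	if err != nil {
		return
	}
	rogue, err := newRootCA("Mercenary Root CA")
	if err != nil {
		return
	}
	rogueLeaf, err := rogue.issueLeaf(host)
	if err != nil {
		return
	}
	acceptedByFullStore = verifyFor(rogueLeaf, host, honest.cert, rogue.cert) == nil
	acceptedByPinnedStore = verifyFor(rogueLeaf, host, honest.cert) == nil
	return
}

func main() {
	full, pinned, err := Demo("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("rogue cert for example.com accepted, both roots trusted: %v\n", full)
	fmt.Printf("rogue cert for example.com accepted, trust pinned to honest root: %v\n", pinned)
}
```

The first check succeeds because the verifier has no notion of which CA is "supposed to" certify example.com; membership in the root store is the only thing that matters. The second check fails only because the relying party narrowed its trust. That is exactly why the composition of the root program, rather than any cryptographic property of TLS, decides whether the interception the article describes is possible.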