Skip to main content
Topic: Security conundrum (Read 863 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

Re: Security conundrum

Reply #15
Recently I saw this new distribution called unknownOS.  Among all government and evil corporate blocking they do on their list they also had riseup.net
This threw me a bit off and I haven't really seen or read anything that would make them a target.  Ausie gov. agencies were among the many blocked off. 

Re: Security conundrum

Reply #16
@#######

Thanks for the investigation there, it does clear things up a bit, and although I have QuoVadis as a CA I don't have anything from DarkMatter on any browser, so I guess that is OK for now.

Strange that they  should appear on a very recent pending list though - with today's date!

Re: Security conundrum

Reply #17
In case anyone is still interested in the topic, this is what protonmail have to say about the DarkMatter/QuoVadis  situation:

https://protonmail.com/blog/dark-matter-quo-vadis/

It more or less confirms what others have said in this topic.

Re: Security conundrum

Reply #18
Yes, that confirms what I had been looking at elsewhere too. It seems that if you have the master private key you can theoretically use it in a MITM attack, the intermediate certificate provided to Dark Matter allowed them to use it to issue their own certificates, but gives them no access to Quo Vadis, in fact it was Quo Vadis that they had to trust.
On the Dark Matter website they say:
We are currently serving a number of UAE based customers from both the public and private sector.
So unless you are dealing with the UAE - which is one of the wealthiest countries in the world, where you can find the cities Abu Dhabi and Dubai, and is generally well respected btw - then you might not encounter these certificates anyway.
This is of much wider relevance than encrypted email though, as certificates are used for https in general, which means passwords, logins and all secure web communication rely on them. I think it is understandable the UAE would not want their web traffic under European 'oversight' although for them to have their own system approved they will need to show their data protection and privacy policies are compatible and properly implemented, which the Project Raven report questions.