Where does PM get it's list of trusted CA's?

General discussion and chat (archived)
Thehandyman1957

Where does PM get it's list of trusted CA's?

Unread post by Thehandyman1957 » 2019-02-24, 02:58

Was doing some reading this evening when I ran across this article.
Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else
https://www.blacklistednews.com/article ... where.html

In it, they talk about a shady company getting trusted CA's with the likes of F.F. and the
cost of that decision.

My question is, does PM get their CA's from Mozilla? Or do we get them from somewhere else.
Forgive me if I am not using the right terminology here. :think:

Michaell
Lunatic
Lunatic
Posts: 282
Joined: 2018-05-26, 18:13

Re: Where does PM get it's list of trusted CA's?

Unread post by Michaell » 2019-02-24, 04:12

Not answer to your question, but....
Mozilla and other root certificate database maintainers (Microsoft, Google, and Apple)
:silent: :sick: :evil: :twisted: :cry: :!:

Years ago after Firefox update, I would go in and delete all but a few more trusted CAs.

Now I don't even bother using them most of the time.
Win10home(1709), PM33.0.0-portable as of Feb 1, '24

User avatar
Tomaso
Board Warrior
Board Warrior
Posts: 1622
Joined: 2015-07-23, 16:09
Location: Norway

Re: Where does PM get it's list of trusted CA's?

Unread post by Tomaso » 2019-02-24, 12:29

How to distrust DarkMatter certificates in Pale Moon:
1) Navigate to 'Tools' (or 'Pale Moon' button) > 'Preferences' > 'Advanced' > 'Certificates', and click on the "View Certificates" button.
2) Scroll down, and highlight all "QuoVadis Root" certificates.
3) Click on the "Delete or Distrust" button, and confirm distrust by clicking "OK".

Article @ gHacks:
https://www.ghacks.net/2019/02/24/how-t ... tificates/
A Reuter's article links DarkMatter to the United Arab Emirates government and surveillance operations.
One such operation, called Karma, saw the team hack iPhones of "hundreds of activists, political leaders, and suspected terrorists" according to Reuters.
--

EDIT:
Issue report @ GitHub:
https://github.com/MoonchildProductions/UXP/issues/983/
Last edited by Tomaso on 2019-02-24, 12:50, edited 4 times in total.

User avatar
hujan86
Fanatic
Fanatic
Posts: 194
Joined: 2017-09-27, 06:50

Re: Where does PM get it's list of trusted CA's?

Unread post by hujan86 » 2019-02-24, 12:39

DarkMatter controls an intermediary certificate already called QuoVadis. QuoVadis is owned by DigiCert which means that there is some oversight in place currently.
I'm speechless. :wtf:
Avatar's Source: yereverluvinuncleber

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 35481
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: Where does PM get it's list of trusted CA's?

Unread post by Moonchild » 2019-02-24, 18:36

Issue wontfixed.

To answer the question, root certificates in the trust store are part of NSS (i.e. we normally do not manage this ourselves but delegate this to the NSS team).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

User avatar
Moonraker
Board Warrior
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Where does PM get it's list of trusted CA's?

Unread post by Moonraker » 2019-02-24, 23:27

Just a cautionary note.disabling ir deleting these certs will cause issues with some known sites like twitter and protonmail seems to be affected also.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

Locked