QuoVadis Limited

John connor


Unread post by John connor » 2019-07-05, 06:52

Is this an issue for Pale Moon? I see the Certs are in there. Not sure if I need to remove them or not and if I do will there be any consequences? https://www.ghacks.net/2019/02/24/how-t ... tificates/


Re: QuoVadis Limited

Unread post by billmcct » 2019-07-05, 09:33

Pretty sure they are already "Untrusted".
Check to see. In "Certificate Manager", highlight and press the "Edit Trust" button.
--------------------------------------------------------------------------------------------------------------
The difference between the Impossible and the Possible lies in a man's Determination.
Tommy Lasorda


Re: QuoVadis Limited

Unread post by Tomaso » 2019-07-05, 15:15

billmcct wrote (2019-07-05, 09:33):
> Pretty sure they are already "Untrusted".

nope..
https://github.com/MoonchildProductions/UXP/issues/983/


Re: QuoVadis Limited

Unread post by Moonchild » 2019-07-05, 16:43

Also, instead of just "nope" you could have taken a second to copy/paste the relevant info here.

TL;DR: There is no conclusive evidence to support the article's call for distrust.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite


Re: QuoVadis Limited

Unread post by Tomaso » 2019-07-05, 19:08

After referring to GitHub posts, I've been warned for quoting them here before.

John connor

Re: QuoVadis Limited

Unread post by John connor » 2019-07-07, 10:58

What kind of possible breakage would I get if I remove the Certs?


Re: QuoVadis Limited

Unread post by Moonchild » 2019-07-07, 12:01

F22 Simpilot wrote (2019-07-07, 10:58):
> What kind of possible breakage would I get if I remove the Certs?

Since they are "builtins" you can't actually remove them, but you can distrust them (which is effectively the same).

Possible breakage would be the inability to visit (or load content from) any and all websites secured by the distrusted certificates. This may also break unrelated sites if they load resources from domains secured with the relevant distrusted root(s).

John connor

Re: QuoVadis Limited

Unread post by John connor » 2019-07-09, 09:22

Okay, that makes sense then. Thanks. I'll leave 'em be.


Re: QuoVadis Limited

Unread post by billmcct » 2019-07-09, 22:55


John connor

Re: QuoVadis Limited

Unread post by John connor » 2019-07-10, 05:59

And all deleted. Fuck this shit. And why is Startcom still there? I thought they went belly up?

John connor

Re: QuoVadis Limited

Unread post by John connor » 2019-07-12, 14:03

Just discovered Proton email uses QuoVadis Limited of all mail hosts. So I sent them an email and they told me that they are closely following the issue. If I were them I'd ditch that Cert, especially since your business is centered around privacy and security. I may make mention of this on my own website and Twitter. They had better switch Certs.

John connor

Re: QuoVadis Limited

Unread post by John connor » 2019-07-12, 19:53



Re: QuoVadis Limited

Unread post by Moonchild » 2019-07-12, 20:03

Let me quote some things from that very article which sums it up nicely and pretty much closes this discussion:

> The fact that QuoVadis has issued a certificate to DarkMatter has led some people to call for everyone to delete QuoVadis certificates from their browser. This rash action is unwarranted and could lead to many websites not working, including ProtonMail and ProtonVPN.
>
> These rumors and allegations are mostly arising from people who do not understand how the CA system works or have incorrect information.

Then:

> QuoVadis is not DarkMatter
>
> Contrary to what some people have alleged, QuoVadis is not owned or controlled by DarkMatter. QuoVadis is owned by DigiCert, another independent CA. [...] It handles certificates and cybersecurity for some of the world’s best-known corporations, including PayPal and Cloudflare.

and:

> An intermediate certificate is not a root certificate
>
> DarkMatter has an intermediate certificate issued by QuoVadis, and not a root certificate. This means that ultimately, DigiCert has oversight over all of the certificates which are issued using the intermediate certificate in question.


Re: QuoVadis Limited

Unread post by athenian200 » 2019-07-13, 01:44

It sounds to me like revoking all QuoVadis certificates over this is probably overkill. As far as I know (and I could be wrong), certificate authorities basically grant their certificates in exchange for money, the audits are mostly just a formality, and it doesn't really constitute an endorsement. I'm sure they aren't responsible for what DarkMatter does with that certificate after they grant it, and probably haven't had much of a chance to review the potential threat they present.

From what I gather, this is what basically happened. QuoVadis granted an intermediate certificate to DarkMatter, and was then acquired by DigiCert afterwards. Which means DigiCert will have to get around to reviewing a decision QuoVadis made without their input before acquisition, which is probably straining the bureaucracy at that company because it's an unusual situation. Now everyone is talking about whether sub-CAs should be scrutinized more and not be automatically granted authority based on their certificates being cross-signed by someone already trusted. In other words, it sounds like this situation has brought them to a point where they're questioning the entire mechanism that causes DarkMatter's certificates to be trusted merely because QuoVadis signs them. Some are saying that any sub-CA should have to be audited by the people running the root stores directly before their certificates are trusted/included, regardless of what an existing trusted CA says. A lot of people aren't happy with the fact that QuoVadis unilaterally made this decision to make DarkMatter's certificates trusted without broad consent. Most of the certificates they granted are uncontroversial and valid, but this one particular one is a mess.

If anything does come of this, there will be an overhaul to the entire way trust works on the Internet, because right now it's too easy for a dodgy sub-CA to be granted signing authority, or for a previously trusted CA to suddenly be acquired by an untrustworthy entity, and it's not easy to block/revoke it without also revoking all the legitimate certificates signed by the people who granted it to them. This situation has underscored what many are now seeing as a terrible weakness in the system, and they're saying it's similar to something that came up previously with CNNIC and TeliaSonera.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
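
Added example (not part of any post in this thread): a small Python model of the breakage discussed above when a builtin root is distrusted, including sites that only load resources from an affected domain, compared with a trust decision scoped to one intermediate. The CA names, hostnames and the assumption that the client can mark a single intermediate as distrusted are constructed for the model; no real certificates are parsed.

```python
# Constructed model PKI: subject -> issuer (a root is its own issuer).
# All names are placeholders, not real certificates.
ISSUER = {
    "Root A": "Root A",
    "Root B": "Root B",
    "Sub-CA A1": "Root A",        # ordinary intermediate under Root A
    "Sub-CA A2": "Root A",        # the one disputed intermediate
    "mail.example": "Sub-CA A1",
    "shop.example": "Sub-CA A2",
    "cdn.example": "Sub-CA A1",
    "news.example": "Root B",
}
BUILTIN_ROOTS = {"Root A", "Root B"}

# Page origin -> hosts it loads content from (itself plus subresources).
SITES = {
    "mail.example": ["mail.example"],
    "shop.example": ["shop.example"],
    "news.example": ["news.example", "cdn.example"],
}

def chain(subject):
    """Walk issuer links from a leaf up to its self-signed root."""
    path = [subject]
    while ISSUER[path[-1]] != path[-1]:
        path.append(ISSUER[path[-1]])
        if len(path) > len(ISSUER):
            raise ValueError("issuer loop")
    return path

def host_ok(host, distrusted):
    """A host validates if its chain ends in a builtin root and no
    certificate in the chain has been distrusted."""
    path = chain(host)
    return path[-1] in BUILTIN_ROOTS and not distrusted & set(path)

def breakage(distrusted):
    """Map each affected site to the hosts that stop validating."""
    distrusted = set(distrusted)
    report = {}
    for site, hosts in SITES.items():
        failed = [h for h in hosts if not host_ok(h, distrusted)]
        if failed:
            report[site] = failed
    return report

if __name__ == "__main__":
    print("distrust root:        ", breakage({"Root A"}))
    print("distrust intermediate:", breakage({"Sub-CA A2"}))
```

In the model, distrusting the root breaks every site under it plus `news.example`, which chains to a different root but loads from `cdn.example`; distrusting only the disputed intermediate affects `shop.example` alone.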

Locked