Mozilla, Microsoft yank TrustCor’s root certificate authority after U.S. contractor revelations


Major browsers moved Wednesday to stop using a mystery software company that certified websites were secure, three weeks after The Washington Post reported its ties to a US military contractor.

Mozilla Firefox and Microsoft’s Edge said they would stop relying on new certificates from TrustCor Systems that guaranteed the legitimacy of websites accessed by their users, capping weeks of online arguments between their technology experts, outside researchers and TrustCor, which said it had no ongoing ties that should cause concern. Other tech companies are expected to follow suit.

“Certificate Authorities have very trusted roles in the Internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company involved in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a browser security mailing list. “TrustCor’s responses through its Vice President of CA operations further demonstrate the factual basis for Mozilla’s concerns.”

A mysterious company with government ties plays a key online role

The Post reported Nov. 8 that TrustCor’s Panamanian registry records showed the same list of officers, agents and associates as a spyware maker identified this year as a subsidiary of Arizona-based Packet Forensics, which sold communications interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of action” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.

The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers usually ship with more than a hundred authorities approved by default, including governments and small companies, each trusted to certify that secure websites are what they claim to be.


TrustCor has a small staff in Canada, where it is officially based at a UPS Store mail drop, the company’s managing director Rachel McPherson told Mozilla in the email discussion thread. She said employees there work remotely, though she acknowledged the company has infrastructure in Arizona as well.

McPherson said that some of the same holding companies invested in TrustCor and Packet Forensics but that ownership in TrustCor was transferred to employees. Packet Forensics also said it had no ongoing business relationship with TrustCor.

Several technologists in the discussion said they found TrustCor evasive about basic issues like legal domicile and ownership, which they said was inappropriate for a company wielding the power of a root certificate authority, which not only vouches that a secure, https website is not an impostor but can also override other certificate issuers to do the same.
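The passage above, and the earlier description of browsers shipping with more than a hundred default roots, rest on one property of the web PKI: any root in the trust store can issue a certificate for any domain, regardless of which authority the site actually uses, and a browser only stops accepting such certificates once it removes that root. The following Go program (an added illustration written for this page, not code from The Post, Mozilla or any company named here) builds two constructed roots with the standard library, has the second one issue a certificate for a hostname the first one already certifies, and shows that the chain verifies while both roots are trusted and fails once the second root is distrusted, while the legitimately issued certificate still verifies. All certificate names and keys are generated in memory for the demonstration; nothing touches a real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot creates a self-signed CA certificate. The name is constructed for
// the demonstration and does not correspond to any real certificate authority.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueLeaf has the given root sign a server certificate for host. Nothing in
// the PKI stops a second root from doing this for a host another root already
// certified; that is the "override other issuers" power the article describes.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// chainTrusted mimics a browser's check: does leaf verify for host against
// exactly this set of trusted roots?
func chainTrusted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo returns three verdicts for a constructed host: whether the second
// root's certificate is accepted while both roots are trusted, whether it is
// still accepted after the second root is removed, and whether the first
// root's own certificate survives that removal.
func Demo() (acceptedBefore, acceptedAfter, legitimateStillOK bool) {
	const host = "shop.example" // constructed hostname
	rootA, keyA := newRoot("Example Root A (constructed)")
	rootB, keyB := newRoot("Example Root B (constructed)")

	legitimate := issueLeaf(rootA, keyA, host) // the site's real certificate
	overriding := issueLeaf(rootB, keyB, host) // same host, issued by the other root

	acceptedBefore = chainTrusted(overriding, []*x509.Certificate{rootA, rootB}, host)
	acceptedAfter = chainTrusted(overriding, []*x509.Certificate{rootA}, host) // root B distrusted
	legitimateStillOK = chainTrusted(legitimate, []*x509.Certificate{rootA}, host)
	return
}

func main() {
	before, after, legit := Demo()
	fmt.Printf("second-root certificate accepted with both roots trusted: %v\n", before)
	fmt.Printf("second-root certificate accepted after that root is removed: %v\n", after)
	fmt.Printf("first-root certificate still accepted: %v\n", legit)
}
```

The third verdict is the part worth noticing from a defender's perspective: removing one root from the store is a targeted change that breaks only the chains that lead back to it, which is why browser vendors can drop an authority without disturbing sites certified elsewhere.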

The Post report built on the work of two researchers who first located the company’s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. Those two and others also conducted experiments on a secure email offering from TrustCor called MsgSafe.io. They found that contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.


McPherson said the various technology experts weren’t using the right version or didn’t configure it correctly.

In announcing Mozilla’s decision, Wilson cited the past overlaps in officers and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.

The Pentagon did not respond to a request for comment.

There have been sporadic efforts to make the certification process more accountable, sometimes following revelations of suspicious activity.

In 2019, a security company controlled by the government of the United Arab Emirates, known as DarkMatter, requested to be upgraded to a top-level root authority from an intermediate authority with less independence. This followed revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied it root power.

In 2015, Google withdrew the root authority from the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites.

Reardon and Egelman earlier this year found that Packet Forensics was connected to the Panamanian company Measurement Systems, which paid programmers to include code in various programs to record and transmit phone numbers, email addresses and precise locations of users. They estimated that those apps have been downloaded more than 60 million times, including 10 million downloads of Islamic prayer apps.

The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records.


After the researchers shared their findings, Google pulled all apps with the spy code from its Play app store.

They also found that a version of that code was included in a test version of MsgSafe. McPherson told the email list that a developer included that without getting it cleared by executives.

Packet Forensics first attracted attention from privacy advocates a dozen years ago.

In 2010, researcher Chris Soghoian attended an invitation-only industry conference nicknamed the Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence clients.

The brochure was for hardware to help buyers read network traffic that parties deemed secure. But it wasn’t.

“IP communication dictates the need to screen encrypted traffic at will,” the brochure read, according to a report in Wired. “Your investigative staff will gather its best evidence while users are lulled into a false sense of security provided by web, email or VOIP encryption,” the brochure added.

Researchers thought at the time that the most likely way the box was used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of a fraudulent communications site.

They did not conclude that an entire certificate authority itself could be compromised.

Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they heard little until The Post published its report.
