“Certificate Authorities have highly trusted roles in the Internet ecosystem and it is unacceptable for a Certificate Authority to be closely tied, by ownership and operation, to a company engaged in the distribution of malware,” said writes Kathleen Wilson of Mozilla to a browser security mailing list. experts. “Trustcor’s responses via their VP of CA Operations further support the factual basis for Mozilla’s concerns.”
The Post reported Nov. 8 that TrustCor’s Panamanian registration records showed the same list of officers, agents and partners as a spyware maker identified this year as a subsidiary of Arizona-based Packet Forensics. , which sold communication interception services to US government agencies. for over a decade. One of those contracts stated that the “place of performance” was Fort Meade, Maryland, the headquarters of the National Security Agency and the Pentagon’s Cyber Command.
The case brought to light the murky systems of trust and control that allow people to rely on the internet for most needs. Browsers typically have over a hundred trusted authorities by default, including government and small business ones, to transparently certify that secure websites are what they’re supposed to be.
TrustCor has a small team in Canada, where it is officially based at a UPS Store, company executive Rachel McPherson told Mozilla in the email thread. She said employees were working remotely, though she acknowledged the company also had infrastructure in Arizona.
McPherson said some of the same holding companies invested in TrustCor and Packet Forensics, but ownership of TrustCor was transferred to employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.
Several technologists participating in the discussion said they found TrustCor evasive on fundamental issues such as legal domicile and ownership, which they said was inappropriate for a company wielding the power of a root CA, which not only asserts that a secure https website is not an impostor but can delegate other certificate issuers to do the same.
The Post’s report relied on the work of two researchers who first located the company’s records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley. These two and others have also been experimenting with a secure messaging offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said the various tech experts either used the wrong version or configured it incorrectly.
In announcing Mozilla’s decision, Wilson cited past overlaps of officers and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
Sporadic efforts have been made to make the certificate process more accountable, sometimes after suspicious activity has come to light.
In 2019, a UAE government-controlled security company known as DarkMatter requested to be upgraded to a high-level root authority from an intermediate authority with less independence. This followed revelations that DarkMatter had hacked dissidents and even Americans; Mozilla denied him root power.
In 2015, Google removed the China Internet Network Information Center (CNNIC) root authority after allowing an intermediate authority to issue fake certificates for Google sites.
Reardon and Egelman discovered earlier this year that Packet Forensics was connected to the Panamanian company Measurement Systems, which paid software developers to include code in a variety of applications to record and transmit telephone numbers, email addresses. -email and exact locations of users. They estimated that these apps have been downloaded over 60 million times, including 10 million Muslim prayer app downloads.
The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name registrations. Vostrom filed documents in 2007 to do business as Packet Forensics, according to Virginia state records.
After the researchers shared their findings, Google started all apps with the spy code from its Play app store.
They also discovered that a version of this code was included in a test version of MsgSafe. McPherson told the mailing list that a developer included it without getting executive approval.
Packet Forensics first caught the attention of privacy advocates a dozen years ago.
In 2010, researcher Chris Soghoian attended an invitation-only industry conference dubbed the Wiretapper’s Ball and obtained a Packet Forensics brochure for law enforcement and intelligence agency clients.
The brochure was for hardware intended to help buyers read web traffic that the parties believed to be secure. But that was not the case.
“IP communication dictates the need to examine encrypted traffic at will,” the brochure reads, according to a Wired report. “Your investigative staff will collect their best evidence while users are lulled into a false sense of security offered by web, email or VOIP encryption,” the brochure adds.
Researchers believed at the time that the most likely way to use the box was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of a site. impostor communication.
They did not conclude that an entire CA itself could be compromised.
Reardon and Egelman alerted Google, Mozilla and Apple to their TrustCor research in April. They said they had heard little until the Post published its report.
#Web #browsers #abandon #mysterious #company #linked #military #contractor