This week several major web browsers quickly severed ties with a little-known certificate authority whose root certificates they had been using to vouch for websites' identities, three weeks after the Washington Post exposed its connections to a US military contractor, the Post reports.
TrustCor Systems operated root certificates trusted by default in Mozilla Firefox and Microsoft Edge; browsers rely on such roots to vouch that a website is who it claims to be.
“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” said Mozilla’s Kathleen Wilson in an email to browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiate the factual basis for Mozilla’s concerns.”
According to TrustCor’s Panamanian (!?) registration records, the company has the same slate of officers, agents and partners as Arizona-based Packet Forensics, which has sold communication interception services to the U.S. government for over a decade.
One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.
The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be. -WaPo
Also of concern, TrustCor’s small staff in Canada lists a UPS Store mail drop as its place of operation, according to company executive Rachel McPherson, who says she told the Canadian staffers to work remotely. She also acknowledged that the company has ‘infrastructure’ in Arizona.
McPherson acknowledged that some of the same holding companies had invested in both TrustCor and Packet Forensics, but said that ownership of TrustCor has since been transferred to employees.
Various technologists in the email discussion said they found TrustCor evasive on basic facts such as legal domicile and ownership, which they said was not appropriate for a company operating a root certificate authority, whose certificates are what let a browser verify that a secure ‘https’ website is not an impostor.
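A practical check that follows from this story: is a given CA actually present in the trust store your software uses? The following is an added example, not code from the Post's report or from any of the companies named. It uses only Python's standard `ssl` module; the two sample root entries (organization names, common names, dates and serials) are constructed for illustration and are not real TrustCor certificates.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample records in the shape ssl.SSLContext.get_ca_certs() returns:
# each distinguished name is a tuple of RDNs, each RDN a tuple of (attribute, value)
# pairs. Names, dates and serials are made up for this example; they are not
# real TrustCor root certificates.
SAMPLE_ROOTS = [
    {
        "subject": ((("countryName", "PA"),),
                    (("organizationName", "TrustCor Systems"),),
                    (("commonName", "Example Root CA A"),)),
        "issuer": ((("countryName", "PA"),),
                   (("organizationName", "TrustCor Systems"),),
                   (("commonName", "Example Root CA A"),)),
        "notBefore": "Jan  1 00:00:00 2016 GMT",
        "notAfter": "Dec 31 23:59:59 2029 GMT",
        "serialNumber": "01",
        "version": 3,
    },
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Services"),),
                    (("commonName", "Example Root CA B"),)),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Example Trust Services"),),
                   (("commonName", "Example Root CA B"),)),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2040 GMT",
        "serialNumber": "02",
        "version": 3,
    },
]


def rdn_value(name, attribute):
    """Return the first value of `attribute` in an ssl-style distinguished name."""
    for rdn in name:
        for attr, value in rdn:
            if attr == attribute:
                return value
    return None


def describe(cert):
    """Summarise one trust-store entry; a root is self-signed (subject == issuer)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "cn": rdn_value(cert["subject"], "commonName"),
        "org": rdn_value(cert["subject"], "organizationName"),
        "self_signed": cert["subject"] == cert["issuer"],
        "expires": datetime.fromtimestamp(expires, tz=timezone.utc),
    }


def find_roots_by_org(certs, needle):
    """Return summaries of entries whose subject organization contains `needle`."""
    needle = needle.lower()
    return [describe(c) for c in certs
            if needle in (rdn_value(c["subject"], "organizationName") or "").lower()]


def audit_local_store(needle):
    """Run the same search over this machine's default trust store.

    create_default_context() loads the platform roots; get_ca_certs() lists the
    certificates OpenSSL has actually loaded. On builds that load lazily from a
    hashed directory the list can be empty, so an empty result is not proof that
    a CA is absent; check the OS store directly in that case.
    """
    ctx = ssl.create_default_context()
    return find_roots_by_org(ctx.get_ca_certs(), needle)


if __name__ == "__main__":
    for entry in find_roots_by_org(SAMPLE_ROOTS, "trustcor"):
        print("sample store:", entry)
    print("this machine:", audit_local_store("TrustCor"))
```

Removing a root from a browser's store is a policy decision by the browser vendor, but the same search applies to any trust store an application ships or an OS maintains; a CA distrusted by Mozilla can remain trusted by a Python or Java runtime that carries its own bundle.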
The Post report built on the work of two researchers who had first located the company’s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. Those two and others also ran experiments on a secure email offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said the various technology experts had not used the right version or had not configured it properly. -WaPo
In an earlier case illustrating what is at stake in root-level trust, DarkMatter, a security company controlled by the United Arab Emirates, applied in 2019 to be elevated to a top-level root authority from its status as an intermediate authority, which operates under another CA's root and with less independence. The request followed revelations that DarkMatter had hacked dissidents and even some Americans, and Mozilla denied it root status.