Mozilla’s Kathleen Wilson wrote to the browser security mailing list: “Certificate authorities have highly trusted roles in the Internet ecosystem, and it is unacceptable for a CA to be closely associated with a malware distribution company through ownership and operation,” experts said. “Trustcor’s responses through CA’s vice president of operations further substantiate the factual basis for Mozilla’s concerns.”
The Post reported on Nov. 8 that TrustCor’s Panamanian registration records show the same officers, agents and partners as the spyware maker, known as an affiliate of Arizona-based Packet Forensics, which sold communications interception services to U.S. government agencies this year. for more than ten years. In one of those contracts, the “venue” was Fort Meade, Md., home of the National Security Agency and the Pentagon’s Cyber Command.
The case has brought new attention to the dark trust and verification systems that allow people to trust the internet for most purposes. Browsers usually have over a hundred authorities, including government-owned ones and small companies, to prove that secure websites are what they say they are.
TrustCor has a small staff in Canada, where it is officially located in a UPS Store mailbox, company CEO Rachel McPherson told Mozilla in an email discussion. He acknowledged that the company also has infrastructure in Arizona, but said that employees there work remotely.
Some of the same holding companies invested in TrustCor and Packet Forensics, McPherson said, but ownership of TrustCor has passed to employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.
Several technologists involved in the debate said TrustCor missed key issues like legal residency and ownership, saying it was not appropriate for a company using the authority of a root certificate authority to claim it was not just a secure, https website. the fraudster can, however, proxy other certificate issuers to do the same.
The Post report is based on the work of two researchers, Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley, who first found the company’s corporate records. These two and others have also experimented with a secure email offering from TrustCor called MsgSafe.io. They found that, contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said various technology professionals were either using the correct version or not configuring it correctly.
In announcing Mozilla’s decision, Wilson cited past overlaps in officials and operations between TrustCor and MsgSafe, a Panamanian spyware company formerly associated with Packet Forensics, and TrustCor and Measurement Systems.
The Pentagon did not respond to a request for comment.
Sporadic attempts have been made to make the certification process more accountable, sometimes after suspicious activity has been discovered.
In 2019, a security company controlled by the United Arab Emirates government known as DarkMatter applied to be promoted from an intermediate authority to a high-level root authority with less independence. This followed revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied its root power.
In 2015, Google revoked the core authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediary authority to issue fake certificates for Google sites.
Reardon and Egelman discovered earlier this year that Packet Forensics was linked to Measurement Systems, a Panamanian company that paid software developers to insert code into various programs to record and transmit users’ phone numbers, email addresses and exact locations. According to their estimates, these apps have been downloaded more than 60 million times, including 10 million times of Muslim prayer apps.
Measurement Systems’ website is registered by Vostrom Holdings according to its historical domain name records. Vostrom filed for business as Packet Forensics in 2007, according to Virginia state records.
After the researchers shared their findings, Google downloaded all the apps from its Play app store with the spy code.
They also discovered that a version of that code was included in a trial version of MsgSafe. McPherson said a developer on the email list included it without being cleared by executives.
Packet Forensics first caught the attention of privacy advocates a decade ago.
In 2010, researcher Chris Soghoian attended an invitation-only industry conference nicknamed the Wiretapper’s Ball and obtained a Forensic Package package aimed at law enforcement and intelligence agency clients.
The brochure was a piece of hardware to help buyers read web traffic that the parties believed to be secure. But it wasn’t.
“IP communication dictates the need to voluntarily inspect encrypted traffic,” the brochure reads, according to a Wired report. “Your user staff will collect the best evidence while users are lulled into a false sense of security provided by web, email or VOIP encryption,” the brochure added.
The researchers thought at the time that the most likely way the box was used was through a certificate issued by an authority in exchange for money, or a court order vouching for the authenticity of a fraudulent communications site.
They did not conclude that an entire certification authority itself could be compromised.
Reardon and Egelman notified Google, Mozilla and Apple in April of their investigation into TrustCor. They said they heard little until The Post published its report.