“Certificate Authorities have highly trusted roles in the Internet ecosystem, and it is unacceptable for a CA to be so closely linked, through ownership and operation, to a company engaged in malware distribution,” Mozilla’s Kathleen Wilson wrote to the browser security mailing list. “TrustCor’s responses via its Vice President of CA Operations support the factual basis for Mozilla’s concerns.”
The mysterious company with government ties plays a major role on the Internet
The Post reported on November 8 that TrustCor’s Panamanian registration records showed the same list of officers, agents and associates as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communications interception services to US government agencies for more than a decade. One such contract listed a “place of performance” at Fort Meade, Maryland, home to the National Security Agency and the Pentagon’s Cyber Command.
The case highlighted the opaque system of trust and checks that lets people rely on the internet for most purposes. Browsers typically ship with more than a hundred approved root authorities by default, including some owned by governments and small businesses, each of which can silently vouch that a secure site is what it claims to be. Because any one of those roots can issue a certificate for any domain, the system is only as trustworthy as its least trustworthy root.
TrustCor has a small number of employees in Canada, where its registered address is a UPS Store, company CEO Rachel McPherson told Mozilla in an email discussion thread. She said employees there work remotely, though she acknowledged the company has infrastructure in Arizona as well.
Some of the same holding companies have invested in both TrustCor and Packet Forensics, McPherson said, but ownership of TrustCor has since been transferred to its employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.
Several technologists in the discussion said they found TrustCor evasive on basic matters such as legal domicile and ownership, which they said was unsuitable for a company holding the powers of a root certificate authority. A root not only asserts that a secure https site is not fraudulent; it can also delegate that power to other certificate issuers (intermediates) that it signs.
The Post’s report relied on the work of two researchers who were the first to locate the company’s records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley. These two and others have also experimented with TrustCor’s secure email offering, MsgSafe.io. They found that, contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said the technologists had not used the correct version or had not configured it properly.
In announcing Mozilla’s decision, Wilson cited past overlaps in officers and operations between TrustCor and MsgSafe, and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
There have been sporadic efforts to make the certificate authority process more accountable, sometimes only after suspicious activity has been detected.
In 2019, a UAE government-controlled security firm then known as DarkMatter applied to be promoted from an intermediate authority, which has less independence, to a top-level root authority. The application followed revelations that DarkMatter had hacked dissidents and even some Americans. Mozilla denied it root status.
In 2015, Google withdrew its trust in the root authority of the China Internet Network Information Center (CNNIC) after CNNIC allowed an intermediate it had signed to issue unauthorized certificates for Google domains.
Reardon and Egelman found earlier this year that Packet Forensics was connected to Panamanian Measurement Systems, which paid software developers to embed code in a variety of apps to record and send users’ phone numbers, email addresses and precise locations. They estimated that these apps had been downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records.
After the researchers shared their findings, Google removed all the apps containing the spy code from the Play Store.
They also found that a version of this code was included in a test release of MsgSafe. McPherson told the email list that one of the developers had included it without the executives’ permission.
Packet Forensics first caught the attention of privacy advocates more than ten years ago.
In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed the Wiretappers’ Ball and picked up a Packet Forensics brochure intended for law enforcement and intelligence agency customers.
The brochure was for a piece of hardware to help buyers read web traffic that the communicating parties believed was secure. It wasn’t.
According to a report in Wired, the brochure stated: “IP connectivity dictates the need to inspect encrypted traffic at will.” It added: “Your investigative team will gather its best evidence while users are lulled into a false sense of security provided by web, email or VOIP encryption.”
Researchers at the time thought the most likely way the device was used was with a certificate obtained from a certificate authority, for money or under court order, that would vouch for the authenticity of an impostor communications site.
They did not conclude that an entire certificate authority might be compromised.
Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they had heard little in response until The Post published its report.