“Certificate authorities play very trusted roles in the Internet ecosystem, and it is unacceptable for a CA to be closely owned and operated by a malware distribution company,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “TrustCor’s responses from the CA’s VP of Operations further substantiate the factual basis for Mozilla’s concerns.”
A mysterious company with government ties plays a major role on the Internet
The Post reported on Nov. 8 that TrustCor’s Panamanian registration records show the same list of officers, agents and partners as the spyware maker, identified this year as an Arizona affiliate of Packet Forensics, which has sold communications interception services to U.S. government agencies for more than a decade. One of those contracts listed Fort Meade, Md., home of the National Security Agency and the Pentagon’s Cyber Command, as the “place of performance.”
The case has drawn new attention to the little-scrutinized system of trust and checks that lets people rely on the Internet for most purposes. Browsers typically ship with more than a hundred approved certificate authorities by default, ranging from government-owned institutions to small businesses, each trusted to vouch that a website presenting an HTTPS certificate is the site it claims to be.
TrustCor has a small staff in Canada, where it is officially based at a UPS Store mail drop-off location, company manager Rachel McPherson told Mozilla in an email discussion thread. She said employees are working remotely, though she acknowledged the company also has infrastructure in Arizona.
McPherson said some of the same holding companies have invested in TrustCor and Packet Forensics, but ownership of TrustCor has been transferred to employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.
Several technologists in the discussion said they found TrustCor evasive about basic matters such as legal domicile and ownership, which they said was inappropriate for a company wielding the power of a root certificate authority: a root not only vouches that a secure HTTPS site is not an impostor but can also delegate that power to intermediate certificate issuers it signs.
The Post report was based on the work of two researchers who first found the company’s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley. The two and others also experimented with a secure email offering from TrustCor called MsgSafe.io. They found that, contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said the various technology experts had not used the correct version or had not configured it correctly.
In announcing Mozilla’s decision, Wilson cited previous overlap in officials and operations between TrustCor and MsgSafe, as well as between TrustCor and Measurement Systems, a Panamanian spyware company previously reported to have ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
There have been sporadic efforts to make the certification process more accountable, sometimes following the discovery of suspicious activity.
In 2019, DarkMatter, a security company controlled by the government of the United Arab Emirates, applied to be upgraded from an intermediate authority, which operates under another root’s supervision, to a top-level root authority. That followed revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied it root status.
In 2015, Google stopped trusting the root certificate of the China Internet Network Information Center (CNNIC) after CNNIC let an intermediate authority issue fraudulent certificates for Google domains.
Reardon and Egelman revealed earlier this year that Packet Forensics was connected to Measurement Systems, a Panamanian company that paid software developers to insert code into various apps to record and transmit users’ phone numbers, email addresses and precise location. They estimate that these apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
According to historical domain name records, the Measurement Systems website was registered by Vostrom Holdings. Vostrom filed to do business as Packet Forensics in 2007, according to Virginia state records.
Google removed all apps containing the spying code from its Play app store after the researchers shared their findings.
They also found that a version of the code was included in a test version of MsgSafe. McPherson told the mailing list that a developer had included it without the managers’ approval.
Packet Forensics first caught the attention of privacy advocates a decade ago.
In 2010, researcher Chris Soghoian attended an invitation-only industry conference nicknamed the Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers.
The brochure advertised hardware to help buyers read web traffic that the communicating parties believed was secure. It was not.
“IP communication necessitates the at-will inspection of encrypted traffic,” the brochure said, according to a Wired report. “Your investigative staff will obtain the best evidence while users are lulled into a false sense of security by web, email or VOIP encryption,” the brochure added.
Researchers at the time said the box was most likely used together with a certificate, issued by a trusted authority either for money or under a court order, that would make an impostor communications site appear authentic to the target’s browser.
They did not conclude that an entire certificate authority could be compromised.
Reardon and Egelman alerted Google, Mozilla and Apple in April about their research into TrustCor. They said they had heard little until The Post published its report.