Web browsers ditch mysterious company with ties to US military contractor
Major web browsers moved Wednesday to stop using a mysterious software company that certified websites were secure, three weeks after The Washington Post reported its ties to a U.S. military contractor.
Mozilla’s Firefox and Microsoft’s Edge said they would stop relying on new certificates from TrustCor Systems that guarantee the legitimacy of websites their users have reached, ending weeks of online disputes among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties to the contractor. Other technology companies are expected to follow suit.
“Certificate authorities have very trusted roles in the Internet ecosystem, and it is unacceptable for a CA to be closely associated, through ownership and operation, with a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “Trustcor’s response via their Vice President of CA Operations further substantiates the factual basis for Mozilla’s concerns.”
The Post reported Nov. 8 that TrustCor’s Panamanian registration records showed the same list of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communications interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of performance” as Fort Meade, Md., home of the National Security Agency and the Pentagon’s Cyber Command.
The case has put a new spotlight on the obscure systems of trust and checks that allow people to trust the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including governments and small companies, to seamlessly certify that secure websites are what they say they are.
TrustCor has a small staff in Canada, where it is officially based out of a UPS Store mailbox, company executive Rachel McPherson told Mozilla in the email discussion thread. She said employees there work remotely, though she acknowledged the company also has infrastructure in Arizona.
McPherson said some of the same holding companies had invested in TrustCor and Packet Forensics, but that ownership of TrustCor had been transferred to employees. Packet Forensics also said it had no ongoing business relationship with TrustCor.
Several technologists in the discussion said they found TrustCor evasive about basic issues like legal residency and ownership, which they said was inappropriate for a company that has the power of a root certificate authority, which doesn’t just vouch that a secure https site isn’t an impostor, but can authorize other certificate issuers to do the same.
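The mechanics the experts are describing, as an added shell example that is not part of the article and not code from any company it names: a throw-away PKI in which a root in the trust store authorizes an intermediate that then vouches for a hostname, and the same leaf certificate is rejected once that root is left out of the store, which is what distrusting a CA amounts to. It assumes only the openssl command-line tool (1.1.1 or newer); every name and hostname in it is made up.

```shell
# Added example (not from the article or any company it names): a throw-away PKI
# showing two properties of the root-CA model. A root in the trust store can
# authorize an intermediate, which can then vouch for any hostname, and the only
# thing standing between a browser and that chain is whether the root is in its
# store. Assumes the `openssl` CLI (1.1.1 or newer); all names are made up.
set -eu

# Build into scratch dir $1: a self-signed root, an intermediate it signs, a leaf
# for login.example.test signed by the intermediate, and an unrelated second root.
build_demo_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:login.example.test\n' > leaf.ext
  for n in root other_root inter leaf; do   # one EC key and CSR per entity
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
      -subj "/CN=Demo $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in other_root.csr -signkey other_root.key -set_serial 2 -days 30 \
    -extfile ca.ext -out other_root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 3 -days 30 \
    -extfile ca.ext -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 4 -days 30 \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# A "browser trust store" is just the concatenation of the roots it accepts.
# Distrusting a CA, as Mozilla and Microsoft did, means leaving its root out.
make_store() { out=$1; shift; cat "$@" > "$out"; }

# Does the leaf in dir $2 validate for hostname $3 against store $1? Prints
# trusted/untrusted instead of exiting so it can be called under `set -e`.
verify_leaf() {
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$2/inter.pem" \
       -verify_hostname "$3" "$2/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Stand-alone run: the same leaf flips from trusted to untrusted purely on
# whether its root is in the store; a hostname mismatch is also rejected.
demo() {
  d=$(mktemp -d); build_demo_pki "$d"
  make_store "$d/full.pem" "$d/root.pem" "$d/other_root.pem"
  make_store "$d/pruned.pem" "$d/other_root.pem"
  echo "full store:   $(verify_leaf "$d/full.pem" "$d" login.example.test)"
  echo "pruned store: $(verify_leaf "$d/pruned.pem" "$d" login.example.test)"
  echo "wrong host:   $(verify_leaf "$d/full.pem" "$d" bank.example.test)"
  rm -rf "$d"
}
```

Run `demo` to see the three outcomes; the pruned store is the CA-level equivalent of what the browsers announced, since nothing about the leaf or intermediate changes.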
The Post report built on the work of two researchers who had first located the company’s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. These two and others also ran experiments on a secure email offering from TrustCor called MsgSafe.io. They found that contrary to MsgSafe’s public claims, emails sent through the system were not end-to-end encrypted and could be read by the company.
McPherson said the various technology experts had not used the correct version or had not configured it correctly.
In announcing Mozilla’s decision, Wilson cited previous overlaps in officers and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
There have been sporadic attempts to make the certificate process more accountable, sometimes following revelations of suspicious activity.
In 2019, a security company controlled by the United Arab Emirates government that had been known as DarkMatter applied to be upgraded to a top-level root authority from an intermediate authority with less independence. It followed the revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied it root power.
In 2015, Google revoked the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediary authority to issue fake certificates for Google websites.
Reardon and Egelman discovered earlier this year that Packet Forensics was connected to the Panamanian company Measurement Systems, which paid software developers to include code in a variety of apps to record and transmit users’ phone numbers, email addresses and precise locations. They estimated that these apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
Measurement Systems’ website was registered by Vostrom Holdings, according to historical domain name registrations. Vostrom filed paperwork in 2007 to do business as Packet Forensics, according to Virginia State Records.
After the researchers shared their findings, Google removed all apps containing the spy code from the Play Store.
They also found that a version of that code was included in a test version of MsgSafe. McPherson told the mailing list that a developer had included it without getting it cleared by managers.
Packet Forensics first attracted the attention of privacy advocates a dozen years ago.
In 2010, researcher Chris Soghoian attended an invite-only industry conference nicknamed the Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers.
The brochure was for a piece of hardware to help buyers read Internet traffic that the parties believed to be secure. But it wasn’t.
“IP communications dictate the need to examine encrypted traffic at will,” the brochure says, according to a report in Wired. “Your investigative staff will gather their best evidence while users are lulled into a false sense of security offered by web, email or VOIP encryption,” the brochure said.
Researchers believed at the time that the most likely way the box was used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of an impostor communication site.
They did not conclude that an entire CA itself could be compromised.
Reardon and Egelman notified Google, Mozilla and Apple of their research on TrustCor in April. They said they had heard little back before The Post published its report.