olly - stock.adobe.com
After weeks of discussions, Mozilla and Microsoft have removed trust for TrustCor Systems' certificates and removed the company from their respective root certificate stores.
The decisions follow an investigate report from The Washington Post earlier this month that showed TrustCor's apparent connections to spyware vendor Packet Forensics as well as other companies with ties to the U.S. intelligence community. Rachel McPherson, TrustCor's vice president of operations, responded angrily in an open letter, claiming the article was driven by biased security researchers and "filled with ridiculous, false claims and out-of-context statements."
However, after reviewing evidence against TrustCor, Mozilla and Microsoft decided to revoke trust for the root certificate authority (CA), which will make TrustCor's certificates unusable for FireFox and Edge web browsers as well as other products.
"Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor's continued membership in Mozilla's Root Program outweighs the benefits to end users," Kathleen Wilson, program manager with Mozilla, said Wednesday in the organization's CA discussion group.
"Certificate authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor's responses via their vice president of CA operations further substantiates the factual basis for Mozilla's concerns."
Representatives from Google and Apple had previously expressed concern in the discussion group over the allegations and evidence against TrustCor. But at press time, neither company had announced a decision about the root CA's standing.
Root CAs wield extensive power in the certificate ecosystem because their public key infrastructure (PKI) forms the foundation of the cryptographic trust chain. They are the most trusted and critical CAs for browser companies. In addition to producing their own certificates, root CAs can use their PKI to sign and validate the certificates of third-party intermediate CAs further down the trust chain.
The trouble with TrustCor
The Washington Post found several red flags for TrustCor, one being that the company's physical address listed in a CA audit was a UPS store in Toronto. More importantly, the report cited business registration documents from Panama, where the company is based, that tied TrustCor corporate officers, agents and partners -- including CEO Raymond Alan Saulino -- to Packet Forensics.
Packet Forensics is ostensibly a federal government contractor, but a 2010 Wired article revealed the company sold communication intercept products that could essentially bypass web browsers' SSL encryption -- the very protection provided by digital certificates from CAs. Packet Forensics' products used forged certificates to commit a man-in-the-middle attack and steal private communications, according to the Wired report.
Earlier this year, two security researchers -- Joel Reardon, a professor at the University of Calgary, and Serge Egelman of the University of California, Berkeley -- discovered malicious activity in a series of Android apps that contained data-harvesting code and an SDK produced by Panamanian company Measurement Systems.
According to a Wall Street Journal report in April on Reardon and Egelman's research, corporate and web domain records tied Measurement Systems to Vostrom Holdings, a U.S. defense contractor based in Virginia Beach. The Journal also reported that Packet Forensics is a subsidiary of Vostrom Holdings.
Earlier this month, the Washington Post reported more red flags beyond the paper trail connecting TrustCor to Packet Forensics. Reardon and Egelman found that TrustCor's email product MsgSafe, which claims to provide "end-to-end encrypted email," didn't have such encryption. Instead it contained the same malicious SDK from Measurement Systems that was discovered in the Android apps.
While there was no evidence of TrustCor mis-issuing certificates or abusing its CA authority, the researchers and other infosec professionals expressed deep concern in the Mozilla CA discussion group over TrustCor's apparent corporate and technical ties to spyware vendors.
In a series of posts to the discussion group, McPherson slammed Reardon and Egelman, accusing them of "slinging false claims." She argued the connections to defense contractors and spyware vendors was a combination of errors with registration and an apparent effort by bad actors to create lookalike domains and entities, possibly by rival companies.
McPherson also vehemently denied TrustCor was associated with Packet Forensics or Measurement Systems, though she appeared to evade direct inquiries regarding Vostrom Holdings. However, after repeated requests from Mozilla, Google and Apple, McPherson appeared to concede several of the core allegations against TrustCor. Those included that TrustCor and Measurement Systems shared executive officers, operational control and technical integrations and that MsgSafe's Android beta did contain an unobfuscated version of Measurement Systems' malicious SDK.
While no direct certificate abuse was found at TrustCor, Wilson explained the concerns about Measurement Systems and TrustCor's email product were enough to warrant action.
"Ordinarily, Mozilla would not directly evaluate the benefit of the CA owner's other products when considering whether a CA should be a member of our Root Program," she said in the discussion group. "However, Trustcor's quantifying value statement rests heavily on the value of MsgSafe, which has suffered from a number of problematic behaviors that undermine the value proposition of MsgSafe, and therefore undermine the purported benefits for the TrustCor CA to be a member of our Root Program."
McPherson appeared to accept the decision. "While we are incredibly disappointed with this decision, we are not going to waste anyone's time with a response to the removal right now," she wrote in the group discussion.
TechTarget Editorial made repeated attempts to contact TrustCor and McPherson, but the company did not respond.
UPDATE 12/5: McPherson emailed TechTarget Editorial Monday with a link to a recent TrustCor statement responding to actions taken by Mozilla and Microsoft, which the company said signaled a "disturbing shift" in how CAs are handled by the major browser makers. The company emphasized that there is no evidence of certificate mis-issuance or any other CA-related transgressions, and once again denied that it shared any corporate officers, operational control, office space or technical integrations "with the defense company mentioned."
TrustCor's statement does not mention Packet Forensics, Measurement Systems or Vostrom Holdings by name, so it's unclear to which defense company the statement is referring. McPherson did not respond to additional questions or requests for comment.
Mozilla announced a distrust date of Nov. 30 for TrustCor's root certificates. McPherson said that Microsoft, which did not participate in the Mozilla group discussion, reached a similar decision and retroactively set its distrust date for Nov. 1, which impacts certificates that were issued during the month.
TechTarget Editorial contacted Google and Apple for comment but did not receive responses at press time.