Google drops TrustCor certificates as questions loom
Google joined Mozilla and Microsoft in removing support for TrustCor Systems certificates following a Washington Post report on TrustCor's connections to spyware vendors.
Google on Thursday joined Mozilla and Microsoft in dropping TrustCor Systems as a root certificate authority.
In Mozilla's dev-security-policy group, a public email discussion about certificate authority (CA) policies and governance, Google announced that "due to a loss of confidence in its ability to uphold these fundamental principles and to protect and safeguard Chrome's users," the company would no longer support TrustCor certificates beginning with Chrome 111. The beta release of the browser is scheduled for Feb. 9, and the stable release is scheduled for March 7.
Google's announcement follows decisions from Mozilla and Microsoft late last month to remove TrustCor from the root stores of their respective browsers. TrustCor came under fire in November after an article by The Washington Post found the CA has corporate and technical ties to several spyware companies and defense contractors, including Packet Forensics, Measurement Systems and Vostrom Holdings.
Two researchers who helped uncover TrustCor's connections -- Joel Reardon, a professor at the University of Calgary, and Serge Egelman of the University of California, Berkeley -- raised concerns about the CA in Mozilla's dev-security-policy group last month, which sparked several weeks of discussion among infosec professionals and the major browser companies.
While Rachel McPherson, TrustCor's vice president of operations, defiantly rejected the accusations, concerns about the CA persisted and ultimately led to Microsoft and Mozilla removing trust for its root certificates.
"The public discussion that ensued raised valid and direct questions, applicable to publicly trusted root CA certificates," a Google representative wrote in the group discussion on Thursday. "However, the discussion did not demonstrate why continued trust is justified given the concerns raised and the risk to user safety. Behavior that attempts to degrade or subvert security and privacy on the web is incompatible with organizations whose CA certificates are included in the Chrome Root Store."
Concerns and consequences
While TrustCor was not accused of any certificate mis-issuance or abuse, the browser makers were concerned that the CA apparently shared corporate officers, agents and partners with Packet Forensics, Measurement Systems and Vostrom Holdings. Technical connections uncovered by Reardon and Egelman also raised concerns.
For example, Reardon and Egelman earlier this year found a series of Android apps in the Google Play Store contained a malicious SDK produced by Measurement Systems. Like TrustCor, it is a Panamanian-registered company. The researchers later found the same data-gathering SDK in a version of TrustCor's email product, MsgSafe.
In the dev-security-policy group, McPherson conceded the presence of Measurement Systems' SDK in MsgSafe but claimed it was inserted without authorization by an unnamed contracted developer who hadn't worked at the company in more than three years. She explained that TrustCor's legal counsel felt any action regarding a "labor dispute" would be difficult to pursue, so no action was taken.
Reardon and Egelman aired additional concerns about TrustCor's auditor, Princeton Audit Group, after Mozilla and Microsoft removed support for the CA. In a separate dev-security-policy group discussion last week, the researchers said they found that Princeton Audit Group's professional license appeared to have lapsed in June 2021, even though the firm issued audits of TrustCor's CA operations later that year. Princeton's status as an authorized WebTrust auditor also appears in doubt.
CAs must undergo regular audits in accordance with the WebTrust for Certification Authorities standard, which enforces requirements from the CA/Browser Forum, an independent consortium of browser companies and CAs. Such audits must be performed by a WebTrust authorized entity that is also a licensed auditing firm.
UPDATE 12/16: TechTarget Editorial contacted Princeton Audit Group (PAG) for information regarding its status as TrustCor's WebTrust auditor. A PAG representative responded with the following statement in an email:
"PAG has been doing audits since 2016 for banks and outsourcing organizations. TrustCor Audit has been with us for [the] last 10 years. They were involved only with email security; no finance was involved," the statement read. "I have [stopped] doing the audit from this year."
TechTarget Editorial attempted to clarify the statement, but PAG has yet to respond.
Google's removal of support for TrustCor effectively ends TrustCor's CA business, at least for the time being. "Google Chrome prioritizes the security and privacy of its users, and we are unwilling to compromise on these values," a Google spokesperson told TechTarget Editorial. "Google includes or removes CA certificates within the Chrome Root Store as it deems appropriate for user safety in accordance with our policies."
Apple has yet to announce a decision about TrustCor, but a company representative voiced concerns about the CA in the dev-security-policy group discussion last month.
TrustCor announced earlier this month that it was no longer issuing commercial certificates to resellers or customers at this time.
McPherson has not responded to requests for comment at press time.