Major web browsers moved Wednesday to stop using a mysterious software company that certified websites were secure, three weeks after The Washington Post reported its connections to a U.S. military contractor.
“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”
The Post reported on Nov. 8 that TrustCor’s Panamanian registration records showed the same slate of officers, agents and partners as a spyware-maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communication interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.
The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be.
TrustCor has a small staff in Canada, where it is officially based at a UPS Store mail drop, company executive Rachel McPherson told Mozilla in the email discussion thread. She said staffers there work remotely, though she acknowledged that the company has infrastructure in Arizona as well.
McPherson said that some of the same holding companies had invested in TrustCor and Packet Forensics but that ownership in TrustCor had been transferred to employees. Packet Forensics also said it had no ongoing business relationship with TrustCor.
Several technologists in the discussion said that they found TrustCor evasive on basic matters such as legal domicile and ownership, which they said was inappropriate for a company wielding the power of a root certificate authority, which not only asserts that a secure, https website is not an impostor but can deputize other certificate issuers to do the same.
The Post report built on the work of two researchers who had first located the company’s corporate records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. Those two and others also ran experiments on a secure email offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafe’s public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.
McPherson said the various technology experts had not used the right version or had not configured it properly.
In announcing Mozilla’s decision, Wilson cited the past overlaps in officers and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
There have been sporadic efforts to make the certificate process more accountable, sometimes after revelations of suspicious activity.
In 2019, a security company controlled by the government of the United Arab Emirates that had been known as DarkMatter applied to be upgraded to top-level root authority from intermediate authority with less independence. That followed revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied it root power.
In 2015, Google withdrew the root authority of the China Internet Network Information Center (CNNIC) after it allowed an intermediate authority to issue fake certificates for Google sites.
Reardon and Egelman earlier this year found that Packet Forensics was connected to the Panamanian company Measurement Systems, which paid software developers to include code in a variety of apps to record and transmit users’ phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
Measurement Systems’ website was registered by Vostrom Holdings, according to historic domain-name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records.
After the researchers shared their findings, Google booted all apps with the spy code out of its Play app store.
They also found that a version of that code was included in a test version of MsgSafe. McPherson told the email list that a developer had included that without getting it cleared by executives.
Packet Forensics first drew attention from privacy advocates a dozen years ago.
In 2010, researcher Chris Soghoian attended an invitation-only industry conference nicknamed the Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency customers.
The brochure was for a piece of hardware to help buyers read web traffic that parties thought was secure. But it wasn’t.
“IP communication dictates the need to examine encrypted traffic at will,” the brochure read, according to a report in Wired. “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, email or VOIP encryption,” the brochure added.
Researchers thought at the time that the most likely way the box was being used was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of an impostor communications site.
They did not conclude that an entire certificate authority itself might be compromised.
Reardon and Egelman alerted Google, Mozilla and Apple to their research on TrustCor in April. They said they had heard little back until The Post published its report.