“Certificate authorities have highly trusted roles in the Internet ecosystem, and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in malware distribution,” Mozilla’s Kathleen Wilson wrote in a mailing list for browser security experts. “TrustCor’s responses via their CA VP of Operations further confirm the factual basis of Mozilla’s concerns.”
The Post reported on Nov. 8 that TrustCor’s Panamanian registration records showed the same list of officers, agents and partners as a spyware maker identified this year as an Arizona-based affiliate of Packet Forensics, which sold communications wiretapping services to US government agencies for more than a decade. One of those contracts listed the “place of execution” as Fort Meade, Md., the headquarters of the National Security Agency and the Pentagon’s Cyber Command.
The case has brought into the spotlight the shadowy systems of trust and control that allow people to rely on the Internet for most purposes. Browsers typically trust more than a hundred certificate authorities by default, including government-owned ones and small businesses, so that secure websites can be verified as what they purport to be without any action by the user.
TrustCor has a small staff in Canada, where it is officially based at a UPS Store postal depot, company executive Rachel McPherson told Mozilla in the email discussion thread. She said staffers are working remotely, though she acknowledged the company also has infrastructure in Arizona.
McPherson said some of the same holding companies had invested in both TrustCor and Packet Forensics, but that ownership of TrustCor had since been transferred to its employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.
Several technologists in the discussion said they found TrustCor evasive on key issues such as legal domicile and ownership, which they argued was inappropriate for a company exercising the power of a root certificate authority, which not only vouches that a website served over HTTPS is not an imposter but can also delegate other certificate issuers to do the same.
The Post’s report was based on the work of two researchers who first located the company’s business records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley. These two and others also conducted experiments on a secure email offering from TrustCor called MsgSafe.io. They found that, contrary to MsgSafe’s public claims, emails sent through its system weren’t end-to-end encrypted and could be read by the company.
McPherson said the various tech experts either hadn’t used the correct version or hadn’t configured it correctly.
In announcing Mozilla’s decision, Wilson cited past overlaps in officials and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.
The Pentagon did not respond to a request for comment.
There have been sporadic efforts to make the certification process more accountable, sometimes after disclosures of suspicious activity.
In 2019, a UAE government-controlled security company known as DarkMatter applied to be promoted from an intermediate authority, which has less independence, to a top-level root authority. That followed revelations that DarkMatter had hacked dissidents and even some Americans; Mozilla denied it root status.
In 2015, Google withdrew root trust from the China Internet Network Information Center (CNNIC) after CNNIC allowed an intermediate authority to issue fake certificates for Google domains.
Reardon and Egelman earlier this year discovered that Packet Forensics was linked to the Panamanian firm Measurement Systems, which paid software developers to include code in a variety of apps that recorded and transmitted users’ phone numbers, email addresses and exact locations. They estimated those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name registries. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records.
After the researchers shared their findings, Google removed all apps containing the spy code from its Play Store.
They also discovered that a version of that code was included in a trial version of MsgSafe. McPherson told the mailing list that a developer had included it without permission from executives.
Packet Forensics first caught the attention of privacy advocates a dozen years ago.
In 2010, researcher Chris Soghoian attended an invite-only industry conference dubbed Wiretapper’s Ball and obtained a Packet Forensics brochure aimed at law enforcement and intelligence agency clients.
The brochure described a piece of hardware to help buyers read web traffic that the communicating parties believed was secure. It wasn’t.
“IP communication imposes the need to examine encrypted traffic at will,” the brochure read, according to a report in Wired. “Your investigative staff will gather the best evidence while users are lulled into a false sense of security afforded by web, email or VOIP encryption,” the brochure added.
Researchers at the time thought the box was most likely used with a certificate, obtained from an authority for money or under a court order, that vouched for the authenticity of an imposter site.
They did not conclude that an entire certificate authority itself could be compromised.
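The mechanism behind that brochure, and behind the CNNIC and TrustCor concerns, is the same: a browser or other TLS client accepts any certificate that chains to a root it already trusts, for whatever hostname that root (or an intermediate it has delegated to) chooses to issue. The Go program below is an added illustration written for this page, not code from the article or from any company it mentions. It builds a hypothetical root CA, a delegated intermediate and a server certificate for a hostname the CA does not control (the names, keys and `www.example.com` target are all constructed for the example), then shows that the certificate verifies while the root sits in the trust store and stops verifying the moment the root is removed, which is what distrusting a CA amounts to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed three-level PKI: a root CA, an intermediate CA the
// root has delegated to, and a server ("leaf") certificate from the intermediate.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// sign has signer (the parent's private key) sign tmpl and returns the parsed
// certificate. Passing the same template as parent yields a self-signed cert.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs the hypothetical PKI for host. Nobody who controls host
// takes part: the root simply decides to issue for it, which is the power a
// trusted root holds over every name on the Internet.
func BuildChain(host string) (*Chain, error) {
	now := time.Now()
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]

	// Template shared by the two CA certificates (constructed names).
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}

	// 1. Self-signed root: the kind of certificate a browser ships in its store.
	rootTmpl := caTmpl(1, "Constructed Example Root CA")
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// 2. Intermediate: the root delegates its issuing power, as a root CA can.
	inter, err := sign(caTmpl(2, "Constructed Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	// 3. Leaf for host, issued by the intermediate, usable for TLS server auth.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify performs the check a TLS client performs: does the leaf chain, via the
// intermediate, to some root in roots, and is it valid for host?
func (c *Chain) Verify(roots *x509.CertPool, host string) error {
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// TrustedWithRoot: the constructed root is in the store, as a shipped root would be.
func TrustedWithRoot(c *Chain, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(c.Root)
	return c.Verify(pool, host) == nil
}

// TrustedWithoutRoot: the root has been removed from the store (distrusted).
func TrustedWithoutRoot(c *Chain, host string) bool {
	return c.Verify(x509.NewCertPool(), host) == nil
}

func main() {
	const host = "www.example.com" // hypothetical target the CA does not control
	c, err := BuildChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("root trusted, same host:   ", TrustedWithRoot(c, host))               // true
	fmt.Println("root distrusted, same host:", TrustedWithoutRoot(c, host))            // false
	fmt.Println("root trusted, other host:  ", TrustedWithRoot(c, "mail.example.net")) // false
}
```

The third check shows that trust is still scoped by hostname: the leaf is accepted only for the name the CA put in it. What the root store cannot express is any limit on which names a root may issue for, so removing a root, as Mozilla did here, is the only lever a browser has. For a check against a real machine rather than the constructed pool, leaving `Roots` nil in `x509.VerifyOptions` makes Go consult the operating system's trust store, which is how one would confirm whether a given root is still trusted on a host.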
Reardon and Egelman alerted Google, Mozilla and Apple about their TrustCor research in April. They said they heard little until The Post published its report.