Mozilla, Microsoft ditch root certificate authority under cloud of suspicion

TrustCor, a root CA for multiple major browsers, has ties to a spyware firm and the Pentagon.
Mikroman6/Getty Images

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Mozilla and Microsoft have removed root certificate authority (CA) TrustCor from their respective Firefox and Edge browsers, under a cloud of suspicion over its reported ties to spyware firms and intel agencies. Both browsers will no longer accept new TrustCor certificates, the Washington Post reports.

Root CAs are entities that authenticate keys that browsers and operating systems use to verify connections to legitimate websites. The vetting process for a root CA to be in major web browsers is expensive and lengthy, because root CA status comes with the potential for abuse, like surveillance and traffic hijacking. Firefox’s approval process, for example, takes at least two years, according to the Washington Post.

In November, the Post reported a number of concerning insights into TrustCor, including shared officers with a Panamanian spyware firm called Measurement Systems, which distributed an app software development kit (SDK) that secretly collected data on users. Measurement Systems is itself an affiliate of Packet Forensics, a firm that has pitched police on its ability to conduct man-in-the-middle attacks (that would require subverting a certificate authority). A beta version of a secure messaging program developed by TrustCor, MsgSafe.io, contained that SDK, and security researchers told the Post it wasn’t actually encrypted as advertised.

One TrustCor partner was listed as a contact for yet another firm that managed 175 million IP addresses for the Pentagon; another source told the paper that Packet Forensics technology was used to catch terrorism suspects. Adding to the list of suspicious factors, the Post found that the firm’s mailing address was a UPS Store mail drop in Toronto, while TrustCor’s website listed its leadership as a man who died months ago, and another whose LinkedIn indicated he left the company in 2019.

While no reports have indicated TrustCor abused its root CA status, on a mailing list for browser security experts, Mozilla’s Kathleen Wilson wrote that it was “unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware.” TrustCor’s Rachel McPherson appeared to reply to the thread, writing that while the firm is “incredibly disappointed with this decision, we are not going to waste anyone’s time with a response to the removal right now.”

A representative from TrustCor, VP of operations Rachel McPherson, responded to IT Brew’s request for comment by pointing to a statement on its website, which dismissed the allegations as “rumour and innuendo.” The December 2 updated response insisted that “there has been no evidence or speculation that TrustCor has ever mis-issued any certificates or mishandled any key material.”

Other major browsers include TrustCor as a root CA, including Apple’s Safari and Google’s Chrome. In a statement, Google spokesperson Ed Fernandez told IT Brew the company would be “providing an update on the trust status of TrustCor shortly.” Apple did not immediately respond to a request for comment.—TM
