Date: 2022-12-15



Google joined Mozilla and Microsoft on Thursday in removing TrustCor Systems as a root certificate authority.

In Mozilla’s dev-security-policy group, a public email discussion on certificate authority (CA) policy and governance, Google announced that it will no longer support TrustCor certificates after Chrome 111. The browser’s beta release is scheduled for February 9th, and the stable release is scheduled for March 7th.

Google’s announcement follows decisions made by Mozilla and Microsoft late last month to remove TrustCor from their respective browser root stores. TrustCor came under fire in November after a Washington Post article revealed that the CA has corporate and technical ties to multiple spyware companies and defense contractors.

Two researchers who helped unravel TrustCor’s relationships (Prof. Joel Reardon of the University of Calgary and Prof. Serge Egelman of the University of California, Berkeley) voiced their concerns about the CA in Mozilla’s dev-security-policy group last month. Weeks of debate between information security experts and major browser companies followed.

TrustCor’s vice president of operations, Rachel McPherson, categorically denied the accusations, but concerns about the CA persisted, eventually leading to Microsoft and Mozilla removing trust in the root certificate.

A Google representative wrote in the group discussion on Thursday: “However, the arguments did not show why continued trust is justified given the concerns raised and the risks to user safety. This action is incompatible with organizations whose CA certificates are included in the Chrome root store.”

Concerns and Consequences

Although TrustCor has not been accused of misissuing or misusing certificates, browser makers are concerned that the CA shares corporate officers, agents, and partners with Packet Forensics, Measurement Systems, and Vostrom Holdings. In addition, technical ties revealed by Reardon and Egelman raised concerns.

For example, earlier this year, Reardon and Egelman discovered that a series of Android apps on the Google Play store contained a malicious SDK created by Measurement Systems. The researchers later discovered the same data collection SDK in a version of TrustCor’s email product, MsgSafe.

In the dev-security-policy group, McPherson acknowledged the presence of Measurement Systems’ SDK in MsgSafe, but claimed it was inserted without permission by an unnamed contract developer who had not worked for the company in over three years. She explained that no action was taken because TrustCor’s attorneys found it difficult to pursue any action on a “labor dispute.”

After Mozilla and Microsoft removed their support for the CA, Reardon and Egelman raised additional concerns about TrustCor’s auditor, the Princeton Audit Group. In another dev-security-policy group discussion last week, the researchers said they had discovered that Princeton Audit Group’s professional license appears to have expired in June 2021, even though an audit of TrustCor’s CA operations was issued in late 2021. Additionally, Princeton’s status as a WebTrust certified auditor appears questionable.

CAs are subject to regular audits according to the WebTrust for Certification Authorities standard. This standard applies the requirements of the CA/Browser Forum, an independent consortium of browser companies and CAs. Such audits must be performed by a WebTrust accredited entity that is also a licensed audit firm.

Google’s end of support for TrustCor effectively ends TrustCor’s CA business, at least for the time being. “Google Chrome prioritizes user security and privacy and will not compromise on those values,” a Google spokesperson told TechTarget Editorial. “Google will include or remove CA certificates within the Chrome Root Store as it deems appropriate for the user’s safety, in accordance with Google’s policy.”

Apple has yet to announce a decision on TrustCor, but company representatives voiced their concerns about the CA in a dev-security-policy group discussion last month.

TrustCor announced earlier this month that it will not issue commercial certificates to resellers or customers at this time.

McPherson and the Princeton Audit Group did not respond to requests for comment at press time.

