Connect with us

International

Mozilla and Microsoft removed Root CA from TrustCor after US contractor revelations

 



Comment this story

Comment

Major web browsers on Wednesday decided to stop using a mystery software company that certifies websites as secure, three weeks after the Washington Post reported its ties to a US military contractor.

Mozillas Firefox and Microsofts Edge said they would stop trusting new certificates from TrustCor Systems that attested to the legitimacy of sites reached by their users, capping weeks of online arguments between their tech experts, outside researchers and TrustCor, which said it had no continuing connection to be concerned about. Other tech companies are expected to follow suit.

Certificate authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a certificate authority to be closely tied, by ownership and operation, to a company engaged in the distribution of malware, Mozillas wrote. Kathleen Wilson has a mailing list for browser security experts. Responses from Trustcors via their VP of CA Operations further support the factual basis of Mozillas’ concerns.

Mystery Company With Government Ties Plays Key Role On The Internet

The Post reported Nov. 8 that Panamanian registration records for TrustCors showed the same list of officers, agents and partners as a spyware maker identified this year as a subsidiary of Arizona-based Packet Forensics. , which sold communication interception services to US government agencies. for over a decade. One of those contracts stated that the place of performance was Fort Meade, Maryland, home of the National Security Agency and Pentagons Cyber ​​Command.

The case brought to light the murky systems of trust and control that allow people to rely on the internet for most needs. Browsers typically have over a hundred trusted authorities by default, including government and small business ones, to transparently certify that secure websites are what they’re supposed to be.

TrustCor has a small team in Canada, where it is officially based at a UPS Store, company executive Rachel McPherson told Mozilla in the email thread. She said employees were working remotely, though she acknowledged the company also had infrastructure in Arizona.

McPherson said some of the same holding companies invested in TrustCor and Packet Forensics, but ownership of TrustCor was transferred to employees. Packet Forensics also said it has no ongoing business relationship with TrustCor.

Several technologists participating in the discussion said they found TrustCor evasive on fundamental issues such as legal domicile and ownership, which they said was inappropriate for a company wielding the power of a root CA, which not only asserts that a secure https website is not an impostor but can delegate other certificate issuers to do the same.

The Post’s report relied on the work of two researchers who first located the company’s records, Joel Reardon of the University of Calgary and Serge Egelman of the University of California, Berkeley. These two and others have also been experimenting with a secure messaging offering from TrustCor named MsgSafe.io. They found that contrary to MsgSafes public claims, emails sent through its system were not end-to-end encrypted and could be read by the company.

McPherson said the various tech experts either used the wrong version or configured it incorrectly.

In announcing Mozillas’ decision, Wilson cited past overlaps of officers and operations between TrustCor and MsgSafe and between TrustCor and Measurement Systems, a Panamanian spyware company with previously reported ties to Packet Forensics.

The Pentagon did not respond to a request for comment.

Sporadic efforts have been made to make the certificate process more accountable, sometimes after suspicious activity has come to light.

In 2019, a UAE government-controlled security company known as DarkMatter requested to be upgraded to a high-level root authority from an intermediate authority with less independence. This followed revelations that DarkMatter had hacked dissidents and even Americans; Mozilla denied him root power.

In 2015, Google removed the China Internet Network Information Center (CNNIC) root authority after allowing an intermediate authority to issue fake certificates for Google sites.

Reardon and Egelman earlier this year discovered that Packet Forensics was connected to the Panamanian company Measurement Systems, which paid software developers to include code in a variety of applications to record and transmit telephone numbers, email addresses. -email and exact locations of users. They estimated that these apps have been downloaded over 60 million times, including 10 million Muslim prayer app downloads.

The Measurement Systems website was registered by Vostrom Holdings, according to historical domain name registrations. Vostrom filed documents in 2007 to do business as Packet Forensics, according to Virginia state records.

After the researchers shared their findings, Google started all apps with the spy code from its Play app store.

They also discovered that a version of this code was included in a test version of MsgSafe. McPherson told the mailing list that a developer included it without getting executive approval.

Packet Forensics first caught the attention of privacy advocates a dozen years ago.

In 2010, researcher Chris Soghoian attended an invitation-only industry conference dubbed the Wiretappers Ball and obtained a Packet Forensics brochure for law enforcement and intelligence agency clients.

The brochure was for hardware intended to help buyers read web traffic that the parties believed to be secure. But that was not the case.

IP communication dictates the need to examine encrypted traffic at will, the brochure reads, according to a report in Wired. Your investigative staff will collect their best evidence while users are lulled into a false sense of security offered by web, email or VOIP encryption, the brochure adds.

Researchers believed at the time that the most likely way to use the box was with a certificate issued by an authority for money or under a court order that would guarantee the authenticity of a site. impostor communication.

They did not conclude that an entire CA itself could be compromised.

Reardon and Egelman alerted Google, Mozilla and Apple to their TrustCor research in April. They said they had heard little until the Post published its report.

Sources

1/ https://Google.com/

2/ https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/

The mention sources can contact us to remove/changing this article

What Are The Main Benefits Of Comparing Car Insurance Quotes Online

LOS ANGELES, CA / ACCESSWIRE / June 24, 2020, / Compare-autoinsurance.Org has launched a new blog post that presents the main benefits of comparing multiple car insurance quotes. For more info and free online quotes, please visit https://compare-autoinsurance.Org/the-advantages-of-comparing-prices-with-car-insurance-quotes-online/ The modern society has numerous technological advantages. One important advantage is the speed at which information is sent and received. With the help of the internet, the shopping habits of many persons have drastically changed. The car insurance industry hasn't remained untouched by these changes. On the internet, drivers can compare insurance prices and find out which sellers have the best offers. View photos The advantages of comparing online car insurance quotes are the following: Online quotes can be obtained from anywhere and at any time. Unlike physical insurance agencies, websites don't have a specific schedule and they are available at any time. Drivers that have busy working schedules, can compare quotes from anywhere and at any time, even at midnight. Multiple choices. Almost all insurance providers, no matter if they are well-known brands or just local insurers, have an online presence. Online quotes will allow policyholders the chance to discover multiple insurance companies and check their prices. Drivers are no longer required to get quotes from just a few known insurance companies. Also, local and regional insurers can provide lower insurance rates for the same services. Accurate insurance estimates. Online quotes can only be accurate if the customers provide accurate and real info about their car models and driving history. Lying about past driving incidents can make the price estimates to be lower, but when dealing with an insurance company lying to them is useless. Usually, insurance companies will do research about a potential customer before granting him coverage. Online quotes can be sorted easily. Although drivers are recommended to not choose a policy just based on its price, drivers can easily sort quotes by insurance price. Using brokerage websites will allow drivers to get quotes from multiple insurers, thus making the comparison faster and easier. For additional info, money-saving tips, and free car insurance quotes, visit https://compare-autoinsurance.Org/ Compare-autoinsurance.Org is an online provider of life, home, health, and auto insurance quotes. This website is unique because it does not simply stick to one kind of insurance provider, but brings the clients the best deals from many different online insurance carriers. In this way, clients have access to offers from multiple carriers all in one place: this website. On this site, customers have access to quotes for insurance plans from various agencies, such as local or nationwide agencies, brand names insurance companies, etc. "Online quotes can easily help drivers obtain better car insurance deals. All they have to do is to complete an online form with accurate and real info, then compare prices", said Russell Rabichev, Marketing Director of Internet Marketing Company. CONTACT: Company Name: Internet Marketing CompanyPerson for contact Name: Gurgu CPhone Number: (818) 359-3898Email: [email protected]: https://compare-autoinsurance.Org/ SOURCE: Compare-autoinsurance.Org View source version on accesswire.Com:https://www.Accesswire.Com/595055/What-Are-The-Main-Benefits-Of-Comparing-Car-Insurance-Quotes-Online View photos

ExBUlletin

to request, modification Contact us at Here or [email protected]