Root Certificate Authority untrusted by browsers after concerns about ties to US intelligence

Mozilla, Microsoft, and Google have removed certificates and root certificates by TrustCor Systems from their trust stores following an investigation from The Washington Post revealing the company’s apparent links to companies within the US intelligence community. While there has been no concrete evidence of wrongdoing, many of the points raised worried users and tech companies alike.

If you’ve spent any time on at all, you’ll know that a root certificate plays a key role in the SSL ecosystem and cryptographic trust. All trusted Certificate Authorities (CAs) have root certificates that sign the SSL certificates they issue, showing that those certificates have been approved and vetted by a trusted source. Because of TrustCor’s apparent links to US intelligence agencies, experts have been understandably concerned about its access to a root certificate.

According to The Verge, TrustCor’s registration records in Panama had a lot of similarities to those of an Arizona-based spyware maker affiliated with a company called Packet Forensics, including shared officers, agents, and partners. Packet Forensics is a surveillance contractor that records show as having sold communication interception services to US government agencies for over a decade. TrustCor also appears to be linked to Measurement Systems, a company that was found to be harvesting data from several apps, including a Muslim prayer app.

Another of TrustCor’s partners is believed to be linked to Raymond Saulino, who, coincidentally, spoke as a representative for Packet Forensics in a Wired article from 2010. Saulino is also linked to Global Resource Systems, a company that gained public attention in 2021 when it briefly activated more than 100 million previously dormant Pentagon IP addresses. The IP addresses were transferred back to the Pentagon several months later. It’s unclear why this happened, but researchers speaking to The Washington Post believe transferring the IP addresses could have been a way to give the military access to vast swathes of internet traffic without revealing that the government was receiving it.

Adding further fuel to the fire, experts found that a product from TrustCor claiming to be an encrypted messaging service is not actually encrypted and allows the company to read any messages sent via the app. Furthermore, the company’s official physical address was found to be a small UPS Store in Toronto. 

None of this information inspires much confidence, but Mozilla and Microsoft gave TrustCor the benefit of the doubt and set a deadline for the company to respond with further details on the points raised in the Washington Post and elsewhere. Discussions between company stakeholders in Mozilla’s public dev-security-policy forum got quite heated, but TrustCor did not satisfactorily reply to people’s concerns.

As a result, Mozilla and Microsoft revoked trust for TrustCor, which means their certificates are now unusable in Firefox and Edge browsers, as well as other products. According to TechTarget, a representative for Mozilla said, “Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweighs the benefits to end users.”

Following this development, Google announced it too would no longer recognize TrustCor as trusted in its Chrome browser. This applies to Chrome versions 111 (launching in 2023) and greater, as well as older versions of Chrome that can still receive Component Updates following Chrome 111’s Stable release date.

Apple has not yet announced changes but is expected to follow suit.
