An Untrustworthy TLS Certificate in Browsers

Stopspying

Jan 21, 2018
The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy:
"Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.
The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.
[…]
In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
Measurement Systems’ website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing."
 

silversurfer

Aug 17, 2014

Mozilla and Microsoft distrust TrustCor root certificates in their browsers

New information came to light during the course of the discussion on the security group. A representative of TrustCor provided information.

In the end, it was clear that there were ties between Measurement Systems and TrustCor, at least until 2021, and that one developer hired by TrustCor had access to an unobfuscated version of the source code of the Measurement Systems malware SDK. However, no evidence of the mis-issuing of certificates was presented.

Mozilla decided to distrust TrustCor certificates from November 30, 2022 that are included in the Mozilla root store. The certificates will be removed from the root store when they expire. The certificates may be removed at an earlier point if "evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings".

Microsoft did not provide a statement to the discussion group, but it set the distrust date to November 1, 2022.

You can find the full discussion, evidence and commentary by the TrustCor representative here.
 
