Mozilla and Microsoft have taken action against a certificate authority accused of close ties to a US military contractor that allegedly paid software developers to include data-harvesting malware in mobile apps.
The CA, TrustCor, denies this but had not responded to direct questions at the time of publication.
After a lengthy discussion involving Mozilla and Apple employees, security researchers, and the CA itself, Mozilla CA program manager Kathleen Wilson said the organization's concerns were sufficiently "substantiated" to set a distrust date of November 30 for TrustCor's root certificates.
The back-and-forth took place on Mozilla's dev-security-policy (MDSP) mailing list, and you can read the full discussion there. Microsoft did not take part in the conversation; it was TrustCor executive Rachel McPherson who said Microsoft had already set a November 1 distrust date for her company's certificates.
"Microsoft gave us no advance notice of this decision," McPherson said.
"We have never been charged, and there is no evidence to suggest that TrustCor violated any conduct, policy or procedure, improperly issued trust certificates or worked with others to do so. We didn't do any of that."
In its comments, Apple said it agreed with the views of other commenters and that the findings "leave reasonable doubt as to… [TrustCor's] ability to act as a generally trusted certificate authority."
As of this writing, TrustCor certificates still appear in Apple's list of trusted root certificates, and it's unclear whether the iPhone maker plans to act on its own.
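Whether TrustCor roots are still present in a trust store you ship or depend on is something you can check yourself. The script below is an added example and is not code from the article or from TrustCor, Mozilla, Apple or Microsoft: it splits a PEM bundle into individual certificates and reports those whose subject contains a given string, together with their validity window and SHA-256 fingerprint. It assumes the openssl command-line tool is installed and that you know your platform's bundle path (for example /etc/ssl/certs/ca-certificates.crt on Debian-based systems). The two certificates its test helper generates are constructed throwaways, one of which merely borrows TrustCor's organisation name in its subject; neither is a real TrustCor root.

```shell
#!/bin/sh
# Added example, not code from the article or any party it names.
# Scans a PEM trust bundle and reports every certificate whose subject
# contains NEEDLE. Assumes the openssl CLI is installed.

# find_roots_by_org BUNDLE.pem NEEDLE
# Prints one line per match: subject | notBefore/notAfter | SHA-256 fingerprint.
# Compare the fingerprint, not the human-readable name, against any list a
# root program publishes.
find_roots_by_org() {
    bundle="$1"
    needle="$2"
    tmp=$(mktemp -d) || return 1

    # One file per certificate; lines outside a BEGIN/END block (comments,
    # blank lines, trust-attribute blocks) are dropped.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"

    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || break                      # bundle held no certificates
        subject=$(openssl x509 -in "$f" -noout -subject) || continue
        case "$subject" in
            *"$needle"*)
                dates=$(openssl x509 -in "$f" -noout -dates | tr '\n' ' ')
                fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256)
                printf '%s | %s| %s\n' "$subject" "$dates" "$fp"
                ;;
        esac
    done
    rm -rf "$tmp"
}

# make_test_bundle OUT.pem
# Writes a constructed two-certificate bundle so the function can be tried
# offline. Both certificates are freshly generated self-signed throwaways;
# the first only reuses TrustCor's organisation name in its subject and is
# NOT the real TrustCor root.
make_test_bundle() {
    out="$1"
    : > "$out"
    for subj in "/C=PA/O=TrustCor Systems S. de R.L./CN=constructed stand-in" \
                "/C=US/O=Example Corp/CN=unrelated constructed root"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "$subj" -days 1 -out "$out.one" 2>/dev/null || return 1
        cat "$out.one" >> "$out"
    done
    rm -f "$out.one"
}

# Demo against the constructed bundle:  sh trustcor-check.sh --demo
# Real use:  find_roots_by_org /etc/ssl/certs/ca-certificates.crt TrustCor
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_test_bundle "$demo/bundle.pem"
    find_roots_by_org "$demo/bundle.pem" "TrustCor"
    rm -rf "$demo"
fi
```

Presence in a bundle is only half the picture: a root program's distrust date, such as the November 30 date mentioned above, is enforced by the client's chain-validation logic, so a root can remain in a store while certificates chaining to it are rejected. The scan tells you what is in the file you ship; the program's policy tells you how the client treats it.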
Anatomy of a breach of trust
The whole TrustCor issue dates back to earlier this year when Joel Reardon, a professor at the University of Calgary and co-founder of AppCensus, discovered data-harvesting malware in a suite of Android apps downloaded more than 46 million times.
The affected apps included a speed-trap radar app, Islamic prayer apps, a QR scanner, a weather app and more.
According to Reardon, the code was developed by Panama-based Measurement Systems. In its report on Reardon's findings, The Wall Street Journal said it had found links between Measurement Systems and a Virginia defense contractor that performs cyber-intelligence, network-defense and intelligence-interception work for the US government.
The apps were removed from Google Play, although some later returned with the offending code stripped out.
Reardon kicked off the discussion on mozilla.dev.security.policy on November 8, where he and Serge Egelman of the University of California, Berkeley, reported their research into Measurement Systems.
According to the pair, the Measurement Systems website was registered by Vostrom Holdings, which does business as Packet Forensics, a company Reardon said sells lawful-intercept products to government agencies.
Both Measurement Systems and TrustCor are registered in Panama, were registered within a month of each other, and share the same group of corporate officers, Reardon said.
The pair also looked into an encrypted messaging service operated by TrustCor called Msgsafe, which they claim transmits email as plaintext over TLS. Reardon said he was "not convinced that E2E encryption exists or that Msgsafe can't read user emails."
Reardon said he had "no evidence that TrustCor had done anything wrong" or "was anything but a diligent, competent certificate authority".
"If TrustCor were just a messaging service that misrepresents its E2E encryption claims and has ties to legitimate defense contractors doing interception work, I wouldn't raise any concerns here. But since it's a root certificate on billions of devices — mine included — I think it's reasonable to get an explanation," he added on the list.
TrustCor's McPherson attempted to answer the questions posed by Mozilla and others, but although she insisted that Reardon's information was out of date and that TrustCor and Packet Forensics had no ongoing business relationship, the root-program operators were not convinced.
Commenters in the thread seemed less troubled by the alleged links than by TrustCor's inability to provide satisfactory answers.
Cryptography expert Filippo Valsorda said: "The initial concerns, aside from the possible links to the spyware operation, gave me no reason to be suspicious on their own. However, the way TrustCor handled the allegations left me with no confidence in their operations."
Others echoed the sentiment, saying McPherson's answers weren't good enough for an organization with as much power over the web as a certificate authority.
"Our assessment is that the concerns about TrustCor have been substantiated and that the risks of TrustCor's continued membership in Mozilla's root program outweigh the benefits to end users," said Mozilla's Wilson.
We’ve contacted TrustCor to find out what it plans to do, but haven’t heard back yet. ®