TrustCor, a root certificate authority trusted by Chrome, Safari, and Firefox, found to have connections with an American intelligence agency



Among the certificate authorities that issue digital certificates, a "root certificate authority" is one that can prove its own legitimacy under strict screening. It has been pointed out that TrustCor, one of these root certificate authorities, has connections with US intelligence agencies and law enforcement agencies, and there is concern that the authentication system may have been abused.

TrustCor Systems verifies web addresses, but its address is a UPS Store - The Washington Post

https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/

This tiny company could help the government get around browser security - The Verge
https://www.theverge.com/2022/11/8/23447338/chrome-safari-firefox-verify-website-us-intelligence

TrustCor is a root certificate authority used by tech companies such as Google, Apple and Mozilla. Documents left in Panama show that TrustCor is associated with the same executives, agents and partners as the American company that developed spyware.

The name of the company is not disclosed, but "Packet Forensics" is mentioned as an affiliate of the company. Packet Forensics is known as a network monitoring company and has been selling wiretapping services to US government agencies for over a decade.

It was also pointed out that another partner of TrustCor is a company owned by a person named Raymond Saurino. Saurino used to be a spokesperson for Packet Forensics, and is said to have recently joined Global Resource Systems, a company that managed over 175 million IP addresses for the U.S. Department of Defense. It is not clear why the Department of Defense entrusted the management of these IP addresses to the company, but at the time it was explained as "identifying potential vulnerabilities."

Following the exposure of these connections with affiliated companies, The Washington Post said, "This result raises concerns that TrustCor may have abused its power to promote surveillance activities in the United States. It's something I can do."



In addition, TrustCor is known to have had a connection with a Panamanian company called Measurement Systems. Measurement Systems was previously reported to have "collected personal information by putting code in the application," and the applications containing the code have been deleted by Google.

When The Washington Post examined TrustCor's address, it turned out to belong to a company unrelated to TrustCor, and the phone number and email address do not appear to be working.

The Department of Defense did not respond to The Washington Post's request for comment. A TrustCor executive, on the other hand, said, "We have never cooperated with government information requests nor with third parties monitoring customers." In response to this report, Mozilla said, "We are deeply concerned. However, we have yet to see evidence that TrustCor-issued certificates are being misused. We will take the necessary measures to protect ourselves from harm."

in Web Service, Security, Posted by log1p_kr