Microsoft and Mozilla decide to stop trusting certificates from root certificate authority 'TrustCor' after its reported ties to US intelligence agencies



Browsers use digital certificates to verify that a connection is secure. At the base of that system is the root certificate, issued by a root certificate authority (CA) that establishes its legitimacy without being certified by any higher-level CA. It has been pointed out that one such root CA, TrustCor, has ties to US intelligence and law enforcement agencies, and it has been reported that Mozilla, which develops Firefox, and Microsoft, which develops Edge, have decided to stop trusting certificates newly issued by TrustCor.

concerns about Trustcor
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ

Mozilla, Microsoft Yank TrustCor's root certificate authority after US contractor revelations - The Washington Post
https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/

When public-key cryptography is used for a connection, the browser checks the digital certificate attached to the public key to confirm that the connection is secure. Most CAs that issue digital certificates establish their own credibility through certificates issued by a higher-level CA, and the CA at the top of this hierarchy is called the root CA.

Root CAs, whether major commercial CAs or government-agency CAs, establish their legitimacy by means other than a digital certificate. Software that uses public-key cryptography, such as a browser, ships with a built-in list of root certificates; if the chain of certificates can be followed back to one on that list, the certificate is judged legitimate.

In November 2022, however, it was reported that TrustCor, which is recognized as a root CA by browsers including Chrome, Safari, and Firefox, is linked to a company that has been providing communication interception services to US government agencies for more than 10 years.

Discovered that TrustCor, which is used as a root certificate authority in Chrome, Safari, and Firefox, had a connection with an American intelligence agency - GIGAZINE



TrustCor executive Rachel McPherson argued that although several of the same holding companies invested in both TrustCor and Packet Forensics, the two companies have no ongoing business relationship. TrustCor also confirmed that it has a small staff working remotely in Canada, as well as infrastructure in Arizona. Some technologists point out that TrustCor avoids addressing questions such as its legal domicile and ownership, which makes it unsuitable to serve as a root CA.

In addition, the researchers from the University of Calgary and the University of California who first uncovered the relationship between TrustCor and Packet Forensics examined email sent through MsgSafe.io, a communication service that TrustCor claims is end-to-end encrypted, and reported that it was not actually encrypted and that TrustCor could read the contents. McPherson countered that the researchers had used the wrong version or misconfigured it.

Packet Forensics has also been linked to Measurement Systems, a company that wrote code to send user information to outside parties through Android applications. The same code was found in a test version of MsgSafe.io, but McPherson claims it was inserted by developers without the knowledge of executives.

Dozens of Android applications on Google Play discovered to have secretly sent user information to outside parties, and removed - GIGAZINE



Following this series of reports, Mozilla and Microsoft decided to stop trusting newly issued certificates from TrustCor. On a mailing list whose participants included TrustCor officials and security professionals, a Mozilla representative said, 'Certificate authorities play a highly trusted role in the Internet ecosystem, and it is unacceptable for a certificate authority to be closely tied, through ownership and operations, to a company engaged in malware distribution,' adding that 'the response from TrustCor's Vice President of Certificate Authority Operations confirms the facts behind Mozilla's concerns.'
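The two mechanisms described on this page, the browser walking a certificate chain back to its built-in root list, and a vendor deciding that certificates a particular root issued after a cutoff date are no longer trusted, can be modeled in a few dozen lines. The following is an added example written for this article; it is not code from Mozilla, Microsoft, or GIGAZINE. All CA names, keys, and dates are constructed, the cutoff date is a placeholder rather than the vendors' actual policy date, and the HMAC tag stands in for the real RSA/ECDSA signature check (it is a toy, not a secure scheme).

```python
"""Toy model of root-store chain validation plus a 'distrust after' policy.

Constructed example. The HMAC 'signature' is a stand-in for real asymmetric
signature verification; in this toy the 'key' in a certificate doubles as the
signing key, which a real PKI never does.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date   # issuance date; this is the field a distrust-after policy inspects
    key: bytes         # the subject's key (toy stand-in for the public key)
    signature: bytes   # toy tag over the to-be-signed fields, produced with the issuer's key


def _tbs(subject: str, issuer: str, not_before: date, key: bytes) -> bytes:
    """The 'to be signed' bytes: subject, issuer, issuance date and subject key."""
    return b"|".join([subject.encode(), issuer.encode(), not_before.isoformat().encode(), key])


def issue(subject: str, subject_key: bytes, issuer: str, issuer_key: bytes, not_before: date) -> Cert:
    """Issuer signs a certificate binding subject to subject_key (toy HMAC signature)."""
    tag = hmac.new(issuer_key, _tbs(subject, issuer, not_before, subject_key), hashlib.sha256).digest()
    return Cert(subject, issuer, not_before, subject_key, tag)


def signature_ok(cert: Cert, issuer_key: bytes) -> bool:
    """Recompute the toy tag with the issuer's key and compare in constant time."""
    expected = hmac.new(issuer_key, _tbs(cert.subject, cert.issuer, cert.not_before, cert.key),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def validate_chain(chain, root_store, distrust_after):
    """Validate a chain (leaf first, ending with the cert a root issued).

    root_store:     {root subject: root Cert}  - the client's built-in list of roots.
    distrust_after: {root subject: date}       - roots whose certificates issued after
                                                 that date are no longer accepted.
    Returns (trusted, reason)."""
    # Walk upward: each certificate must name, and be signed by, the next one in the chain.
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert.issuer != issuer_cert.subject or not signature_ok(cert, issuer_cert.key):
            return False, f"broken chain at {cert.subject}"
    top = chain[-1]
    root = root_store.get(top.issuer)
    if root is None:
        return False, f"root '{top.issuer}' not in trust store"
    if not signature_ok(top, root.key):
        return False, f"bad signature from root '{root.subject}'"
    # Distrust-after policy: the root stays in the store so existing certificates keep
    # working, but anything the root's hierarchy issued after the cutoff is rejected.
    cutoff = distrust_after.get(root.subject)
    if cutoff is not None and chain[0].not_before > cutoff:
        return False, f"leaf issued after distrust date {cutoff} for '{root.subject}'"
    return True, f"chain ends at trusted root '{root.subject}'"


# Constructed sample PKI: Root A is healthy, Root X is the one being distrusted.
ROOT_A = issue("Root A", b"k-root-a", "Root A", b"k-root-a", date(2015, 1, 1))
ROOT_X = issue("Root X", b"k-root-x", "Root X", b"k-root-x", date(2016, 1, 1))
ROOT_STORE = {c.subject: c for c in (ROOT_A, ROOT_X)}
DISTRUST_AFTER = {"Root X": date(2022, 11, 30)}  # placeholder cutoff, not the vendors' policy date
INTER_X = issue("Intermediate X1", b"k-inter-x1", "Root X", b"k-root-x", date(2020, 1, 1))


def scenarios():
    """Run the constructed cases and return {case name: (trusted, reason)}."""
    inter_a = issue("Intermediate A1", b"k-inter-a1", "Root A", b"k-root-a", date(2020, 1, 1))
    leaf_a = issue("www.example.com", b"k-leaf", "Intermediate A1", b"k-inter-a1", date(2023, 1, 1))
    old_leaf_x = issue("www.example.com", b"k-leaf", "Intermediate X1", b"k-inter-x1", date(2022, 6, 1))
    new_leaf_x = issue("www.example.com", b"k-leaf", "Intermediate X1", b"k-inter-x1", date(2023, 1, 1))
    tampered = Cert(old_leaf_x.subject, old_leaf_x.issuer, old_leaf_x.not_before, old_leaf_x.key, b"\x00" * 32)
    store_without_x = {"Root A": ROOT_A}  # the stricter alternative: remove the root entirely
    return {
        "healthy root": validate_chain([leaf_a, inter_a], ROOT_STORE, DISTRUST_AFTER),
        "distrusted root, issued before cutoff": validate_chain([old_leaf_x, INTER_X], ROOT_STORE, DISTRUST_AFTER),
        "distrusted root, issued after cutoff": validate_chain([new_leaf_x, INTER_X], ROOT_STORE, DISTRUST_AFTER),
        "root removed from store": validate_chain([old_leaf_x, INTER_X], store_without_x, {}),
        "tampered leaf": validate_chain([tampered, INTER_X], ROOT_STORE, DISTRUST_AFTER),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{'TRUSTED ' if ok else 'REJECTED'}  {name}: {why}")
```

The distrust-after case is the interesting one: the root stays in the store, so certificates issued before the cutoff keep validating until they expire, while anything issued afterwards is rejected even though every signature in the chain is valid. Removing the root outright, the last scenario, breaks existing certificates immediately, which is why vendors often prefer a dated cutoff.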

Packet Forensics had also distributed a brochure to law enforcement and intelligence agencies in 2010 claiming that encrypted communications could be intercepted. Researchers at the time assumed this would be done with forged digital certificates and did not consider that a root CA itself could be the danger.

in Web Service, Security, Posted by log1h_ik