Photo by Amelia Holowaty Krales / The Verge
A report from The Washington Post has raised doubts about a root certificate authority trusted by Google Chrome, Safari, Firefox, and other major browsers that has ties to US intelligence contractors. The company in question, TrustCor, operates as a root certificate authority: the certificates it signs are what browsers use to confirm that a website is who it claims to be. The report found no concrete evidence of wrongdoing, but it raised significant questions about the company's trustworthiness.
Root certificate authorities are what stand between a browser and a forged website: a certificate chaining to a trusted root is the browser's proof that it is talking to the real site and not to someone intercepting the connection. Since a trusted root can issue a certificate for any domain, and can also delegate that power to intermediate authorities, a root linked to surveillance or malware efforts could mint certificates that browsers would accept for sites it does not control. That calls the entire certification system into question.
The Post lays out significant evidence that, at the very least, TrustCor is connected with more than straightforward authentication. TrustCor's Panamanian registration records show significant overlap with an Arizona-based spyware company associated with Packet Forensics, including an "identical slate of officers, agents and partners" shared between the two companies. A well-known surveillance contractor, Packet Forensics has reportedly sold communication interception services to US government agencies for more than a decade.
"It turns out they also own a certificate authority!
Their roots are everywhere. (Seriously, you should delete them in the off-chance they don't get pulled this week.)"
https://t.co/mlzAOvycoP
Serge Egelman (@v0max), November 8, 2022
Another of TrustCor's partners is linked to Raymond Saulino, who, as it turns out, is named as a spokesperson for Packet Forensics in a Wired article from 2010. Saulino pops up again as a contact for Global Resource Systems, a company that managed over 175 million IP addresses for the US Department of Defense. It's still unclear why the Pentagon transferred those IP addresses to the company, but the Pentagon told The Post at the time that it was part of a "pilot effort" to "identify potential vulnerabilities" and "prevent unauthorized use of DoD IP address space."
The result raises real concerns that TrustCor may have abused its power as a certificate authority to further US surveillance operations. Cybersecurity researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley told The Post they believe TrustCor might use its ability "against high-value targets within short windows of time."
According to The Post, TrustCor is also linked to a Panamanian company called Measurement Systems. This is the same firm that The Wall Street Journal reported earlier this year had been paying developers to include a piece of its code in various apps to harvest data. The spyware, which was found in a Muslim prayer app, a speed trap detection app, a QR code reader, and others, recorded users' phone numbers, email addresses, and locations. Google ended up removing these apps from the Play Store.
Reardon and Egelman also found that one of TrustCor's products, an encrypted messenger called MsgSafe.io, isn't end-to-end encrypted as advertised: MsgSafe's own servers can read any message sent through the app. When The Post looked up the physical address of TrustCor, it was directed to a UPS Store in Toronto. The outlet also found that the email contact form on its website doesn't work, and its Panama-based phone number has been disconnected.
TrustCor can only keep certifying websites (and delegating that ability to intermediate authorities) because browsers like Chrome, Safari, and Firefox ship its roots in their trust stores. As noted by The Post, the cybersecurity researchers notified Google, Apple, and Mozilla of their findings but haven't heard much back. The companies also didn't immediately respond to The Verge's request for comment.
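Whether a given root is trusted on your own machine is something you can check yourself. The script below is an added example, not code from the article, from TrustCor, or from the researchers; it uses only Python's standard library, which exposes each loaded root as a dictionary whose "subject" is a tuple of relative distinguished names, each a tuple of (attribute, value) pairs. It matches on the organization name ("TrustCor", as named in the article); the common names, serial numbers and dates in the sample data are constructed for the offline demonstration and are not real certificates.

```python
"""Scan the CA certificates Python's ssl module trusts for a named organization.

Added example (not from the article or any vendor). Standard library only:
ssl.SSLContext.get_ca_certs() returns each loaded root as a dict; its
"subject" and "issuer" are tuples of RDNs, each RDN a tuple of (type, value).
"""
import ssl


def rdn_values(name, attr):
    """Return every value of attribute `attr` (e.g. "organizationName") in a
    subject or issuer in the nested-tuple format used by get_ca_certs()."""
    return [value for rdn in name for (key, value) in rdn if key == attr]


def find_roots(certs, organization):
    """Return the certs whose subject organizationName contains `organization`
    (case-insensitive). `certs` is a list of dicts in get_ca_certs() format."""
    needle = organization.lower()
    hits = []
    for cert in certs:
        orgs = rdn_values(cert.get("subject", ()), "organizationName")
        if any(needle in org.lower() for org in orgs):
            hits.append(cert)
    return hits


def describe(cert):
    """One-line summary of a root: common name, serial and expiry."""
    cn = rdn_values(cert.get("subject", ()), "commonName")
    return "%s (serial %s, expires %s)" % (
        cn[0] if cn else "?",
        cert.get("serialNumber", "?"),
        cert.get("notAfter", "?"),
    )


def loaded_system_roots():
    """Roots the default SSLContext trusts on this machine.

    Caveat: when OpenSSL is configured with a capath directory rather than a
    single bundle file, it loads roots lazily and this list can be incomplete;
    a PEM bundle loaded via cafile is enumerated in full.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


# Constructed sample in get_ca_certs() format so the scan runs offline.
# These are NOT real certificates: the common names, serials and dates are
# made up; "TrustCor" is the organization named in the article.
SAMPLE_ROOTS = [
    {
        "subject": (
            (("countryName", "PA"),),
            (("organizationName", "TrustCor Systems"),),
            (("commonName", "Sample TrustCor Root"),),
        ),
        "serialNumber": "01",
        "notAfter": "Jan  1 00:00:00 2040 GMT",
    },
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Sample Trust Services"),),
            (("commonName", "Sample Root CA"),),
        ),
        "serialNumber": "02",
        "notAfter": "Jan  1 00:00:00 2040 GMT",
    },
]


if __name__ == "__main__":
    # Run the scan against the live trust store, then against the sample.
    for label, roots in (("system", loaded_system_roots()), ("sample", SAMPLE_ROOTS)):
        hits = find_roots(roots, "TrustCor")
        print("%s store: %d roots loaded, %d matching" % (label, len(roots), len(hits)))
        for cert in hits:
            print("  " + describe(cert))
```

Run it without arguments to list any TrustCor-issued roots the interpreter's default context trusts; a browser keeps its own store, so an empty result here says nothing about Chrome or Firefox, which have to be checked through their own certificate managers.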