A report by The Washington Post has raised doubts about a root certificate authority, used by Google Chrome, Safari, Firefox and other tech companies, that is associated with US intelligence agencies. The company in question, called TrustCor, works as a root certificate authority to validate the trustworthiness of websites, and while the report found no concrete evidence of wrongdoing, it raised important questions about the trustworthiness of the company.
Root certificate authorities protect against counterfeit websites and attacks. Because a root certificate authority can also give others the ability to grant certificates, any link between such an authority and surveillance or malware efforts is a concern, as it calls the entire certification system into question.
The Post provides significant evidence that TrustCor is, at the least, connected with more than simple authentication. TrustCor’s Panamanian registration data shows significant overlap with an Arizona-based spyware company affiliated with Packet Forensics, including an “identical list of officers, agents and partners” shared between the two companies. Packet Forensics, a well-known surveillance contractor, has reportedly sold communications interception services to US government agencies for more than 10 years.
Another TrustCor partner has been linked to Raymond Saulino, who was named as a spokesperson for Packet Forensics in a Wired article from 2010. Saulino later resurfaced as a liaison for Global Resource Systems, a company that managed more than 175 million IP addresses for the US Department of Defense. It’s still unclear why the Pentagon turned over those IP addresses to the company, but the Pentagon told The Post at the time that it was part of a “pilot effort” to “identify potential vulnerabilities” and “prevent unauthorized use of DoD IP address space”.
The findings raise real concerns that TrustCor may have abused its power as a certification body to further US surveillance operations. Cybersecurity researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley told The Post they believe TrustCor could use its assets “against high-value targets within a short period of time.”
According to The Post, TrustCor is also affiliated with a Panamanian company called Measurement Systems. This is the same company that, as The Wall Street Journal reported earlier this year, paid developers to embed its code into various apps to collect data. The spyware, which was found in a Muslim prayer app, a speed trap detection app, a QR code reader, and others, logged users’ phone numbers, email addresses and locations. Google eventually removed these apps from the Play Store.
Reardon and Egelman also found that one of TrustCor’s products, an encrypted messenger called MsgSafe.io, is not actually encrypted and allows MsgSafe to read all messages sent through the app. When The Post looked up TrustCor’s physical address, it was directed to a UPS Store in Toronto. The outlet also discovered that the email contact form on TrustCor’s website is not working and that the Panama-based phone number has been disconnected.
TrustCor can only continue to certify websites (and allow others to certify them as well) because browsers such as Chrome, Safari, and Firefox recognize the company as a root certificate authority. As noted by The Post, cybersecurity researchers have notified Google, Apple and Mozilla of their findings, but haven’t heard much back. The companies also did not immediately respond to The Verge’s request for comment.