This week several major web browsers quickly severed ties with a mysterious software company used to certify the security of websites, three weeks after the Washington Post exposed its connections to a US military contractor, the Post reports.
TrustCor Systems provided ‘certificates’ to browsers to Mozilla Firefox and Microsoft Edge, which vouched for the legitimacy of said websites.
“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” said Mozilla’s Kathleen Wilson in an email to browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”
According to TrustCor’s Panamanian (!?) registration records, the company has the same slate of officers, agents and officers as Arizona-based Packet Forensics, which has sold communication interception services to the U.S. government for over a decade.
One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.
The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be. -WaPo
Also of concern, TrustCor’s small staff in Canada lists its place of operation at a UPS Store mail drop, according to company executive Rachel McPherson, who says she told their Canadian staffers to work remotely. She also acknowledged that the company has ‘infrastructure’ in Arizona as well.
McPherson says that ownership in TrustCor was transferred to employees despite the fact that some of the same holding companies had invested in both TrustCor and Packet Forensics.
Various technologists in the email discussion said they found TrustCor to be evasive when it came to basic facts such as legal domicile and ownership – which they said was not appropriate for a company responsible for root certificate authority that verifies a secure ‘https’ website is not an imposter.
Hellbound and Down 