Major Web Browsers Drop Mysterious Authentication Company After Ties To US Military Contractor Exposed

This week several major web browsers quickly severed ties with a mysterious software company used to certify the security of websites, three weeks after the Washington Post exposed its connections to a US military contractor, the Post reports.

TrustCor Systems provided ‘certificates’ to the browsers Mozilla Firefox and Microsoft Edge, which vouched for the legitimacy of those websites.

“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” said Mozilla’s Kathleen Wilson in an email to browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”

According to TrustCor’s Panamanian (!?) registration records, the company has the same slate of officers and agents as Arizona-based Packet Forensics, which has sold communication interception services to the U.S. government for over a decade.

One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.

The case has put a new spotlight on the obscure systems of trust and checks that allow people to rely on the internet for most purposes. Browsers typically have more than a hundred authorities approved by default, including government-owned ones and small companies, to seamlessly attest that secure websites are what they purport to be. -WaPo

Also of concern, TrustCor’s small staff in Canada lists its place of operation at a UPS Store mail drop, according to company executive Rachel McPherson, who says she told their Canadian staffers to work remotely. She also acknowledged that the company has ‘infrastructure’ in Arizona.

McPherson says that ownership in TrustCor was transferred to employees despite the fact that some of the same holding companies had invested in both TrustCor and Packet Forensics.

Various technologists in the email discussion said they found TrustCor to be evasive when it came to basic facts such as legal domicile and ownership – which they said was not appropriate for a company responsible for a root certificate authority, which verifies that a secure ‘https’ website is not an impostor.


Author: HP McLovincraft
