Mozilla and Microsoft have removed root certificate authority (RCA) TrustCor from their respective Firefox and Edge browsers over suspicions about its reported ties to spyware firms and intelligence agencies.
RCAs are entities that authenticate keys that browsers and operating systems use to verify connections to legitimate websites. The vetting process for an RCA to be included in major web browsers is expensive and lengthy because RCA status comes with the potential for abuse, such as surveillance and traffic hijacking.
In November, a number of concerning details about TrustCor were reported, including shared officers with a Panamanian spyware firm called Measurement Systems, which distributed an app software development kit (SDK) that secretly collected data on users.
Measurement Systems is itself an affiliate of Packet Forensics, a firm that has pitched police on its ability to conduct man-in-the-middle attacks. A beta version of MsgSafe.io, a secure messaging program developed by TrustCor, contained that SDK, and security researchers told the Post it wasn’t actually encrypted as advertised.
One TrustCor partner was listed as a contact for yet another firm that managed 175 million IP addresses for the Pentagon; another source told the paper that Packet Forensics technology was used to catch terrorism suspects.
Adding to the list of suspicious factors, the firm’s mailing address was a UPS Store mail drop in Toronto, while TrustCor’s website listed its leadership as one man who died months ago and another whose LinkedIn profile indicated he left the company in 2019.
Other browsers, including Apple’s Safari and Google’s Chrome, include TrustCor as an RCA. In a statement, Google said the company would be “providing an update on the trust status of TrustCor shortly.” Apple did not immediately respond.