A company that has several majors web browsers rely on checking whether secure websites have links to U.S. intelligence and law enforcement agencies, new research shows.
Exhibition of authorship Washington Post (opens in a new tab) (TWP) (paywall), which draws conclusions from documentation, records and interviews with security researchers.
TrustCor Systems Panama records reveal it shares staff with a spyware developer previously identified as having ties to Arizona-based Packet Forensics, which public records previously revealed had sold “communications interception services” to U.S. agencies “for more than a decade. “
Root certificate infrastructure
Google Chrome, Apple Safari, supposedly Mozilla secure browser Firefox and a few others allow TrustCor to sign root certificates for websites it deems safe and legitimate, directing users to them instead of potentially convincing fakes.
TrustCor maintains that it has never cooperated with government information requests or monitored users on behalf of a third party. However, the Pentagon declines to comment, and Mozilla demands a response from TrustCor while threatening to revoke its powers.
The TrustCor revelations are a PR nightmare for browsers like Firefox that advertise themselves as privacy toolsbut its own products can no longer be considered safe for end users.
MsgSafe, an e-mail provider from TrustCor, which purports to offer end-to-end encryption, was condemned by security experts speaking to TWP, claiming that an early version of the software contained spyware developed by a company affiliated with Packet Forensics.
An expert familiar with the work of Packet Forensics clearly confirmed that the company used the TrustCor certification process and MsgSafe to intercept communications and “help the US government catch terrorist suspects.”
It also claimed that TrustCor products and services were only used to search for these “high goals” and there were no reports of root certificates being used to vouch for fake websites for purposes such as data collection.
However, the doubts sown by the revelations could damage the reputation of the web browsers involved, as there is no way to know if TrustCor’s strategy will change.