Dec. 7, 2022
UCalgary research raises questions about internet security
Research by a University of Calgary internet security and privacy expert and a colleague at University of California Berkeley has led to web browser firm Mozilla removing an offshore company as a trusted “root certificate authority.”
The basis of all security on the internet comes from root certificate authorities, and their removal is rare and significant. Any root certificate authority can vouch for the legitimacy of any website.
The major web browser firms and other technology companies trust a root certificate authority to guarantee that websites are legitimate and guide users to them seamlessly.
“Ultimately, we trust these entities completely for internet security,” says Dr. Joel Reardon, PhD, associate professor in the Department of Computer Science in the Faculty of Science.
“If you want to go to a website, the only reason you know you’re talking to that website is because some root certificate authority that you trust says this is the right website,” he says.
Research by Reardon and Dr. Serge Egelman, PhD, at the University of California Berkeley, prompted the Washington Post to look into the researchers’ concerns about a Panamanian company, TrustCor Systems, that is a root certificate authority.
The researchers shared their findings with Mozilla, Google and Apple, and the case was discussed in an online forum that attracted other internet security experts and browser specialists.
After nearly a month of discussion, on Wednesday, Nov. 30, Mozilla made the decision to “distrust,” or essentially remove, TrustCor’s root certificate authority from Mozilla’s Firefox browser.
“Either you’re a root certificate authority, in which case you’re completely trusted. Or you’re not a root certificate authority and you have no trust,” Reardon says.
A certificate authority acting improperly could expose millions of internet users to people spying on their internet activity, gaining access to users’ phone numbers, email addresses and exact locations, he says.
Certificates are also used for “code signing,” which is how computers ensure the software updates they receive are from a legitimate source. So it is possible for a misbehaving certificate authority to tamper with this process.
Research sparked Washington Post story
Reardon’s and Egelman’s research looked at TrustCor Systems, a company founded in 2013 and registered in Panama but which has employees working remotely in Canada and the U.S.
Based on corporate records they found, TrustCor had ties to another company, Measurement Systems, a maker of software that can spy on internet users.
The Washington Post, in a story by Joseph Menn, reported that TrustCor’s Panamanian registration records showed TrustCor had the identical slate of officers, agents and partners as Measurement Systems.
Measurement Systems was paying application makers to include its spyware — advertised as protecting privacy — in app makers’ software. The spyware then could be used to spy on internet users.
Measurement Systems is affiliated, through corporate and web domain records, with Arizona-based Packet Forensics, which offers communication interception services to clients such as U.S. intelligence agencies and law enforcement.
Google, after discovering what was going on, banned all software containing Measurement Systems’ spyware from its app store.
TrustCor’s products include an email service called MsgSafe.io that claims to be end-to-end encrypted (meaning only the user and the recipient can access and read the email). However, Reardon, Egelman and other experts found evidence that emails sent through its system could be read by the company.
In the online discussion forum, Rachel McPherson, TrustCor’s vice-president of operations and who’s based in Vancouver, denied any wrongdoing by the company.
“To put it plainly and directly, TrustCor (including MsgSafe.io) has never co-operated with information requests from the U.S. government or any government for that matter,” McPherson said. “Likewise, we have not assisted or enabled any company or third party to surveil, monitor or in any way gather information on our customers for the purposes of providing it to anyone else in any form . . ..”
Although parent company TrustCor owns both the root certificate authority and MsgSafe, both business units operate independently from each other, she said.
McPherson said TrustCor became an employee-owned company in 2021 (with her being the largest shareholder). However, the company’s website still lists as its leadership team the two original co-founders of the Panamanian company. One of these co-founders, who left the company in 2017, recently died. The other co-founder left in 2019.
Concerns 'substantiated,' Mozilla decided
Reardon says he and Egelman found no evidence that TrustCor had issued bad certificates or otherwise abused its authority as a root certificate authority.
However, the concerns raised by the pair’s research proved sufficient for Mozilla to take action.
Kathleen Wilson, California-based program manager at Mozilla Corporation, weighed in Nov. 30 on the discussion forum, pointing out that:
Measurement Systems and TrustCor have had shared corporate officers, operational control and technical integrations.
The same individual was responsible for the day-to-day operation of both TrustCor’s certificate authority business and its MsgSafe business unit.
TrustCor operated an email encryption product called MsgSafe which is operationally tied to its certificate authority unit.
An early version of Measurement Systems’ spyware was included in a test version of TrustCor’s MsgSafe application.
“Certificate authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Wilson said.
“Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s [root certificate program] outweighs the benefits to end users.”
Therefore, Mozilla will, effective Nov. 30, 2022, “distrust” TrustCor’s three root certificates included in Mozilla’s root certificate store and remove these certificates upon their expiry dates, Wilson said.
Microsoft also removed TrustCor’s certificate authority from its Edge browser.
“Certificate authorities demand so much trust from everyone using them to secure the internet. So they should be held to higher accountability,” Reardon says.
He and Egelman plan to publish their research in a peer-reviewed journal and possibly do a deeper analysis of all root certificate authorities to see if there are similar or other concerns.