Updated on 2022-12-01: TrustCor removed from Mozilla root store
Mozilla’s security team has decided to remove the TrustCor certificate authority from the Firefox root store, the system that controls which certificate authorities the Firefox browser trusts. The decision comes after a group of academics found ties between the Panamanian company and companies from the surveillance industry, ties that were covered in more depth in this WaPo report. Although there was no official statement, Microsoft also appears to have removed TrustCor support from Edge hours before Mozilla’s public announcement.
Read more: Mysterious company with government ties plays key internet role
Updated on 2022-11-14: Why is this root certificate authority’s address a UPS mailbox?
A fascinating story takes a closer look at TrustCor Systems, a web root certificate authority that is trusted by the big browsers (Chrome, Firefox and Safari) to vouch for the legitimacy of websites. According to documents and security researchers speaking to Washington Post ($) reporter @josephmenn, the company has unusual connections to contractors for U.S. intelligence and law enforcement. It’s a long (and complicated) read but brilliantly explained. It’s quite strange that such an important component of the internet is shrouded in so much secrecy and mystery, such as why its physical office is just a UPS Store mail drop in Toronto. “They have this position of ultimate trust, where they can issue encryption keys for any arbitrary website and any email address,” said one researcher. “It’s scary this is being done by some shady private company.” More from Menn in his tweet thread. Plus, the infuriating lack of response from the browser vendors until after the story came out suggests there’s more to come on this down the line.
Read more: Mysterious company with government ties plays key internet role
Overview: Concerns about TrustCor
Concerns have been raised about browser vendors trusting certificates issued by TrustCor, a Panamanian company with deep links to companies from the surveillance industry.