The Mysterious Company That Lives in Our Browsers

The certification authority Trustcor is in Chrome, Safari, and Firefox - it has ties to spyware and surveillance companies.

The browsers Chrome, Safari, Firefox, and others trust the TLS certificates from the certification authority Trustcor. But the company has ties to contractors for US intelligence and law enforcement agencies, according to the Washington Post newspaper.

The company's registration documents in Panama show that it has the same officers, agents, and partners as spyware maker Measurement Systems. This was identified during the year as a subsidiary of Packet Forensics based in the US state of Arizona. The latter sells communications interception services to the US government.

For example, Raymond Saulino, who is a Trustcor partner, spoke in an article for the online magazine Wired as a spokesman for Packet Forensics. In addition, Saulino registered the spyware manufacturer Measurement Systems in the state of Virginia. The company has thus created spyware SDK and paid app developers around the world to integrate it.

Security researchers discovered apps with the corresponding malicious code in Google's Play Store. They are said to have been installed on a total of around 60 million devices. Google then deleted the apps from the Play Store in March 2022.

A test version of the supposedly end-to-end encrypted e-mail service MsgSafe.io from the company Trustcor is said to have contained the above-mentioned spyware. End-to-end encryption is also questioned by experts interviewed by the Washington Post. You assume that Trustcor can read the e-mail.

Fake TLS Certificates?

So far, however, there have been no reports that Trustcor should have misused its root certificate integrated into the browsers. These could be used, for example, to issue fake certificates for websites and thus carry out machine-in-the-middle attacks (MITM).

According to the Washington Post, however, researchers suspect that the certificates are only used against high-level targets and only for a very short period of time. A person familiar with Packet Forensics' work confirmed that the certificates were used in this way. In addition to TLS certificates, Packet Forensics also uses Trustcor's email service. Both are used for telecommunications surveillance on behalf of the US government.

The company's legal counsel, Kathryn Tremel, disagreed. Packet Forensics has no business relationship with Trustcor. However, she declined to comment on a past business relationship, according to the Washington Post report. Packet Forensics recently signed a $4.6 million deal with the Pentagon for "computing, hosting, and related services. "

After the report was published, the browser manufacturer Mozilla gave Trustcor two weeks to comment on the allegations. The alternative Android GrapheneOS, which focuses on security and data protection, has already reacted and removed the Trustcor certificate from its current release. Since the certificates are hardly used, no impact on the user experience is expected.