Major Web Browsers Drop Sketchy Certificate Authority

Here is something that got my attention. All the major web browsers, meaning Firefox, Chrome, and Edge, have decided to drop a certificate authority that has ties to a US military contractor.

Mozilla’s Firefox and Microsoft’s Edge said they would stop trusting new certificates from TrustCor Systems that vouched for the legitimacy of sites reached by their users, capping weeks of online arguments among their technology experts, outside researchers and TrustCor, which said it had no ongoing ties of concern. Other tech companies are expected to follow suit.

“Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware,” Mozilla’s Kathleen Wilson wrote to a mailing list for browser security experts. “Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.”

The Post reported on Nov. 8 that TrustCor’s Panamanian registration records showed the same slate of officers, agents and partners as a spyware-maker identified this year as an affiliate of Arizona-based Packet Forensics, which has sold communication interception services to U.S. government agencies for more than a decade. One of those contracts listed the “place of performance” as Fort Meade, Md., the home of the National Security Agency and the Pentagon’s Cyber Command.

That would qualify as sketchy as this company makes software that should ring alarm bells. Pratik Selva, Lead Security Engineer at Venafi added this:

When considering security, one of the areas that is still not given due focus by many organizations is Certificate Authorities (CAs). CAs are / should be a key component in any corporate security strategy as they are machine identity enablers. A root CA is the most significant piece in that hierarchy as it holds the potential to impact the security and the trust of the entire certification hierarchy due to any abuse or compromise. This view needs to be factored in when organizations conduct threat modeling or assessments.  

Additionally, there can be also compliance implications if there are weak or non-existent checks and balances in place for ensuring the security of a CA. What is more alarming is that CA compromise has been found to be achieved using living-off-the-land (LOTL) techniques and tools. LOTL attacks are problematic from a detection standpoint and are an incident response (IR) nightmare. As root CAs pose a cascading risk, they have been a favorable target of nation state APT actors aiming to mount a crippling attack.”

My advice would be to make sure your browsers are up to date as that is how the removal of this certificate authority would take place. But this also underscores that you need to be on your toes when it comes to security and privacy.

Leave a Reply

%d bloggers like this: