An Untrustworthy TLS Certificate in Browsers
The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy:
Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.
The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.
[…]
In the earlier spyware matter, researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley found that a Panamanian company, Measurement Systems, had been paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations. They estimated that those apps were downloaded more than 60 million times, including 10 million downloads of Muslim prayer apps.
Measurement Systems’ website was registered by Vostrom Holdings, according to historic domain name records. Vostrom filed papers in 2007 to do business as Packet Forensics, according to Virginia state records. Measurement Systems was registered in Virginia by Saulino, according to another state filing.
More details by Reardon.
Cory Doctorow does a great job explaining the context and the general security issues.
EDITED TO ADD (11/10): Slashdot thread.
Clive Robinson • November 10, 2022 9:52 AM
@ Bruce, ALL,
Re: CAs
Only some?
Most western nations like America, Australia, etc. have legislation “to compel” in one way or another.
Others have placed staff in CAs or by financial manipulation (RSA) have gained sympathetic help.
But mostly, due to the cut-throat nature of the business, most CAs have cut back not just security staff but security systems, thus they are in effect a “push over” even for “script-kiddie” like attackers.
The real cause of the problem and why it’s so easy to get security credentials that are at best highly questionable is as I mention from time to time,
“Hierarchical Trust Systems”
In fact any and all hierarchical power structures are by definition “corrupt”. Due to the way power gets vested in the very top of the pyramid, and every human has “a price”, every system “a vulnerability”…
Yet we do not do research to get rid of hierarchies,
“Why?”
Are we complicitly corrupt?