
I’m pretty disappointed by this outcome. I read the entire thread. If you skim the thread and just read the sensational responses then it paints a pretty grim narrative of a CA that can't be transparent. But if you actually read Rachel’s responses she responds to every single accusation several times over. Yeah it’s a word swamp to wade through and the repeated context was annoying, but her company is under attack… what would you do? Would you not try to provide as much rebuttal as possible?

It’s pretty… idk… irreverent to take the stance: oh gosh look at this person squirming under pressure to defend themselves why would they do that they must be guilty and malicious. I can smell it! It really feels like a perversely inappropriate forum for discussing a complicated issue like that. Rachel wasn’t trying to deceive so much as she was trying to set guidelines for appropriate review of the material at hand. And then the comment at the end to her when she was simply trying to make sure the transition happens cordially without breaking existing certificates, as seems to be the intention, “why does Microsoft need to answer to you?”, is just snotty on a whole new level. Honestly it makes me think we need special courts and some sort of process to handle this stuff because people don’t have time to… process.

I am probably in the minority here, but I can’t help but feel like Rachel was a victim of a sloppy but effective smear campaign. I suspect the outcome would have been different if this was handled in a court of law.



To me, it looks like Kathleen Wilson from Mozilla did a great job sorting undisputed facts from all the noise in https://groups.google.com/a/mozilla.org/g/dev-security-polic..., and the noise that came from Rachel mostly served to obfuscate that these facts remain facts, and leave removal of the CA as the logical conclusion.

Based on that, it seems like the "rebuttal" is trying to rebut irrelevant things, leaving the undisputable elephant standing in the room. (I admit I haven't read the entire wall of text.)

> I suspect the outcome would have been different if this was handled in a court of law.

If it was a criminal court trying to prove something beyond reasonable doubt, certainly. For a CA, it's the other way around, there needs to be strong evidence that keeping the CA is beneficial to the users.


I agree that Kathleen’s response (tone, articulation, scope) was on point. Objectively, it does become hard to justify the value of a CA when there’s a mob of people questioning the value. In a very raw sense, this is probably the most user-centric outcome. So I will sleep on that.

But in a process sense, I am left wanting. I still don’t know what damage was done and why TrustCor CA got this special treatment in the first place in any way material to their CA issuing business, which they appeared to put great effort into operating by the books.


My read is that Mozilla were much more concerned about the shared ownership and operations with Measurement Systems, than the presence of the malware. I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?


I do agree that we shouldn’t allow something that overt.

But, if I read correctly, Rachel claimed that there was no longer any shared ownership and tried to explain that ownership in the sense that the word was being used was not a correct term in the first place. I believe she said it was a shared incorporation services / legal counsel / investor, at most, and that the speculation as to that relationship conferring any authority pertaining to the CA’s operations was entirely incorrect since the executive authority had long since been signed over to actual company officers.


I read the full thread (except for paragraphs where she pasted from previous responses).

She failed to reasonably and convincingly refute some allegations. There were repeated requests to provide information, some of which would be trivial to produce if acting in good faith.

After reading the exchange, I (as a reasonable bystander with no material interest in either side):

* Don't understand the relationship between TrustCor and the malware distributor in a clear way that company ownership records would provide

* Take it as a false statement that the mail service doesn't have apps, as its website advertises them

* Don't understand how their auditor audited them when they don't appear to have a presence in Canada that would be factual based on the extracts from the auditor findings

Unrelated to her responses, I could take it on faith that a rogue developer added spyware from a company with the same owners, but the finding that the payloads were sent to TrustCor servers diminishes the acceptance that sufficient controls exist in the company to not question the security of them as a CA.


Re: your last point: I find it especially concerning that all the questions about TrustCor's apparently compromised server were answered with, "MsgSafe's and TrustCor CA's infrastructure is separate". The concern was that TrustCor's practices led to their servers being compromised, which isn't a great sign for a company which operates a CA, even though it wasn't the CA servers themselves which were compromised. Nothing Rachel wrote indicated that the CA servers are operated in a more secure way than the MsgSafe servers, nor that they have changed any practices in response to the compromise.


"no longer any shared ownership" was asserted, but never backed up because of (it was claimed) issues with getting legal documents updated in a timely fashion.

Combining that with basic questions about how exactly ownership changed that were never answered and instead obfuscated behind reams of "nothing speak".

The final basis for the determination seems to be that the main loss from distrusting the TrustCor CA was their sibling company's private email service that is, at best, advertising itself under a very shady definition of E2EE.

Thus this seems like an easy decision to me.

The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.


>The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.

...Which in essence means CAs probably shouldn't exist as a standalone thing, and everyone should learn to build their own trust networks. None of this vouch nonsense, or Trust theater.


But she never said who actually owned these companies or how they were related, and said doing so would lead to tax problems. That was rather suspicious.


I have no problem saying that if your ownership structure is such that your lawyers or accountants have advised you not to reveal it publicly, you should not be in the CA business.


Apple runs a bunch of crap through a tax loophole in Ireland. Should they be trusted running the entire mobile ecosystem that underpins all of this in the first place? I actually agree that shady companies shouldn't be swept under the rug. But I don't agree with the hypocrisy of singling out some random CA for doing things that most every other company out there does because we lack the backbone as a society to put a stop to the shadiness.


If they are transparent about what they're doing, then it's not the same case I was talking about.

I can't see Apple saying "Well, on advice of our lawyers we can't actually explain our corporate structure to you." Is it a secret that they have a corporate entity in Ireland, is it a secret what they do with it? Or is it public knowledge that they don't hide?

So I wouldn't describe secret ownership structures as a thing "most every company out there does." But I'm not going to say Apple doesn't do unethical things. (Also is Apple even a trusted root CA for mozilla or microsoft browsers?)

I think non-transparency is an even higher level of problem for a CA. Secrecy about your corporate structure does not seem okay for a CA -- we need to know who they are and who controls them, non-negotiably. Secrecy of corporate structure does not seem like a thing most every company (or every CA) out there does.

But it's quite possible Apple should _not_ be trusted to "run the entire mobile ecosystem" that uses Apple products. You can make that argument. And we can talk about what the heck any of us can do about it individually or collectively if so. That's a different question than who should be allowed as a trusted CA root, or who Mozilla or Microsoft should allow as a trusted CA root.

When you say "that underpins all of this in the first place", I'm not sure what you mean; Mozilla and Microsoft trusted CA roots affect people who aren't doing anything with Apple products, Apple does not in fact "underpin" the entire SSL CA system in the first place. I don't know what to do about the Apple ecosystem if Apple can't be trusted, but I support Mozilla, Microsoft, or anyone else removing trusted CA roots belonging to companies with secretive corporate structures, ownership, or governance. All of this can be true. Apple doing unethical things doesn't mean mozilla or microsoft should allow a trusted root CA with secretive corporate ownership structure.


Sure. The Apple stuff is just an example, I don't mean to suggest they're a CA, but they are trusted to ship the list of CAs that you trust to your devices as are MS and Mozilla, so the exact same question of "should we trust them if they are a corporation of questionable ethics that do the same sort of tax things" exists and is apropos. Why is there a double standard? I find it rather inconsistent that we're going after some "shady" CA for essentially not being forthcoming in response to allegations that they consider false and have no duty to set straight without material proof that the allegations are to be taken seriously, and who look to be the target of a journalistic smear campaign involving forming similarly named corporate entities in the US to try and extract private information about the company via extrajudicial means. I mean why stop with TrustCor? Let's deploy the arsenal! Let's examine the interests of all parties funding all of the systems we trust in society. Seriously. If we're going to give a shit about something why is it some CA nobody's heard of where there is absolutely zero evidence of non-compliance with the required CA processes? Why spend effort on this? It's hardly news that companies try to minimize tax liability by structuring themselves in advantageous ways. What, pray, is a hallmark of a trustworthy company? Perhaps the public should vote on CA inclusion in the root trust list. Fuck the CA oligarchy.


To be honest, it sounded like Rachel herself did not know exactly how the company ownership was structured. It seemed obvious that it was a US company that incorporated abroad for some reason, and that alone is pretty sketchy. It looks like they are trying to hide who actually controls the company. That alone should be reason not to trust them.


Let's agree. Apple, then, should not be trusted either.


You could keep crows away from an entire field with the number of times you've trotted out that strawman. Just leave it be.


It's not a strawman. Literally we're saying "you see TrustCor CA didn't do anything wrong by the books, but we can't trust them anymore because they can't articulate their corporate structure on demand after scandalous allegations". Well, I simply ask people to consider how any other corporation in the same situation would respond. My bet is they'd also be less than forthcoming. And my example is Apple, who we know exploits tax loopholes via complex corporate governance structures, who everyone seems okay with trusting. It just doesn't make sense to me.


Apple is a public company and it's very clear who owns and who controls the company. They're a multinational company that consists of multiple legal entities, and it's generally not a secret who you are doing business with.

TrustCor is a company that looks like a front for a Spyware maker, and when asked about that they say: "It's not like you think, but we don't want to tell you what the actual situation is, so you'll have to trust us, it's fine! Also the spyware we were caught distributing is totally not our fault, it's from a contractor in a completely different business unit and is totally independent from our CA business, but again we can't tell you more because it is secret. But trust us, the CA business is completely legit. And the sketchy things you found were all the idea of a guy who passed away recently, so we unfortunately can't ask him why he did it, but it's all legit don't worry trust us."


> I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?

Playing devil's advocate: Why not? I mean yes, obviously if you end up in jail that might interfere with your ability to operate a CA (or any company for that matter). But barring that, as long as they haven't done anything to affect the security or proper operation of the CA certificate itself, why is that a basis for removing them from root stores? To the best of my knowledge this action is unprecedented.


Trust would seem to be the key word here. How can you trust an entity in one context when they have proven themselves untrustworthy in another?


> can you trust an entity in one context when they have proven themselves untrustworthy in another

We do that all the time. If, rather than TrustCor being associated with a company making malware we'd instead found out the company's CEO had cheated on his wife, would that be grounds for removing them from the root certificate store? Context matters.


Why the ad hominem attack and call security researchers, professors, professionals and employees from Apple, Mozilla and Google "mob"?

"TrustCor CA got this special treatment"

I'm not a regular on that mailing list, any source that this is special treatment and other CAs that are spyware software and snakeoil encryption software creators etc. are treated differently?


There is no ad hominem attack. And, I mean find me a company on the global stage that isn't optimizing taxes using offshore holding companies. If that's too shady to be allowed for a CA, then we shouldn't allow Apple to do it either.


Making use of tax "loopholes" isn't even in the same universe as selling this kind of BS security snake oil and malware.


Which isn't related in any material legal way to TrustCor CA, as has been explained already.


The security BS was being sold by a sibling company, heck, the person responding is a high up in both companies. And there is a lot of evidence of them being connected to the malware vendor.

If they can't rebut those concerns/connections in a clear and convincing way, they have no business being a CA. If you are satisfied with the answers, more power to you, but I honestly don't know how you could be after reading through those emails.


It's frustrating because you're just repeating the same drivel other people who don't have the situation straight are. Nobody related to TrustCor CA is connected to a malware company. That's factually incorrect. They are connected to an email privacy company which offers E2EE email but which, for product reasons, doesn't enable it as the default when you create a new account. The alleged malware company and the email company were historically related when they were born because they shared an investor. But that is no longer the case.


No, the person asserted that they aren't connected, and then offered lots of words about how they aren't connected, without actual good explanations as to why we should believe that assertion.

So, what you are saying is that they just happened to have the same investor, the malicious developer that they say worked for them just happened to include malware from that company (Unobfuscated, unlike every other example available), said developer was able to route traffic through the company domains, just happened to have identical corporate officers, and just happened to be related to a company that brags about being able to bypass SSL?

Let's just say that there is enough there that they better have a very clear explanation about it, and instead they were just deflecting deflecting deflecting or refusing to answer. I'm sorry it is bad for their business (assuming they actually are innocent of all this), but that is not an appropriate response for a CA when someone is asking legitimate questions based on legitimate suspicion from what would have to be the world's worst series of coincidences.


TrustCor had the source code of the spyware that no-one else had and used it in its product.


Whenever you push that false TrustCor narrative, I will answer with the question that has not been answered: Why did TrustCor have the source code of the spyware no-one had?


I think showing empathy is good and important. Responding to accusations on a public forum is understandably stressful, I could understand how it's hard to stay entirely placid in that situation. And I strongly agree on inflammatory comments like the Microsoft comment at the end, which do nothing to raise the level of the discussion.

However, I think it's helpful to consider public comments separately from the responses of browser vendors. I think they did an admirable job of keeping the contents of their messages calm and focused on establishing uncontroversial claims. In no way are Apple or Mozilla's responses trying to make the person squirm, or trying to 'smell the guilt'. Mozilla's final assessment rests on TrustCor's quantifying value statement in light of the MsgSafe.io findings, i.e. the close tie of TrustCor operatives with this malware operation.

The legal system is hardly a panacea. Legal battles can be made to last many years. And a court of law has no ground to litigate on questions of trust in the first place.

The forum was able to establish a list of important and uncontested claims in a few weeks of strenuous discussion, and their assessment of the benefits of keeping TrustCor vs. the risks seems reasonable to me. Third-party inflammatory messages about Microsoft notwithstanding.


I do agree with your assessment of the official responses. I’ll admit I may be overly sympathetic towards Rachel, but after reading her responses, I was left wanting a more substantiated resolution. It’s hard for me to trust a “value judgement” in the middle of a riot, so to speak.


> Responding to accusations on a public forum is understandably stressful, I could understand how it's hard to stay entirely placid in that situation.

Which is why at that point you hire lawyers and a corporate communications agency to do this for you. When your company's existence is on the line, you don't want to do that stuff yourself.


Which is very hard when given an exploding timeline of a few days to respond… Honestly I felt like some of her responses were crafted with input from people with legal training and that’s exactly what turned people off because everyone knows lawyers can’t be trusted rite.


The CA forum is designed to be a forum of trust, on eye level.

The fact that her responses read like a letter written by a bad lawyer already violates that trust. She's saying as little as possible, admitting nothing, and constantly trying to evade claims on a technicality.


I guess to me that behavior also makes sense if one has nothing to hide and is unfairly being asked for a bunch of info that isn’t appropriate or relevant to provide because of absurd unsubstantiated claims that they are in bed with malware authors by a journalist who seemingly has an agenda.


>absurd unsubstantiated claims

Interesting way to describe a situation in which company A had the same owners as malware company B and also integrated a never-before-seen unobfuscated copy of company B's malware into company A's app.

The claims are neither absurd nor unsubstantiated.


Neither company A nor company B have anything to do with company C, the CA.


company A is the CA.


That's not actually true, if you read Rachel's explanation.


What is not actually true?

Rachel admits that TrustCor (company A) and Measurement Systems (Company B) had the same investors:

> Unknown until recently by any employee officers of TrustCor we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals.

She argues it doesn't matter because those people don't own TrustCor anymore, but can't or won't provide any details about the supposed ownership transfer.

Rachel also admits that the supposedly secure email app owned by TrustCor (which lies about being E2EE) had Measurement Systems' malware built into it, which she blames on a rogue employee:

> Prior to my original reply, we had already completed an investigation related to this activity. Our software revision control system revealed immediately when the software was introduced and which developer introduced it. [...] Also as I previously stated, "Whether or not the SDK was added for a developer’s own financial gain or otherwise is beyond us and we don’t care to speculate." Our investigation found the developer in question properly signed our standard "Confidentiality Obligation and Invention Agreement” that requires any developer to obtain a corporate license to any 3rd party software or intellectual property the developer chooses to include. We confirmed through corporate records and email searches that no such agreement was ever obtained by the company or company counsel. Also, none was included inside the software/check-in to revision control. We also confirmed no approval for including this third-party software was ever obtained from Wylie (technically the manager of the developers at that time). Technically that individual developer violated our Confidentiality Obligation and Invention Agreement.

So, which part of what I said is not actually true?


I could be mistaken, but TrustCor CA is company C. TrustCor (company B) is where a rogue contractor allegedly added "malware", or in industry parlance, analytics software, to a product as part of work to instrument the app that never shipped publicly and thus never harmed users. But TrustCor CA is operated entirely independently from Company B. Furthermore, this entire thing is predicated on an allegation that because some piece of analytics malware appears unobfuscated in their app but obfuscated in others, they must have exclusive access to the source and therefore must be the authors. That's.. quite the leap. I can think of many other simple explanations for why the incorrect build of some software might appear in a software product. Anyway I don't believe it's correct to say Company B that "put malware in" their app is the same as Company C that operates an above board CA. And I'm beginning to question whether this software the opportunistic researchers found is actually even malware in the first place.


> I could be mistaken, but TrustCor CA is company C. TrustCor (company B) is where a rogue contractor allegedly added "malware", or in industry parlance, analytics software, to a product as part of work to instrument the app that never shipped publicly and thus never harmed users.

> Anyway I don't believe it's correct to say Company B that "put malware in" their app is the same as Company C that operates an above board CA.

You are mistaken. There is no Company C.

The company that put the malware in their app is MsgSafe.io, a "secure email" provider that advertises E2EE but doesn't actually provide E2EE. MsgSafe is owned by TrustCor. Again, this is something that Rachel readily and repeatedly admits in the email thread, for example in her 18 November email:

> Also, I will use "our company" when speaking of TrustCor (the CA operator) and MsgSafe (the email service).

MsgSafe may technically be a different company from Trustcor in the same sense that Google and Alphabet are technically different companies, but Rachel considers them both together to be "our company."

TrustCor/MsgSafe, Rachel's "our company," is Company A.

Company B is Measurement Systems. Measurement Systems is the company that provides the malware to app developers, not the company that put the malware in their app. As quoted in my previous post, Rachel admits that TrustCor and Measurement Systems had the same investors. According to public records they still have the same investors. Rachel claims that the previous owners have since divested, but (1) this is not reflected by public records and (2) she is unable or unwilling to provide any documentation of it. Also as quoted in my previous post, Rachel admits that TrustCor/MsgSafe's app contained Measurement Systems' SDK.

> to a product as part of work to instrument the app that never shipped publicly and thus never harmed users.

This is false. The app, although in "beta," was available on the Play Store and linked from MsgSafe.io as well as publicly advertised from the MsgSafe.io twitter account.

> Furthermore, this entire thing is predicated on an allegation that because some piece of analytics malware appears unobfuscated in their app but obfuscated in others, they must have exclusive access to the source and therefore must be the authors. That's.. quite the leap. I can think of many other simple explanations for why the incorrect build of some software might appear in a software product.

No, it's not. There are various other pieces of evidence tying TrustCor/MsgSafe to Measurement Systems, including domain registrations and common investors.

> And I'm beginning to question whether this software the opportunistic researchers found is actually even malware in the first place.

This, now, is truly absurd. The Measurement Systems' malware SDK captured and uploaded information including wifi router SSID and MAC, the phone number and email address associated with the device it's running on, the device IMEI, clipboard contents, and GPS locations [1]. There is no good-faith argument that can be made against it being malware.

[1] https://blog.appcensus.io/2022/04/06/the-curious-case-of-cou...


I've seen many analytics frameworks that try to capture whatever device identifiers they can get their hands on. I bet half the apps on your phone use one. And this has been an accepted practice in the industry for years. Why do you think Apple and browsers have been slowly removing access to these IDs? I tend to agree that such data collection is unnecessary and unwanted, but if a product or service is putting that shit in their software, and they call it out in their privacy policy and users consent to providing that information, then I don't see the legal problem. Though I certainly wish we would make laws that disallow such practices.


And they're not in legal trouble. They just aren't a trusted CA anymore.


It doesn't need to be illegal to be malware.


> unfairly being asked for a bunch of info that isn’t appropriate or relevant

That's true in a court of law, but here the goal is to convince others that you're trustworthy.


With the bold and the underlined text, the responses to me seemed right from a lawyer's Word.


The problem here with Rachel's behaviour is not if they are guilty or not. The problem here is that there is an expectation that a CA has a certain standard of behaviour and ability to handle... well, adversarial situations. Because that is what a CA has to do! They are the beholder of our trust.

By behaving like they do and more particularly not providing any of the proof asked for in the process, trust is broken. They do not demonstrate they have their shit together, do not demonstrate they understand the process nor the problem, and in general show they are not equipped in terms of knowledge and skills to be a CA.

Whether they are guilty or not does not matter anymore at this point. They have failed at a more basic level of being a CA. They cannot do the things we expect a CA to do. Them being breached or using their power for bad things does not even matter anymore.


In civil courts, the burden of proof lies with the accuser, usually. Because this is what happens if you let public opinion rule. It’s unfair to the accused and rarely ends in their favor, regardless of innocence or guilt, as you so clearly put it.


Being a root CA is a privilege, not a right. A root CA has enormous power over the whole internet, so they must prove that they are absolutely trustworthy beyond any doubt.


In civil courts the burden is the preponderance of evidence. And trust is a higher standard yet where the burden is on those who want the benefits of being trusted.


Part of a CA's job is to manage public opinion because their job is to maintain trust in the CA system. If they cannot instill trust then they should not be a CA.


Is it? I'll admit I have no knowledge of the charter of a modern CA.


I read the entire thread too and "I'm disappointed" that you portrayed (in the root of this comment) an unfair picture of "being harassed by a mob" while then retreating to "I don't know how this works".

It's basically a series of vague appeals to emotion.

> It really feels like a perversely inappropriate forum for discussing a complicated issue like that.

and

> Rachel was a victim of a sloppy but effective smear campaign.

The facts are neatly summarized in the thread as to why the CA was yanked. It's dispassionate (Except the MS flame) and to the point.

Your defense is almost as poor as the slight accusation of the researcher as misogynistic.


> I am probably in the minority here, but I can’t help but feel like Rachel was a victim of a sloppy but effective smear campaign.

I usually have sympathy for privacy-friendly services being abused by bad actors, and I certainly have sympathy for anyone being impersonated by State-sponsored APT for nefarious purposes. However, after reading through the thread, this does not seem to match reality.

It took just a few emails back and forth for TrustCor to change their statement from "we know nothing about these people" to "we used to have common investors", while placing the blame on a single recently-deceased individual... which still does not explain how a malicious data exfiltration (malware) SDK ended up in a beta product of theirs (a question they silently skimmed over), or why they pretend not to know why most of their legal infrastructure in place is deeply tied to this malicious actor.

Without commenting on the CA operations of TrustCor (and its lack of transparency), or the seemingly-broken security promises of the MsgSafe service, it seems relevant for the CA/B forum that TrustCor is obviously arguing in bad faith and trying to dissimulate ties to a now-well-known APT.

You would certainly expect most CAs to operate more transparently, to be registered where they actually operate, and to disclose where their hardware is located, especially when this location exposes them to NSL-style laws. Operating out of a mailbox in a tax haven, for a company based in Canada, with machines in the USA is already very sketchy. TrustCor's responses in the mailing lists in my humble opinion clearly outline that they are in bad faith (if not entirely malicious) and should be treated accordingly by browser vendors.

I understand that Rachel is now in a bad position and feels smeared. And maybe she is not the person responsible for the malicious setup/activities of the entire company (maybe she's even unaware), but that's what you get for being the public face of a rather-secretive malicious actor.


I'm not seeing where she's provided answers to the questions that really matter. All she's done is to talk in a patronizing manner to the CA members regarding their inability to understand corporate structures, as well as never answering how or why a MITM companies' SDK ended up being embedded in their app.

Further, even in times of stress, lashing out isn't the best decision. If I were interrogated by a cop and I called them a bunch of names, I would attract additional charges, on top of being suspected of committing the crime that I've been accused of.


To be fair they do say (without proof but that can be hard to provide) that the spyware was put there by a contract developer that was not authorized to add 3rd party tools but did anyway. That being said, given how extremely evasive they were and the lack of any tangible proof, I don't think it is unreasonable to doubt this explanation (how come you think a contract dev implementing malware isn't grounds for a lawsuit, shouldn't that be an open and shut case?)


I have to say that even if the “rogue developer” story is accurate, the reaction to it is a little underwhelming. “Sure, our supposed E2EE software did some crazy sketchy shit including proxying trivially-decryptable network packets to god-knows-where through our servers, but, uh, that guy doesn’t work here anymore” is supposed to be satisfying?


She also said they were advised legally against pursuing legal action and damages, though it crossed their minds.


Well, the silver lining is that they now have provable damages from this dev's actions in that it played a role in sinking their business.


The dev will just pull up the Jira ticket that says "Add malware to app" in court. That's why they were advised not to sue.


Hopefully he made a screenshot.

I've been advising people for a long time now to make screenshots of emails etc. - at least have everything in writing, don't act on phone calls if you feel things are "in a gray zone" (happens often in startups).


It's pretty clear that a dev with a second degree in law still wouldn't have been able to determine whether companies that shared most of the same infrastructure and listed corporate officers were 3rd parties in the context of software, without grilling someone who may or may not be a TrustCor executive, may or may not be the past founder and may or may not be dead, where such a death neither implies nor dismisses the possibility that they are still running the company.


Why didn't they have sufficient code review?


I wondered the same about those "audits". When we had to introduce SOX and had compliance audits, every moving of my small finger needed to be reviewed and documented and have a trail to a senior manager approving the move of my small finger.


She didn't lash out, everyone else did? She made it very clear numerous times that she didn't think the forum appropriate for discussion of speculation.


There were a lot of thinly veiled legal threats.


Where are you seeing her "lash" out? I can't see anything I'd describe that way in the (original) thread...


This response by Rachel McPherson from TrustCor definitely comes across as lashing out:

> Apparently it may also come as a surprise to some readers and the researchers themselves that other root program members are in fact international governments, and some are also defense companies, or companies who are wholly-owned by defense companies and/or state-owned enterprises, meaning "businesses" that are completely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have tragic modern histories of basic human rights violations. We are none of those things and our company does not identify with those values. Given this point above, why of all potential targets are these researchers interested in TrustCor? They could go after countries with human rights violations that have placed a CA in the program.


Seriously!?

I'd argue it could be termed "what-aboutism", but I personally fail to see how that matches my definition of "lashing out"...


> Apparently it may also come as a surprise to some readers and the researchers themselves that...

This part in particular is what I would view as "lashing out"


Yeah, security researchers at Google don't know this!


> I'd argue it could be termed "what-aboutism",

I agree that it's "what-aboutism". In that regard, it does nothing to establish that TrustCor meets the standards for being a CA.

It does raise a good question for parallel discussion, though: Should Mozilla also be scrutinizing a whole bunch of other CAs as well?


Not only "SDK ended up being embedded in their app" but why they had an unobfuscated version when everyone else has only an obfuscated version of that SDK.


On one hand I agree that being defensive is warranted given the accusation, especially considering most of the claims appear to be related to an entirely different product than their CA business. The bit where someone goes to great length to demonstrate how their email isn't e2ee is especially jarring.

That said, it appears Mozilla's decision is founded not on their response in the thread, but on the fact that TrustCor basically is a root CA for the sole reason that they provide a useful service in the exact product being shown as untrustworthy. If the only reason is their email service, and their email service can't hold up to scrutiny (including promising e2ee and not actually providing it, and having poor development security practices) then why do they have root CA power in 99% of client devices? In my opinion, their email service didn't warrant such inclusion to begin with, even if the service was sound, and that's not accounting for their weird corporate ties (which may be legitimate, tbf).


Rachel stated that TrustCor CA has many customers that are not the email service. Because this isn’t a court, discovery won’t tell us if that is, in fact, true or not. But if it is, then it seems completely normal.


Moz's decision isn't based on the customer base, it's based on "what does you being a root CA provide?". Their email service was listed as the primary reason they should be a root CA (regardless of other eventual customers) and if the email service isn't sound then their primary reason is moot.


That’s fair and I do agree with that line of reasoning. You don’t need a CA to run a mail service anymore. Perhaps we should audit all of the CA value statements and weed out dated entities…


Although m.d.s.policy contributors might represent other uses of the Web PKI, the browser vendors (or at least Microsoft, Mozilla and Google) are primarily interested in web browsers, and it's unlikely that "But look at these SQL Servers" for example is a compelling objection to measures whose primary goal is to secure the web.

And in practice, on the web you're baking SCTs into the certificates (technically sophisticated customers might buy certificates with no SCTs because they know what they're doing, but that's a speciality product, lotta people buy gasoline every day, but not too many need barrels of crude oil, if you claim 2 million distinct customers served daily but then say they're all buying crude oil I just don't believe you).

To get working SCTs the (pre-)certificate needs to be logged at one of a few dozen trusted Certificate Transparency logs. Which means there's a public record of every such certificate, who issued it and when it was logged.

While this is indeed not a court and doesn't have "Discovery" the CA agreements do require the CA to provide Mozilla and other vendors with complete records of certificates they're interested in, these days that is often provided in the form of crt.sh links because hey, the (pre-)certificates† were in the logs anyway, but it's compliant to provide the data as ZIP files or whatever -- if there is such data and you have it.

So, no, independent researchers can get a pretty good idea by just inspecting a public log view, and the browsers can insist on getting the exact answer if they want it, unless of course TrustCor doesn't care about being distrusted.

† You aren't required to log the certificate as well as a pre-certificate but in many cases CAs do that too. Modern rules are clear that the existence of the (non-working) pre-certificate is assumed to imply the existence of the corresponding certificate even if you claim the certificate was never actually issued.
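The Certificate Transparency mechanics the comment above relies on (an SCT names the log that accepted the pre-certificate and the time it was accepted, and a pre-certificate is distinguished from a final certificate by its extensions) can be shown concretely. The following is an added example, not code from the thread, from TrustCor or from any browser vendor: it parses the TLS-encoded SignedCertificateTimestampList that RFC 6962 places in the X.509 extension 1.3.6.1.4.1.11129.2.4.2, and classifies a certificate by the RFC 6962 extension OIDs it carries. The log IDs, timestamps and signature bytes in the sample are constructed for illustration and belong to no real log or certificate; no signature is verified (that would require each log's public key and the pre-certificate's TBS data, which are not on this page).

```python
"""Decode an RFC 6962 SignedCertificateTimestampList and classify a
certificate by its CT extensions.  Added example; sample data is constructed."""
import hashlib
import struct
from datetime import datetime, timezone
from typing import Dict, List, Set

# X.509 extension OIDs defined by RFC 6962.
OID_SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"        # embedded SCT list in a certificate
OID_PRECERT_POISON = "1.3.6.1.4.1.11129.2.4.3"  # critical "poison" marking a pre-certificate

# TLS SignatureAndHashAlgorithm code points (RFC 5246) that CT logs use.
HASH_ALGS = {4: "sha256"}
SIG_ALGS = {1: "rsa", 3: "ecdsa"}


def _need(buf: bytes, off: int, n: int) -> None:
    """Raise instead of silently reading past the end of a truncated structure."""
    if off + n > len(buf):
        raise ValueError("truncated SCT data")


def _u16(buf: bytes, off: int) -> int:
    _need(buf, off, 2)
    return struct.unpack_from("!H", buf, off)[0]


def parse_sct(sct: bytes) -> Dict:
    """Decode one SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    _need(sct, 0, 1 + 32 + 8)
    if sct[0] != 0:                                # only v1 (value 0) is defined
        raise ValueError(f"unsupported SCT version {sct[0]}")
    log_id = sct[1:33]                             # SHA-256 of the log's public key
    ts_ms = struct.unpack_from("!Q", sct, 33)[0]   # milliseconds since the Unix epoch
    off = 41
    ext_len = _u16(sct, off); off += 2
    _need(sct, off, ext_len)
    extensions = sct[off:off + ext_len]; off += ext_len
    _need(sct, off, 2)
    hash_alg, sig_alg = sct[off], sct[off + 1]; off += 2
    sig_len = _u16(sct, off); off += 2
    _need(sct, off, sig_len)
    signature = sct[off:off + sig_len]; off += sig_len
    if off != len(sct):
        raise ValueError("trailing bytes after SCT signature")
    return {
        "log_id": log_id.hex(),
        "timestamp_ms": ts_ms,
        "logged_at": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat(),
        "hash_alg": HASH_ALGS.get(hash_alg, f"unknown({hash_alg})"),
        "sig_alg": SIG_ALGS.get(sig_alg, f"unknown({sig_alg})"),
        "extensions": extensions,
        "signature": signature,                    # not verified here
    }


def parse_sct_list(payload: bytes) -> List[Dict]:
    """Decode a SignedCertificateTimestampList (RFC 6962 section 3.3):
    a uint16 total length, then repeated (uint16 length, SCT) entries."""
    total = _u16(payload, 0)
    if total != len(payload) - 2:
        raise ValueError("SCT list length does not match payload")
    off, scts = 2, []
    while off < len(payload):
        n = _u16(payload, off); off += 2
        _need(payload, off, n)
        scts.append(parse_sct(payload[off:off + n])); off += n
    if not scts:
        raise ValueError("empty SCT list")         # the RFC requires at least one SCT
    return scts


def encode_sct(log_id: bytes, ts_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Serialize a v1 SCT with an ecdsa/sha256 signature field (inverse of parse_sct)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes")
    return (b"\x00" + log_id + struct.pack("!Q", ts_ms)
            + struct.pack("!H", len(extensions)) + extensions
            + bytes([4, 3]) + struct.pack("!H", len(signature)) + signature)


def encode_sct_list(scts: List[bytes]) -> bytes:
    inner = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(inner)) + inner


def certificate_kind(extension_oids: Set[str]) -> str:
    """A pre-certificate carries the critical poison extension; the final
    certificate replaces it with the embedded SCT list (or carries no SCTs)."""
    if OID_PRECERT_POISON in extension_oids:
        return "precertificate"
    if OID_SCT_LIST in extension_oids:
        return "certificate with embedded SCTs"
    return "certificate without embedded SCTs"


# Constructed sample: two SCTs from two made-up logs; the signature bytes are dummies.
FAKE_LOG_A = hashlib.sha256(b"constructed log key A").digest()
FAKE_LOG_B = hashlib.sha256(b"constructed log key B").digest()
SAMPLE_SCT_LIST = encode_sct_list([
    encode_sct(FAKE_LOG_A, 1668729600000, b"\x00" * 70),   # 2022-11-18T00:00:00Z
    encode_sct(FAKE_LOG_B, 1668729600500, b"\x00" * 71),   # half a second later
])


def summarize(payload: bytes) -> List[str]:
    """One line per SCT: which log accepted the (pre-)certificate, and when."""
    return [f"{s['logged_at']} log={s['log_id'][:16]}... {s['sig_alg']}/{s['hash_alg']}"
            for s in parse_sct_list(payload)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_SCT_LIST):
        print(line)
```

Each decoded entry pairs a log ID with a timestamp, which is exactly the public "who logged it and when" record the comment refers to; a real SCT list would additionally be checked against the log's key, and the log itself can be queried for the pre-certificate the timestamp vouches for.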


I don't think those other customers share offices or personnel with TrustCor though.


I agree there was a lot of mud slinging in that thread, but this is the key bit from Mozilla's response, supported by statements which Trustcor haven't disagreed with:

> Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

It's not some other company, it's the same owners and operators doing malware under one name and running a CA under another.


The most shocking aspect of this is how it reveals that Mozilla, Microsoft and Google do zero due diligence before adding a new root CA. Relying on independent researchers to find problems.


Is that still the case? Or is it just new root CAs get the appropriate amount of scrutiny, but a lot of existing CAs have been effectively grandfathered in because they were added two decades ago when folks weren't as diligent?

EDIT: elsewhere in the thread someone linked the bugzilla request for TrustCor to be added. I had assumed that was a long time ago, but it's "only" 7 years ago.


The problem isn't a lack of "Response", its a lack of "answers".

When someone asks you what is the shared ownership of these two entities, and you tell a story about your summer in Lancaster working in the mail room of one of the entities, it isn't useful or related to the question.


That’s not what happened, is it? She directly answered and said they were funded at one point historically by the same investment group, but that relationship had since dissolved. For all we know she had been working incredibly hard to keep the business above board despite financial incentives to be corrupt and unethical individuals willing to pursue them. If you ask most founders of companies who’s on their cap table as an outside person you generally won’t get a straight answer, especially not in a public forum. I take issue with the expectation that answers are required in the first place without some substantial reason why they’re relevant.


Do you understand the content in the thread?

It's hard to tell from your repeated assertions that do not match what actually occurred in the thread. It feels like you skimmed, and have some bias attempting to give the benefit of doubt to what you see as the embattled party in some kind of unjust lynching instead of legitimate questions of entire shared corporate officer structures, and clearly shared dev teams [that the representative blatantly attempted to claim was out of line while avoiding the actual part of that evidence that was damning, that the dev somehow had access to the raw source of the library in question, which very strongly indicates that it was their library and not the rogue devs'] of a known malware entity and a ROOT level CA.

If you are just trying to play devil's advocate in what you feel is somehow a mob action instead of what is probably extremely conservative actions by some of the biggest and most legally careful entities on the planet then honestly, I ask why and for what purpose?


I read the whole thing word for word.


"For all we know she had been working incredibly [...]"

We know nothing. The whole exercise of the thread was to know something.



Just more marketing bubble

"Apart from our CA work, we also bought an aging email service with a few customers, and invested substantially in developing it into a flagship email security product line compatible with global email security standards including both S/MIME and GPG. Then, over the last few years we added unique features our customers demanded. Today it stands alone as a valuable email service enjoyed by millions around the world as an alternative to other popular web based secure email providers."

and unsubstantiated ad hominem attacks

"us recently by a biased group of security researchers "

Pushing the irrelevant BETA narrative

"TrustCor has never released a non-beta, public version of any mobile phone software/version and in fact the only mobile-friendly configuration we support is direct-from-browser mobile access that leverages the popular industry-standard framework for delivering near-app-quality mobile experiences using web browsing on mobile devices. You don’t need any downloaded software to use it whatsoever."

(where the still unanswered question is: Where did TrustCor get the source code of the spyware no-one else has?)

"Perhaps they are working with the US defense community, [...]"

Pushing unsubstantiated conspiracy theories that add nothing to the case

and on and on and on the same as before nothing new in that email.


I had only read up to Joel's self-correction (last message of Nov 18, 2022) and my impression was that the TrustCor rep was being evasive and kept changing her story. For example, the CA doesn't operate out of Arizona, that's just where they keep a bit of equipment -- except then it does. And not being able or willing to answer some very simple questions.

That's on top of the technical and legal evidence of the companies basically being the same company.

The wall-of-text could be a result of unfair accusation, sure. No doubt she's under a lot of stress either way! And I did think that some of the accusations in the thread were a bit harsh, sarcastic, or otherwise inappropriate. But the facts stand.


A pinned comment defending the CA with shady government ties. Hmm. Anyway, why don't you do us all a favour and quote some of those answers which you think perfectly clarify things, instead of just telling people they are reading it wrong.


The part that really drives me up the wall is that the same groups of people that drive these sorts of situations will turn right back around and complain that entities knee-jerk react with a salvo of smear campaigns, corporate BS and other dirty tricks in the face of even the most mild and genuine criticism as if they themselves are not the driving factor behind creating a situation in which that is not the "safe" response.

See also: Ford Pinto


That's a very weird take - the non-answers provided were as slimy as possible, hiding behind word soup and weird legal claims. I don't see anyone innocent arguing in that way.

Instead of "trying to set guidelines" you can try to honestly answer the questions.



