Mozilla and Microsoft distrust TrustCor root certificates in their browsers
Mozilla and Microsoft have taken action against three root certificates by TrustCor. These root certificates are now distrusted by the browsers.
Mozilla set the distrust date to November 30, 2022, while Microsoft sets the date to November 1, 2022. Other browser makers, including Google and Apple may follow.
Concerns about TrustCor were raised on Mozilla's Dev Security discussion forum in early November by Joel Reardon, a professor at the University of Calgary, and others.
The main claim leveled against TrustCor was that it appeared to be tied to Measurement Systems, which "distributed an SDK containing spyware to Android" users. The following evidence was presented:
- Measurement Systems and TrustCor had their domains registered by Vostrom Holdings.
- The two entities have identical corporate officers.
- TrustCor operates the email encryption product MsgSafe. One beta version of MsgSafe contained the "only known unobfuscated version of the spyware SDK" by Measurement Systems.
New information came to light during the course of the discussion on the security group. A representative of TrustCor provided information.
In the end, it was clear that there were ties between Measurement Systems and TrustCor, at least until 2021, and that one developer hired by TrustCor had access to an unobfuscated version of the source code of the Measurement System malware SDK. However, there no evidence of the mis-issuing of certificates was presented.
Mozilla decided to distrust TrustCor certificates from November 30, 2022 that are included in the Mozilla root store. The certificates will be removed from the root store when they expire. The certificates may be removed at an earlier point if "evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings".
Microsoft did not provide a statement to the discussion group, but it set the distrust date to November 1, 2022.
You find the full discussion, evidence and commentary by the TrustCor representative here.
Firefox users may delete TrustCor certificates immediately in the browser.
Note: removing certificates may prevent access to certain sites on the Internet. You may use the "export" feature to save them to the local system, so that you get an option to restore them using the import option.
Here is how that is done:
- Load about:preferences#privacy in the web browser's address bar.
- Scroll down to the Certificates section.
- Activate the "view certificates" button.
- Scroll down to TrustCor. The list is sorted alphabetically.
- Select each of the TrustCor certificates, then Delete or Distrust, and confirm; this removes the certificates from the browser.