
Mysterious Company With Government Ties Plays Key Internet Role (washingtonpost.com) 67

whoever57 writes: Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto? You probably already do. Washington Post reports: An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews. Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly.

The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade. One of those TrustCor partners has the same name as a holding company managed by Raymond Saulino, who was quoted in a 2010 Wired article as a spokesman for Packet Forensics. Saulino also surfaced in 2021 as a contact for another company, Global Resource Systems, that caused speculation in the tech world when it briefly activated and ran more than 100 million previously dormant IP addresses assigned decades earlier to the Pentagon. The Pentagon reclaimed the digital territory months later, and it remains unclear what the brief transfer was about, but researchers said the activation of those IP addresses could have given the military access to a huge amount of internet traffic without revealing that the government was receiving it.
whoever57 has also shared an unpaywalled link to the story.
  • by Anonymous Coward

    Would you trust your communications to a company that has links to a spyware company and claims that its address is a UPS store in Toronto?

    Sure, why not? Everything else on the Internet is spied on like crazy, so what's another pair of prying eyes?

  • MITM (Score:5, Interesting)

    by RemindMeLater ( 7146661 ) on Thursday November 10, 2022 @12:03PM (#63041163)
    Any bets that this is the government go-to company when they need a bogus cert to run MITM attacks?
    • A pretty safe bet. Looks like a new Crypto AG that you're a customer of even if you never bought from them...

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Any bets that this is the government go-to company when they need a bogus cert to run MITM attacks?

      Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.

      Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you w

      • by Anonymous Coward

        You're talking about the government using standover tactics to get issued a single certificate so that they can fake a particular domain name. OP is talking about spyware tools having Fiddler-like functionality and being able to silently MiTM every single "secure" web site those devices visit. There's a magnitude of difference between the two.

        Apple, Google, Microsoft and Mozilla happily removed StartSSL from their Trusted Root certificate stores a few years ago based on nothing more than rumors of Chinese

        • Re: (Score:3, Interesting)

          by Shaitan ( 22585 )

          "If they have *not* removed TrustCor from their Trusted Root certificate stores by the end of the week you should be extremely concerned about what's going on."

          Yes you should but even if they do you should remember the agencies would never build one when they can have two for just twice the price.

      • by Agripa ( 139780 )

        Any bets the government can walk into any American office of any cert provider and demand the same? That's today's government you're talking about. They could make it to an early dinner with a 12-pound FISA warrant wrapped in an NDA bow with all the fixin's if they got the invite after lunch. Hardly need your knowledge or justification, since the Constitution has become more of a guideline at best.

        Now the real question for TrustCor is, where is the canary clause in the contract/EULA that stipulates you will inform your other customers if such a request happens? If you want to flush out the stooge, perhaps see where the canary isn't singing so loudly.

        It is a little more involved. It would require a writ from the court ordering the company to do something, and there is a legal question about whether that is enough.

        And then if that worked, the false certificate, once used publicly, destroys the credibility of the certificate authority.

  • Got my refreshments. Now to sit back & watch the conspiracy theorists roam freely in their natural environment. It's like a beautiful nature documentary!
    • Re: (Score:3, Insightful)

      What I think is more entertaining is those noobs to internet security who haven't seen this slow creep of surveillance and manipulation as it evolved treat it all as a conspiracy theory because they think they know better than those that did.

      Pay attention and maybe in 20 years or so you may have a clue, though with the way things are going, I reckon you're going to have fuck all chance of finding out anything in the public interest on governmental and corporate corruption by then.

  • by Bruce66423 ( 1678196 ) on Thursday November 10, 2022 @12:27PM (#63041217)

    The only surprise, surely, is that it's been spotted. It's exactly what one would expect given the tasks which the NSA has been given. Now if this has come as news to the NSA, THEN we have a problem!

    • "Is anyone surprised"...Literally the go-to comment you see on every thread from slashdotters who lack the ability to give a properly informed response.
      • Ability? Nah - just the enthusiasm to spell out the many examples that are public knowledge about what the three letter agencies get up to and are never held to account for.

  • by OnlyInAZ ( 7976792 ) on Thursday November 10, 2022 @12:46PM (#63041279)

    I am not a security expert, but I believe that the following procedure will disable these certificates while allowing you to change your mind and re-instate them later:

    1) Open Firefox's menu and select: Settings
    2) In the Security section, click on the View Certificates button
    3) Find the certificates for TrustCor Systems S. de R.L.
    4) For all certificates listed under TrustCor, select a certificate, click on the Edit Trust button, deselect all check boxes, and click on the OK button

  • The entire world has been scammed into blindly trusting 3rd party certificate authorities - all of the major tech companies and the browsers they make are complicit. If you think you can trust ANY 3rd party with your encryption keys, you are very naive.

    • by XanC ( 644172 )

      CAs never get your encryption keys.

  • by PCM2 ( 4486 )

    On macOS, the TrustCor root certificates can be found in the Keychain Access app.

    • by olydav ( 999545 )
      Since these are 'System Roots' certificates, it is difficult to remove them from the keychain in newer versions of MacOS. You can, however, disable them with a few mouse clicks. Tested on MacOS Ventura 13.0.1. http://www.herongyang.com/PKI/... [herongyang.com] Disclaimer: I am unaffiliated with this site and can't vouch for the author. It was the most concise and offered the greatest detail on macOS PKI that I could find quickly. Most importantly, it helped me to disable TrustCor certs, which was my goal.
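The two posts above locate TrustCor's roots by clicking through Firefox's certificate manager and macOS Keychain Access. As an added example (not code from Slashdot or any commenter), this stdlib-only Python script performs the same audit against a PEM CA bundle, such as /etc/ssl/certs/ca-certificates.crt on Debian-style systems (that path is an assumption; it varies by OS), listing every root whose Subject organizationName matches a string so you can see exactly what you are about to distrust. The sample bundle is constructed inside the script and contains no real certificates.

```python
import base64
import re

ORG_NAME_OID = b"\x55\x04\x0a"  # id-at-organizationName (OID 2.5.4.10)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    # Read one DER tag/length/value at pos; return (tag, value, next_pos).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):
    # Split a constructed DER value into its (tag, value) children.
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def subject_org(der):
    # organizationName from the certificate's Subject, or None if absent.
    tbs = _children(_children(_children(der)[0][1])[0][1])  # TBSCertificate fields
    idx = 5 if tbs[0][0] == 0xA0 else 4  # skip the optional [0] version field
    for _, rdn in _children(tbs[idx][1]):  # Name = SEQUENCE OF RDN
        for _, attr in _children(rdn):  # RDN = SET OF AttributeTypeAndValue
            oid, val = _children(attr)
            if oid[1] == ORG_NAME_OID:
                return val[1].decode("utf-8", "replace")
    return None

def find_roots(bundle_pem, needle):
    # Subject organizations in a PEM bundle containing needle (case-insensitive).
    orgs = (subject_org(base64.b64decode(b)) for b in PEM_RE.findall(bundle_pem))
    return [o for o in orgs if o and needle.lower() in o.lower()]

def _der(tag, payload):  # constructed-sample helper: short-form DER length only (< 128 bytes)
    return bytes([tag, len(payload)]) + payload

def _fake_cert(org):
    # Minimal unsigned X.509 skeleton for demonstration only; NOT a real certificate.
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, ORG_NAME_OID) + _der(0x0C, org.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name + _der(0x30, b"") + name)  # version, serial, sigAlg, issuer, validity, subject
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = _fake_cert("Example Root CA Ltd") + _fake_cert("TrustCor Systems S. de R.L.")  # constructed
```

To scan a real bundle, call find_roots(open(path).read(), "trustcor"); the DER walking here is deliberately minimal (names only, no signature or extension parsing), enough to read the Subject of well-formed roots.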
  • That's not all (Score:5, Informative)

    by sentiblue ( 3535839 ) on Thursday November 10, 2022 @02:07PM (#63041491)
    If you open up any browser's list of trusted CAs, you will find about a dozen Chinese-based entities already trusted. I was skeptical about this so I removed them, but the browser puts them back. I sent my concerned question to the browser makers and all of them went unanswered. I guess them Chinese can read this message that I'm typing, even before I hit submit.
    • Re:That's not all (Score:4, Informative)

      by AmiMoJo ( 196126 ) on Friday November 11, 2022 @06:42AM (#63043005) Homepage Journal

      I think maybe you don't quite understand what these certificates are for.

      When your browser connects to a website, it contacts a server by IP address. That server needs to provide a certificate for the domain of the site, which has a chain of trust going back to one of these trusted Certificate Authorities. Otherwise the browser will show a warning that the server might not be the real slashdot.org.

      So what is the threat model for a Chinese CA? They could in theory issue a certificate for slashdot.org to the Chinese government, or to some criminals. Hopefully any important website you use has implemented HPKP, which basically pins a certificate for that site for a certain period of time, so even if they did create a fake one the browser would ignore it.

      They would then need to get you to connect to their bogus server somehow. They could try to replace the real server's address in your DNS server, but hopefully you are using a secure DNS server which makes that difficult. They could also screw with internet routing to send requests to Slashdot's IP address to them instead, but doing that in a way that isn't easily detected is difficult too.

      If they were discovered doing any of that, they would quickly be distrusted by Mozilla and others who manage CAs, so their business would be destroyed. It has already happened to one CA, DigiNotar, based in the Netherlands.

      So overall the risk of having Chinese CAs, or for that matter Dutch CAs in your list, is fairly low. There are so many hurdles to clear, and a great incentive to have decent security.

    • I block most international traffic on my firewall. Pretty hard to get Chinese certs without talking to China.
      • That's not a bad idea! Since I have no business/personal needs to visit any destinations in that country, I can just configure my outbound blocked for all their subnets. Thanks!
  • Does anyone have any examples signed by this root CA?
