29 Dec 2022
Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space. Received monthly by more than 50,000 subscribers. Written by Ivan Ristić.
We previously wrote that concerns were raised on Mozilla’s dev-security-policy mailing list about the trustworthiness of TrustCor CA. Joel Reardon, a professor at the University of Calgary with interest in privacy in the mobile space, reported on the possible connections and shared ownership between TrustCor CA and a company called Measurement Systems. This is relevant because the latter had been linked to a US defense contractor and implicated in collecting private information from mobile application users.
People familiar with the PKI space and operation of trust stores could tell how this conversation was going to end as soon as TrustCor’s first email arrived in their mailboxes. That first response and the follow-up emails all followed the same pattern: too much text, a lot of rambling, and not enough factual information. Contrast that style of communication with Mozilla’s concise request for information.
In the span of less than a month, TrustCor ended up being distrusted by Microsoft, Mozilla, and then Google. What’s interesting in this case is that the removal happened not because of the information that was initially uncovered. There was no smoking gun, and TrustCor CA was not found to have breached its technical obligations. However, the unsatisfactory responses eroded the user agents’ trust. The initial doubt and circumstantial evidence, combined with TrustCor’s small actual footprint in the public certificate space, led to its demise.
The world is most definitely better off with TrustCor removed from the root stores. After all, any trusted CA can issue certificates for any domain name, so we ought to be super extra cautious about who is being allowed in.
That said, this incident is a reminder that CAs are allowed in root stores at the user agents’ absolute discretion. A CA is not able to continue to do business if any one of the major vendors (Apple, Google, Microsoft, or Mozilla) decides not to trust it. Some vendors are better than others at establishing the rules. Microsoft apparently distrusted TrustCor without notifying the company. But even if we take Mozilla as the leader in transparency and process, its response essentially boils down to “we don’t trust you.”
Trust is no doubt difficult to quantify, but not being able to answer the question “What rule has been broken?” is most definitely going to annoy EU officials, who are famously laser-focused on establishing rules for everything. As you may remember from last month’s newsletter, the EU plans to establish stronger controls over digital trust in its territories, and browser vendors are not happy about that.
This subscription is just for the newsletter; we won't send you anything else.
Here are some things that caught our attention since the previous newsletter:
Designed by Ivan Ristić, the author of SSL Labs, Bulletproof TLS and PKI, and Hardenize, our course covers everything you need to know to deploy secure servers and encrypted web applications.
Remote and trainer-led, with small classes and a choice of timezones.
Join over 1,500 students who have benefited from more than a decade of deep TLS and PKI expertise.