Why it matters: The chain of trust ensured by Certificate Authorities (CA) keeps the web safe and internet companies happy. However, when the chain breaks, a CA can suddenly become an unwelcome guest within the most popular web browsers.
Mozilla, Microsoft, and likely other browser makers have started to take action against TrustCor, a Certificate Authority (CA) issuing root certificates for billions of internet-connected devices. According to recent investigations and the company's own words, TrustCor is working — or has worked — with another entity doing business in the spyware space.
The potentially shady nature of TrustCor's business emerged in a discussion on a Mozilla mailing list, where Joel Reardon, a professor at the University of Calgary, shared his findings about a spyware SDK hidden within some Android apps. These apps were downloaded more than 46 million times and included a speed camera radar, a Muslim prayer app, a QR scanner, and more.
In early November, Reardon revealed that Panama-based Measurement Systems was the company that created the spyware SDK. Later investigations unveiled ties between Measurement Systems and a defense contractor doing some cyber-warfare work for the US government. On top of that, Measurement Systems seemed related to TrustCor, with both companies registered in Panama and sharing the same corporate officers.
Furthermore, TrustCor operates an email encryption service named MsgSafe. A beta version of MsgSafe contained the only known unobfuscated version of the Android spyware made by Measurement Systems. A TrustCor representative joined the Mozilla discussion, providing further information but no clear answers to the company's involvement with the spyware business.
In the end, a few key poin ..
Support the originator by clicking the read the rest link below.