arborelia @arborelia, 1/19/2023, 1:04 AM

---------------------------------------------------------------------

How to destroy a certificate authority in one month

Once every year or two, it becomes apparent that a Certificate Authority -- a company with the power to say that a website is who it says it is and that you should be able to make https connections to it without scary warnings -- might be up to something shady and maybe doesn't deserve to be one of the ultimate sources of trust.

There's a public mailing list, [email protected], where the major browser developers decide whether they should keep trusting a CA. And sometimes it's fun to watch the results. Sometimes the CA in question takes a hostile stance of "whatever nerds, what are you gonna do, shut us down?" and then the nerds shut them down. Turns out it's hard to sell certificates that web browsers don't trust.

I had my attention drawn to the TrustCor saga because GitHub Dependabot won't shut up about it. Every time I push anything that might involve a certificate, it tells me about the grave danger I might be in if I trust TrustCor, and gives me a helpful link to the shit that went down.

The beginning of the story seems to be that a journalist was investigating spyware in mobile apps, and finding the companies that seemed to be ultimately responsible for creating them. There was evidence that one such company was TrustCor, one of the certificate authorities that used to be trusted by every web browser. In particular, TrustCor had put a mobile app on the Google App Store that contained one such spyware package, Measurement Systems.
It was the only unobfuscated version of the package anyone had ever seen, implying that they didn't just license it from some other company, and it seemed that something in the code phoned home to a server at TrustCor.

So that led to some questions. These questions weren't initially "should TrustCor shut down as a CA", because none of this was strictly about certificates. I'm sure TrustCor's VP of operations had a lot of ways to respond to this, but here are some of the responses she chose:

* Measurement Systems isn't the same company as us
* And anyway that was a single rogue developer
* And anyway that was a beta version of an app that we withdrew
* What did you expect us to do, use an ineffective old analytics package like Firebase, or use the powerful, beautiful, sexy analytics from Measurement Systems? Who are not us by the way
* You're a bunch of ignorant meddlers who don't know anything about the CA business
* You're after us because we make an encrypted e-mail product and you secretly work for the US government and want to shut us down
* Your claims are false and you can't prove anything

If you read enough of the thread, it's clear that not every accusation against TrustCor was true, and it's hard to tell what the truth really was. But also it doesn't matter, because once TrustCor had written the open letter saying

"It is filled with ridiculous, false claims and out-of-context statements twisted to fulfill a baseless prophecy imagined by a group of researchers who are more concerned with enriching themselves and their company than they are with Internet security."

their fate was sealed. The conclusion on the mailing list was roughly: look, we're not here to find you guilty in a court of law, we're here to decide whether we trust you, and after all that we definitely don't. Your certificates get yeeted out of browsers at the end of November, have fun.
And just to make the point, they did what they could to make every other software developer know not to trust TrustCor either. They put "trusting TrustCor" into the big database of software vulnerabilities. Again, that's why I heard about it. Because now pushing code to GitHub that might still accept a TrustCor certificate, if it saw one, is a Moderate Severity Vulnerability.

What's funny to me is that the TrustCor VP seems like she was almost on the right track. If she really wanted to win the moral high ground at all costs, instead of accusing people of secretly working for the government, she could have pointed out that most of the people on that mailing list work either for or with Google. The world's largest ad company. The company that tracks everyone on 90% of web sites via Google Analytics. The company that also distributes spyware, because they don't check what their ad customers are doing very well and let them run random JavaScript on random web pages. The certificate authority whose company is, in absolute terms, up to more shady shit than any other CA.

Saying that would have gotten her company destroyed even faster, but I think she would have been right.

#security

---------------------------------------------------------------------

8 comments

widr (signal eleven) @widr, 1/19/2023, 3:19 AM:
lol yes! i posted about this when it was still new and i gotta say just reading through the email thread on its own is one for the books

widr (signal eleven) @widr, 1/19/2023, 3:27 AM:
catching up since then, lmao

"There are also still numerous questions and concerns about the certification/ability of your auditor, especially in light of them being removed from a list of auditors."

...and rachel trustcor's parting shot complete with a "yeah multiple root authorities are state actors, but we're not gonna tell you who, do your own research"

lmichet (Laura) @lmichet, 1/19/2023, 5:28 AM:
This is fascinating shit, thank you for sharing it!!

tati (slightly festive tati) @tati, 1/19/2023, 5:44 AM:
can't believe this was compelling enough to read... love the subdued contempt, it's a real mood

"Another factor I'll offer is that even if a company (unlike us) is really owned by a defense contractor or government, it doesn't mean they're bad or that they'd misbehave."

very non-suspicious thing to say lol

nex3 (Natalie) @nex3, 1/19/2023, 10:26 AM:
what blew me away is that the entire reason anyone was talking about government ownership in the first place was because she brought it up as an example of bad actors who were more important to target than TrustCor!

"Why are you picking on us when there are those big mean government CAs?"
"Which government CAs?"
"How dare you ask that! There's nothing wrong with government CAs!"

tati (slightly festive tati) @tati, 1/19/2023, 4:22 PM:
Accusing others of what you've done is a common way to shift attention elsewhere lol. "Who the fuck just farted?! Come clean!!" Said the person who just farted.

keiya (Keiya the Cyber-Kitty) @keiya, 1/19/2023, 11:24 AM:
"huh, these people think we're acting kinda shady. let's act like slimy weasels except actually weasels are kinda cute and we're not" is sure... a way to react.

ireneista (Irenes (many)) @ireneista, 1/19/2023, 10:18 PM:
solid conclusion. we agree fully.