Thank you, Joel and Serge, for bringing this to the attention of Mozilla and the wider community.
We understand from your post that:

- Measurement Systems distributed an SDK containing spyware to Android users (also reported <https://www.wsj.com/articles/apps-with-hidden-data-harvesting-software-are-banned-by-google-11649261181?mod=djemalertNEWS> by the Wall Street Journal in April 2022).
- There is substantial evidence that Measurement Systems and TrustCor are closely related:
  - Both had their domains registered by Vostrom Holdings (as illustrated in this post <https://blog.appcensus.io/2022/04/06/the-curious-case-of-coulus-coelib/> by AppCensus on the basis of whois lookups).
  - They have identical corporate officers: Measurement Systems <https://opencorporates.com/companies/pa/2337L>, Trustcor Systems <https://opencorporates.com/companies/pa/2326L>
  - TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK. (Beta APK, inspected by Joel and signed by Google) <https://apkpure.com/msgsafe-io-unreleased/io.msgsafe.android>
  - The MsgSafe product relies in part on SMIME certificates issued by TrustCor (MsgSafe Website <https://www.msgsafe.io/mobileapp>)
- You found no evidence of the CA mis-issuing certificates.

We find this information to be very concerning and in line with our Root Store Policy (Section 7.3 Removals <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#73-removals>), we intend to carry out the following actions:

1) Request that a representative of the TrustCor CA, who we have also contacted over email, respond here in this discussion thread with the following information as soon as possible, and no later than November 22, 2022.

- Response to the concerns raised in Joel’s post, including
  - How was an unobfuscated version of the Measurement Systems SDK incorporated into MsgSafe?
  - Explanation of the ownership, governance, and relationship between TrustCor, Measurement Systems and Packet Forensics International, especially focusing on how the documented actions by other Vostrom Holdings organizations such as Measurement Systems impact TrustCor and its operations.
    - To what extent does TrustCor today maintain a business relationship or share ownership/corporate officers with Measurement Systems or Packet Forensics?
    - If TrustCor today does not maintain a business relationship or share ownership/corporate officers, has it done so in the past? If so, when? When was the relationship dissolved?
    - What in general explains the shared corporate officers across the companies?
    - Do you have separate corporate registration documentation demonstrating that the TrustCor CA is a different organization than the Trustcor entity that shares corporate officers with Measurement Systems? If so, please provide it.
  - State the number of SMIME certificates whose private keys were stored in versions of the MsgSafe app which included the identified malware. State TrustCor CA’s plan for those certificates; e.g. timeline for revoking them.
- Self-assessment of risk versus benefit of the TrustCor CA’s root certificates being included in Mozilla’s root store with the websites (TLS) and email (S/MIME) trust bits enabled. Please see https://wiki.mozilla.org/CA/Quantifying_Value for the information to be provided.
- Statement of Auditor’s Qualifications, as explained here: https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications

2) Depending on our own further investigations, relevant external developments, and on TrustCor’s response, we intend to enact the following options.

1. If our concerns have not been resolved by November 22 and further investigation and discussion is still needed, then set “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 29, 2022, for the 3 TrustCor root certificates (TrustCor RootCert CA-1, TrustCor ECA-1, TrustCor RootCert CA-2) that are currently included in Mozilla’s root store. This means that for certificates chaining up to those root certificates, Mozilla will not trust end-entity certificates that have a Valid-From date later than the distrust-after date. Certificates with a Valid-From date earlier than the distrust-after date will continue to be trusted until a decision is made about TrustCor’s risk to the CA ecosystem, including via their response to this message.
2. If the TrustCor CA representatives are able to provide satisfactory evidence demonstrating that the accusations are without merit and no evidence emerges that the CA has mis-used certificates, then remove the distrust-after values (if they have been set), and allow TrustCor CA to continue to be a fully-operational CA in Mozilla’s root store.
3. If the concerns are founded, but there is no reason to believe that the CA has mis-used certificates, keep the distrust-after values set until all of the existing end-entity root certificates have expired, then remove the root certificates from Mozilla’s root store.
4. If there is reason to believe that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity certificates to expire.

Mozilla retains the right to take any necessary steps we deem appropriate to protect the security and privacy of our users, including disabling (partially or fully) or removing a certificate and certificate authority from our Root Store program.
Whilst we appreciate TrustCor’s rapid response to the Washington Post article, these concerns need to be thoroughly addressed in order to maintain trust in the CA ecosystem.

If anyone has additional information about the TrustCor CA and these concerns, your input to this thread will be greatly appreciated. You can also write to Mozilla privately at [email protected].

Thanks,
Kathleen
