Questionable TLS Certificate Authorities and Certificate Transparency

November 12, 2022

One piece of web security news of the time interval is that TrustCor Systems is, to quote the grugq's newsletter, "a root certificate authority with intelligence community ties that's registered in Panama and operates out of a UPS Store PO box in Toronto" (also, also, also). Concern over TrustCor is apparently not entirely new, but for whatever reason it didn't bubble back up in the modern era of browsers being more strict on CAs until now.

The good news is that the modern web TLS ecosystem uses Certificate Transparency, which pretty much requires all TLS certificates used on the web to be publicly logged in CT logs, where people can find them; this has been a significant improvement to the ecology. Based on this we can be fairly confident that TrustCor didn't (recently) issue any TLS certificates that would be generally damaging. The bad news is that this is only a partial protection against TLS certificate misuse and targeted attacks. As of now (early November 2022), Firefox doesn't require CT log signatures (SCTs) on website TLS certificates, which means that an un-logged TrustCor TLS certificate could be used in a targeted attack against Firefox users (including possibly people using the Tor Browser, which is based on Firefox).

To go further afield, not all public TLS use is by web browsers. For non-browser use, TrustCor could issue un-logged TLS certificates that would be accepted by TLS-using programs, such as malware that wants to contact a command and control server using a relatively innocent-looking TLS certificate. Malware could always use its own hard-coded custom CA to sign its C2 TLS certificates, but then monitoring middleware might detect and alert on seeing such TLS certificates. Of course, middleware could also alert on TLS certificates without CT log SCTs, but that's a more modern feature that you could hope monitoring middleware isn't quite up to date on.
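The two checks this and the previous paragraph describe (is the leaf CT-logged, and does the chain run back to a CA you have decided not to trust) are what a passive TLS monitor would actually implement. Here is an added example of them in Go, using only the standard library; it is not code from this post or from any CA or monitoring product. It builds a constructed root CA and two leaf certificates signed by it, then inspects each chain for the embedded-SCT extension (RFC 6962, OID 1.3.6.1.4.1.11129.2.4.2) and for CA fingerprints on a local denylist. The CA name, the denylist label and the placeholder SCT bytes are all made up, and the SCT check is presence-only: it does not verify SCT signatures against real log keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// oidSCTList is the X.509 extension OID for embedded Signed Certificate Timestamps
// (RFC 6962, section 3.3). A CT-logged certificate carries it; an un-logged one does not.
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// Fingerprint returns the lowercase hex SHA-256 of a certificate's DER bytes,
// the usual way root stores and local denylists identify a CA.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// HasEmbeddedSCTs reports whether the leaf carries the SCT list extension. Presence only:
// a full monitor would also verify each SCT against the keys of the logs it trusts.
func HasEmbeddedSCTs(leaf *x509.Certificate) bool {
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true
		}
	}
	return false
}

// InspectChain returns the alerts a passive TLS monitor would raise for a presented
// chain (leaf first). distrusted maps CA fingerprints to a label; it is a local policy list.
func InspectChain(chain []*x509.Certificate, distrusted map[string]string) []string {
	var alerts []string
	if len(chain) == 0 || !HasEmbeddedSCTs(chain[0]) {
		alerts = append(alerts, "leaf missing or has no embedded SCTs (not CT logged)")
	}
	for _, c := range chain {
		if label, ok := distrusted[Fingerprint(c)]; ok {
			alerts = append(alerts, fmt.Sprintf("chain contains distrusted CA %q (%s)", c.Subject.CommonName, label))
		}
	}
	return alerts
}

// makeCert signs tmpl under parent with key and parses the result back, so Extensions
// are populated as a TLS peer would see them. Fixture helper: it panics on error.
func makeCert(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildFixtures creates a constructed root CA and two leaves it signs, one without an SCT
// extension and one with a placeholder SCT list. All names are made up; one key is reused.
func BuildFixtures() (root, leafNoSCT, leafSCT *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true,
	}
	root = makeCert(rootTmpl, rootTmpl, key)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafNoSCT = makeCert(leaf, root, key)
	// Constructed placeholder: an OCTET STRING holding an empty SCT list, not a real SCT.
	leaf.SerialNumber = big.NewInt(3)
	leaf.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	return root, leafNoSCT, makeCert(leaf, root, key)
}

func main() {
	root, leafNoSCT, leafSCT := BuildFixtures()
	distrusted := map[string]string{Fingerprint(root): "locally distrusted root"} // constructed policy
	fmt.Println("un-logged leaf:", InspectChain([]*x509.Certificate{leafNoSCT, root}, distrusted))
	fmt.Println("logged leaf:", InspectChain([]*x509.Certificate{leafSCT, root}, distrusted))
}
```

Run as written, the un-logged leaf produces two alerts (no SCTs, distrusted root) and the logged leaf one (distrusted root only). Keying the denylist on the SHA-256 fingerprint of the CA certificate rather than on its subject name matters here: a CA with many intermediates, as the post notes TrustCor has, is pinned down by the exact certificates you have decided to distrust, and a name match alone would be easy to confuse with a legitimately similar subject.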

Should you race to pull TrustCor from system root certificate stores (in browsers and elsewhere)? I don't know. For most people, it's probably not a high risk.

PS: I believe that the live TrustCor root certificates are here, here, and here, although I could have missed some in my search and winnowing. They have a lot of intermediate certificates.

Written on 12 November 2022.
Last modified: Sat Nov 12 22:36:38 2022