== Questionable TLS Certificate Authorities and Certificate Transparency

One piece of web security news of the time interval is that TrustCor Systems is, to quote [[the grugq's newsletter https://grugq.substack.com/p/november-9-2022]], "a root certificate authority with intelligence community ties that's registered in Panama and operates out of a UPS Store PO box in Toronto" ([[also https://mamot.fr/@jvagle/109308503963923021]], [[also https://twitter.com/josephmenn/status/1590149524806598656]], [[also https://www.techtarget.com/searchsecurity/news/252527174/TrustCor-under-fire-over-certificate-authority-concerns]]). [[Concern over TrustCor is apparently not entirely new https://mastodon.social/@kurtseifried/109317104247793582]], but for whatever reason it didn't bubble back up in the modern era of browsers being more strict on CAs until now.

The good news is that modern web TLS uses [[Certificate Transparency https://certificate.transparency.dev/]], which pretty much requires all TLS certificates used on the web to be logged in public to CT logs, where people can find them; [[this has been a significant improvement to the ecology ../tech/TLSCertTransAboutEcology]]. Based on this we can be fairly confident that TrustCor didn't (recently) issue any TLS certificates that would be generally damaging.

The bad news is that this is only a partial protection against TLS certificate misuse and targeted attacks. As of now (early November 2022), [[Firefox doesn't require CT signatures on website TLS certificates https://bugzilla.mozilla.org/show_bug.cgi?id=1281469]], which means that an un-logged TrustCor TLS certificate could be used in a targeted attack against Firefox users (including possibly people using the Tor Browser, which is based on Firefox).

To go further afield, not all public TLS use is by web browsers. For non-browser use, TrustCor could issue un-logged TLS certificates that would be accepted by TLS-using programs, such as malware that wants to contact a command and control server using a relatively innocent-looking TLS certificate. Malware could always use its own hard-coded custom CA to sign its C2 TLS certificates, but then monitoring middleware might detect and alert on seeing such TLS certificates. Of course middleware could also alert on TLS certificates without [[CT log SCTs ../tech/TLSCertTransLogsClientView]], but that's a more modern feature that you could hope monitoring middleware isn't quite up to date on.

Should you race to pull TrustCor from system root certificate stores (in browsers and elsewhere)? I don't know. For most people, it's probably not a high risk.

PS: I believe that the live TrustCor root certificates are [[here https://crt.sh/?caid=5717]], [[here https://crt.sh/?caid=7900]], and [[here https://crt.sh/?caid=12196]], although I could have missed some in [[my crt.sh search and winnowing https://crt.sh/?CAName=%25TrustCor%25]]. They have a lot of intermediate certificates.
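
A minimal form of the middleware check mentioned above, flagging a certificate that has no embedded SCT list (an added example in Go, not from the original post; {{{HasEmbeddedSCTs}}} and {{{sampleCert}}} are hypothetical names and the test certificate is constructed). SCTs can also be delivered in a TLS extension or a stapled OCSP response, so a missing embedded list is a reason to look closer, not proof that the certificate was never logged.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the embedded SCT list certificate extension (RFC 6962, section 3.3).
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}

// HasEmbeddedSCTs reports whether a DER certificate has an SCT list extension (presence only, no SCT verification).
func HasEmbeddedSCTs(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSCTList) {
			return true, nil
		}
	}
	return false, nil
}

// sampleCert builds a constructed self-signed test certificate; withSCT adds a placeholder empty SCT list.
func sampleCert(withSCT bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if withSCT {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: []byte{4, 2, 0, 0}}}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	der, _ := sampleCert(false)
	fmt.Println(HasEmbeddedSCTs(der))
}
```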