Note: unfortunately, Hacker News found this post. I think I got them to go away. But if you're coming from there, please read about the parable of the Nazi bar [https://en.wiktionary.org/wiki/Nazi_bar#English] and take a hard look at the company you keep, or just fuck off. Thanks.
we now return to your regularly scheduled snark about certificates.
Once every year or two, it becomes apparent that a Certificate Authority -- a company whose signature tells your browser that a website is who it says it is, so you get an https connection with no scary warnings -- might be up to something shady and maybe doesn't deserve to be one of the ultimate sources of trust.
There's a public mailing list, dev-security-policy@mozilla.org, where Mozilla's root program, with the other major browser vendors weighing in, decides whether it should keep trusting a CA. And sometimes it's fun to watch the results. Sometimes the CA in question takes a hostile stance of "whatever nerds, what are you gonna do, shut us down?" and then the nerds shut them down. Turns out it's hard to sell certificates that web browsers don't trust.
I had my attention drawn to the TrustCor saga because GitHub Dependabot won't shut up about it. Every time I push anything that might involve a certificate, it tells me about the grave danger I might be in if I trust TrustCor, and gives me a helpful link to the shit that went down [https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4].
The beginning of the story seems to be that a journalist was investigating spyware in mobile apps, and finding the companies that seemed to be ultimately responsible for creating them. There was evidence [https://www.techtarget.com/searchsecurity/news/252527174/TrustCor-under-fire-over-certificate-authority-concerns] that one such company was TrustCor, one of the certificate authorities that used to be trusted by every web browser.
In particular, TrustCor had put a mobile app on the Google Play Store that contained one such spyware package, the Measurement Systems SDK. It was the only unobfuscated version of the package anyone had ever seen, implying that they didn't just license it from some other company, and it seemed that something in the code phoned home to a server at TrustCor.
So that led to some questions. These questions weren't initially "should TrustCor shut down as a CA", because none of this was strictly about certificates.
I'm sure TrustCor's VP of operations had a lot of ways to respond to this, but here are some of the responses she chose:
* Measurement Systems isn't the same company as us
* And anyway that was a single rogue developer
* And anyway that was a beta version of an app that we withdrew
* What did you expect us to do, use an ineffective old analytics package like Firebase, or use the powerful, beautiful, sexy analytics from Measurement Systems? Who are not us by the way
* You're a bunch of ignorant meddlers who don't know anything about the CA business
* You're after us because we make an encrypted e-mail product and you secretly work for the US government and want to shut us down
* Your claims are false and you can't prove anything
If you read enough of the thread, it's clear that not every accusation against TrustCor was true, and it's hard to tell what the truth really was. But also it doesn't matter, because once TrustCor had written the open letter [https://trustcor.com/static/falseclaimsandmedia.txt] saying
> It is filled with ridiculous, false claims and out-of-context statements twisted to fulfill a baseless prophecy imagined by a group of researchers who are more concerned with enriching themselves and their company than they are with Internet security.
their fate was sealed.
The conclusion on the mailing list was roughly: look, we're not here to find you guilty in a court of law, we're here to decide whether we trust you, and after all that we definitely don't. Anything you issue after the end of November 2022 gets yeeted out of browsers, have fun.
And just to make the point, they did what they could to make every other software developer know not to trust TrustCor either. They filed "trusting TrustCor" in GitHub's big database of software vulnerabilities, as an advisory against CA bundles that still shipped the TrustCor roots (the Python certifi package, for one). Again, that's why I heard about it. Because now pushing code to GitHub that might still accept a TrustCor certificate, if it saw one, is a Moderate Severity Vulnerability.
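If you ship your own CA bundle rather than a package that gets patched for you, the practical follow-up is to check whether the distrusted roots are still in it and take them out. Here is an added example of doing that (not code from the original post or from any of the projects mentioned): a standard-library-only scanner that walks just enough DER to reach each certificate's subject organizationName, reports matches, and writes a bundle with them removed. The sample bundle is constructed in the block from synthetic, unsigned certificates, and the TrustCor organization string is an assumption you should confirm against your own bundle with `openssl x509 -noout -subject`.

```python
"""Added example: scan a PEM CA bundle for roots belonging to an organization you have
stopped trusting, and produce a copy of the bundle with those roots removed.
Standard library only; the tiny DER walker reads just enough of an X.509
certificate to reach the subject's organizationName (OID 2.5.4.10)."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_ORGANIZATION = b"\x55\x04\x0a"  # DER contents of OID 2.5.4.10 (organizationName)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(constructed):
    """Yield the (tag, value) pairs directly inside a constructed DER value."""
    pos = 0
    while pos < len(constructed):
        tag, value, pos = _read_tlv(constructed, pos)
        yield tag, value


def subject_organizations(cert_der):
    """Return every organizationName in the certificate's subject field."""
    _, certificate, _ = _read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _read_tlv(certificate, 0)        # tbsCertificate ::= SEQUENCE { ... }
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                     # EXPLICIT [0] version is optional; skip it
        fields = fields[1:]
    subject = fields[4][1]  # serialNumber, signature, issuer, validity, subject, ...
    orgs = []
    for _, rdn in _children(subject):            # Name ::= SEQUENCE OF RelativeDistinguishedName
        for _, atv in _children(rdn):            # RDN ::= SET OF AttributeTypeAndValue
            _, oid, pos = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, pos)    # PrintableString or UTF8String; both decode as UTF-8 here
            if oid == OID_ORGANIZATION:
                orgs.append(value.decode("utf-8", "replace"))
    return orgs


def certs_in_bundle(pem_text):
    """Split a PEM bundle into a list of DER-encoded certificates."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(pem_text.encode())]


def find_distrusted(pem_text, organization):
    """Subject organizations of every certificate in the bundle issued to `organization`."""
    return [orgs for orgs in map(subject_organizations, certs_in_bundle(pem_text)) if organization in orgs]


def strip_organization(pem_text, organization):
    """Return the bundle with every certificate whose subject O= matches removed."""
    kept = [m.group(0) for m in PEM_RE.finditer(pem_text.encode())
            if organization not in subject_organizations(base64.b64decode(m.group(1)))]
    return b"\n".join(kept).decode() + "\n"


# --- Constructed sample data (NOT real TrustCor certificates): a minimal DER encoder builds
# two structurally valid but unsigned certificates so the scanner can run offline.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + content


def _name(org, cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String } with one O= and one CN=."""
    def rdn(oid, text):
        return _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, text.encode())))
    return _der(0x30, rdn(OID_ORGANIZATION, org) + rdn(b"\x55\x04\x03", cn))


def _fake_cert(org, cn):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    validity = _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"320101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00"))  # placeholder key; never used for verification
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(org, cn) + validity + _name(org, cn) + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # empty signature: test data only


def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Assumption: the O= string below is what the TrustCor roots carry; confirm against your
# own bundle with `openssl x509 -noout -subject` before relying on it.
TRUSTCOR_ORG = "TrustCor Systems S. de R.L."
SAMPLE_BUNDLE = (_pem(_fake_cert(TRUSTCOR_ORG, "TrustCor RootCert CA-1"))
                 + _pem(_fake_cert("Example Trust Services", "Example Root CA")))

if __name__ == "__main__":
    print("hits:", find_distrusted(SAMPLE_BUNDLE, TRUSTCOR_ORG))
    print("certs left after stripping:",
          len(certs_in_bundle(strip_organization(SAMPLE_BUNDLE, TRUSTCOR_ORG))))
```

Point `find_distrusted` at the contents of your real bundle (for example the file `ssl.get_default_verify_paths().cafile` names, or whatever your HTTP client loads) to see whether you are still carrying the roots. Matching on the subject organization rather than a fingerprint is deliberate: a distrust decision covers every root the CA operates, not one specific certificate.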
What's funny to me is that the TrustCor VP seems like she was almost on the right track. If she really wanted to win the moral high ground at all costs, instead of accusing people of secretly working for the government, she could have pointed out that most of the people on that mailing list work either for or with Google. The world's largest ad company. The company that tracks everyone on 90% of web sites via Google Analytics. The company that also distributes spyware, because they don't check what their ad customers are doing very well and let them run random JavaScript on random web pages. The company that runs a certificate authority of its own and is, in absolute terms, up to more shady shit than any other CA.
Saying that would have gotten her company destroyed even faster, but I think she would have been right.