Concerns about TrustCor

Prof. Reardon

Nov 8, 2022, 5:52:25 PM

to dev-secur…@mozilla.org

Hey all:

I am Joel Reardon, a professor at the University of Calgary, who researches
privacy in the mobile space. Earlier this year, collaborators and I discovered
and disclosed a spyware SDK embedded in apps that had been invasively monitoring users
[1]. The SDK was banned from the Play Store and apps that included this SDK were
told to remove it or they would be removed from the Play Store.

The SDK was from a Panamanian company [2] called Measurement Systems [3]. Their
website's WHOIS records listed Vostrom Holdings [4] as their owner when
I had started the investigation; it's now anonymized for privacy, but historical
records are available [5].

Along with investigative journalists at the Wall Street Journal, we found
that Vostrom Holdings is doing business as Packet Forensics [6], a
company that sells lawful-intercept products [7]. The Measurement Systems
company was also registered in Virginia [8] by "Raymond Alan Saulino", which was
then made inactive when Google took action against the SDK [9]. "Raymond A
Saulino" is also an officer for Packet Forensics Global LLC [10], and
despite the middle name not being an exact match, they both list the same
residential address [11, 12].

So now let's get to why I am talking about this here on this forum. When we found
that the SDK domains were registered by Vostrom, we looked to see what else was also
registered [13]. One of the domains stood out: trustcor.co, which redirected at
the time to the TrustCor CA's website. The NS records continue to show
nsX.msgsafe.io [14], the same as trustcor.com itself [15]. Msgsafe is a TrustCor
encrypted email product [16].

Like Measurement Systems, Trustcor is also registered in Panama [17]. They were
registered a month apart and they share an identical set of corporate officers
(cf. [1]). It is my understanding that these officers are only involved in three
companies, so it does not seem that they register, e.g., many companies in
Panama. One of those officers is Frigate Bay Holding LLC [18]. Shortly after
the WSJ article was published, a "Raymond Saulino" filed forms for Frigate Bay
Holdings LLC listed as its manager [19]. Raymond Saulino has also spoken to press
publicly on behalf of Packet Forensics in the context of a Wired article about
subverting SSL [20].

Trustcor also talks about their "geo-jurisdiction advantage" on a whole page
[21] where they state that "TrustCor is a Panamanian registered company, with
technical operations based in Curaçao—one of the most secure, privacy oriented
jurisdictions in the world." Despite that, they have job openings for PKI
Engineer and Systems Engineering in Phoenix, AZ [22, 23], the latter stating that
the applicant "MUST be located near the Phoenix, AZ area – job is remote with
occasional trips to data center facilities". Their own audit reports state that
they are Canadian, with their data centres in Phoenix, AZ [24]. I am not
particularly concerned by where they have their technical operations, but I think
that it's interesting to leave out that the data centres are in Arizona on the long
descriptions of the "geo-jurisdiction advantage". Certificate authorities are
about trust.

I have also tested the Msgsafe encrypted email product in the browser, while
saving the resulting traffic using Firefox and Chrome's "save to HAR" file option.
I am not convinced there is E2E encryption or that Msgsafe cannot read users'
emails. I see that email contents and attachments are sent plaintext
(over TLS) to api.msgsafe.io, even when sending to other Msgsafe users or when
using PGP or SMIME to send to non-Msgsafe users. The SMIME cert is sent inbound
from the server, and there is no outbound traffic that contains the public key
to be signed. The password is sent plaintext to the server (over TLS) and thus
any key derived from that password would also be known by the server. Hanlon's
razor tells me I should not attribute these errors to malice; it could just be a
developmental failure [25]. However, I think it's a reasonable expectation
that a root certificate authority can get the crypto right, and so I am concerned
regardless of the reason.

Another interesting thing is that whois records list Wylie Swanson as the
registrant for a number of domains that closely mimic other encrypted email
products [26]. This includes hushemail.net, protonmails.com, and tutanoto.com,
which shadow competing services, and which redirect users who visit them to
msgsafe.io. Wylie Swanson is the co-founder of Trustcor [27]. In my view,
it looks like typo squatting and I wouldn't expect a root certificate
authority to be engaged in this kind of behaviour.

To be clear, I have found no evidence of Trustcor issuing a bad certificate or
otherwise abusing the authority they have in code signing, SMIME, and domain
validation. I have only checked the public certificate transparency logs because
I am unaware of comparable public auditing for code signing and SMIME. Maybe
Vostrom registered a similar-sounding domain for Trustcor and redirected it
as an act of service. Maybe the identical ownership of Trustcor and Measurement
Systems is a coincidence. Maybe the Raymond Saulino of Frigate Bay holdings is
a different Raymond Saulino than the one representing Packet Forensics.

I am not familiar with the whole policy side of how CA membership works, so I
do not know if there is an expectation of candor regarding a CA's foreign
ownership or connection to lawful intercept companies. Maybe what I am
reporting is already known and not a concern, or maybe there is a totally
reasonable explanation for all these coincidences. However, I feel I should
report my findings just in case it ends up being useful, because I think that
it's reasonable for a root certificate authority to assuage my concerns.

A final coincidence: one of Msgsafe's email domains is decoymail.com, which
Msgsafe users can request and which redirects to msgsafe.io [28]. In 2014 it was
registered to VOSTROM Holdings, Inc., while in 2015 it was registered to TRUSTCOR
SYSTEMS S. DE R.L. [29]. DecoyMail was a company created by Rodney Joffe [30],
who is the person who also filed the original registration of Packet Forensics
[31] and was still an authorized agent for Packet Forensics in a 2019 filing
[32] and a Manager for Packet Forensics in a 2021 filing [33]. The email
rjo…@centergate.com is linked to the domains rodneyjoffe.com,
packetforensics.com, and decoymail.net [34]. Decoymail.net currently redirects
to msgsafe.io.

Just to restate: I do not have any evidence that Trustcor has done anything wrong, and I
do not have any evidence that Trustcor has been anything other than a diligent, competent
certificate authority. Were Trustcor simply an email provider that misrepresented
their claims of E2E encryption and had some connections to lawful intercept
defense contractors, I wouldn't raise a concern in this venue. But because it's
a root certificate authority on billions of devices—including mine—I feel it
is reasonable to have an explanation.

[1] //archive.ph/AuNOy (archive of WSJ article)
[2] //opencorporates.com/companies/pa/2337L
[3] //measurementsys.com/
[4] //vostrom.com/about.opp
[5] //www.whoxy.com/measurementsys.com
[6] //cis.scc.virginia.gov/CommonHelper/DocumentStorageLocalFileget?DocumentId=1542553&sourceType=1
[7] //www.packetforensics.com/products.safe
[8] //cis.scc.virginia.gov/CommonHelper/DocumentStorageLocalFileget?DocumentId=3476851&sourceType=1
[9] //cis.scc.virginia.gov/CommonHelper/DocumentStorageLocalFileget?DocumentId=12188858&sourceType=1
[10] //opencorporates.com/companies/us_nv/E0518742015-4
[11] //opencorporates.com/officers/429641126
[12] //opencorporates.com/officers/168691865
[13] //www.whoxy.com/company/20189182
[14] //www.whoxy.com/trustcor.co
[15] //www.whoxy.com/trustcor.com
[16] //trustcor.com/files/12012016.php
[17] //opencorporates.com/companies/pa/2326L
[18] //opencorporates.com/companies/us_wy/2020-000946985
[19] //wyobiz.wyo.gov/Business/FilingDetails.aspx?eFNum=230084239221021253238165142128171020141144245186
(click on history, then address update pdf)
[20] //www.wired.com/2010/03/packet-forensics/
[21] //trustcor.com/curacao
[22] //careers.jobscore.com/careers/trustcor/jobs/pki-security-engineer-cGlJUDydTp67nWF6LOxNC0?ref=rss&sid=68
[23] //careers.jobscore.com/careers/trustcor/jobs/systems-engineer-aNkuyi0pKr6R6NaKlhlxBf?ref=rss&sid=68
[24] //www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=c4f0e7c6-b310-4f5c-9907-8ecfad68366e
[25] //en.wikipedia.org/wiki/Hanlon%27s_razor
[26] //www.whoxy.com/email/28298508
[27] //trustcor.com/management
[28] //decoymail.com
[29] //securitytrails.com/domain/decoymail.com/history/a (must create account)
[30] //ecorp.azcc.gov/CommonHelper/GetFilingDocuments?barcode=00396622
[31] //ecorp.azcc.gov/CommonHelper/GetFilingDocuments?barcode=02780271
[32] //ecorp.azcc.gov/CommonHelper/GetFilingDocuments?barcode=19121111449561
[33] //bizfileonline.sos.ca.gov/api/yarn/GetImageByNum/190229140180179177132144027172122051178173016008
[34] //www.whoxy.com/email/23160817
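The HAR-based test Joel describes above (password and message content reaching the API host readable, an S/MIME certificate arriving from the server with no CSR or public key ever leaving the browser) can be made mechanical. The script below is an added example and is not code from Joel's post or from MsgSafe; the capture it inspects and the host api.example-mail.test are constructed to mirror the flows described, and the set of "sensitive" field names is an assumption. The https scheme is deliberately ignored in the verdict: TLS protects the wire, not the endpoint that decrypts it.

```python
"""Inspect a browser "save as HAR" capture for credentials and message content
that reach the server readable, and for the traffic a client-side S/MIME
enrolment would produce. Added example; not code from the post above or from
MsgSafe. The capture and the host api.example-mail.test are constructed."""
import json
from urllib.parse import parse_qs, urlsplit

# Field names whose values should never reach an "end-to-end encrypted" server
# in the clear (assumption: adapt to the API under test).
SENSITIVE_KEYS = {"password", "passphrase", "body", "attachment", "attachments"}
CSR_MARKERS = ("-----BEGIN CERTIFICATE REQUEST-----", "-----BEGIN PUBLIC KEY-----")
CERT_MARKER = "-----BEGIN CERTIFICATE-----"


def _walk(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf of a JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def request_fields(request):
    """Decode a HAR request's postData (JSON or form-encoded) into (path, value) pairs."""
    post = request.get("postData") or {}
    text, mime = post.get("text", ""), post.get("mimeType", "")
    if not text:
        return []
    if "json" in mime:
        try:
            return list(_walk(json.loads(text)))
        except ValueError:
            return [("raw", text)]
    if "x-www-form-urlencoded" in mime:
        return [(key, values[0]) for key, values in parse_qs(text).items()]
    return [("raw", text)]


def _path_components(path):
    # "attachments[0].content" -> ["attachments", "content"]
    return [component.split("[")[0] for component in path.split(".")]


def plaintext_exposures(har, api_host):
    """Sensitive fields sent to api_host in server-readable form, as
    (method, url, field_path). The scheme is not consulted on purpose."""
    hits = []
    for entry in har["log"]["entries"]:
        request = entry["request"]
        if urlsplit(request["url"]).hostname != api_host:
            continue
        for path, value in request_fields(request):
            if isinstance(value, str) and value and any(
                component in SENSITIVE_KEYS for component in _path_components(path)
            ):
                hits.append((request["method"], request["url"], path))
    return hits


def outbound_key_material(har):
    """True if any request carries a CSR or public key, which a client that
    generates its own S/MIME key pair would have to send for certification."""
    return any(
        isinstance(value, str) and any(marker in value for marker in CSR_MARKERS)
        for entry in har["log"]["entries"]
        for _, value in request_fields(entry["request"])
    )


def inbound_certificates(har):
    """URLs whose response body delivers a PEM certificate to the client."""
    return [
        entry["request"]["url"]
        for entry in har["log"]["entries"]
        if CERT_MARKER in ((entry["response"].get("content") or {}).get("text") or "")
    ]


def _entry(method, url, mime=None, body=None, response_text=""):
    """Build a minimal HAR entry for the constructed sample capture."""
    request = {"method": method, "url": url}
    if body is not None:
        request["postData"] = {"mimeType": mime, "text": body}
    return {"request": request,
            "response": {"content": {"mimeType": "text/plain", "text": response_text}}}


API_HOST = "api.example-mail.test"  # constructed placeholder, not a real endpoint
SAMPLE_HAR = {"log": {"entries": [  # constructed to mirror the flows described above
    _entry("POST", f"https://{API_HOST}/login", "application/json",
           json.dumps({"username": "alice", "password": "correct horse battery"})),
    _entry("POST", f"https://{API_HOST}/messages/send", "application/json",
           json.dumps({"to": ["bob@example.test"], "subject": "hi",
                       "body": "message text the server can read",
                       "attachments": [{"name": "a.txt", "content": "aGVsbG8="}]})),
    _entry("GET", f"https://{API_HOST}/smime/certificate",
           response_text="-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----"),
    _entry("GET", "https://cdn.example.test/app.js", response_text="// static asset"),
]}}

if __name__ == "__main__":
    for method, url, path in plaintext_exposures(SAMPLE_HAR, API_HOST):
        print(f"server-readable: {method} {url} field={path}")
    print("outbound CSR/public key:", outbound_key_material(SAMPLE_HAR))
    print("inbound certificates:", inbound_certificates(SAMPLE_HAR))
```

Run it against a real export by replacing SAMPLE_HAR with `json.load(open("capture.har"))` and API_HOST with the host the web client talks to. A clean end-to-end design would show an empty exposure list, outbound key material on enrolment, and a password that only ever appears in derived form.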

Serge Egelman

Nov 8, 2022, 6:38:07 PM

to dev-secur…@mozilla.org, joel.r…@ucalgary.ca

I want to follow this up with some additional details that I've found:

We initially came across this CA after discovering the malware SDK that Joel described. We went through some of our app analysis data to find all the apps impacted and reported those to Google. In every case, save one, that SDK was heavily obfuscated (going so far as to encrypt strings, which were then decrypted dynamically at runtime). We found a pre-release beta of the MsgSafe app that contained the completely unobfuscated version of the SDK that we had seen in the wild. For example, here's a screenshot made after decompiling that app using apktool:

[image: Screenshot 2022-11-08 at 8.26.43 AM.png]

You can also see full debug symbols, which don't exist in any other version of the app that we have found.

According to their Twitter feed, they released a beta of their Android app in late 2017:

[image: Screenshot 2022-11-08 at 8.18.04 AM.png]

While that app is no longer in the Play Store, there are third-party app archives that have made it publicly available. For example:

Like most Android apps, it's signed, so someone else can potentially independently verify its provenance.

So the question is, why did MsgSafe appear to bundle an unobfuscated version of this SDK in their app? How was it obtained, if as Rachel says, they have nothing to do with the company that is distributing it? According to her email, they do not have a public app; someone should probably tell that to their social media person…

serge

Kathleen Wilson

Nov 8, 2022, 8:03:35 PM

to dev-secur…@mozilla.org, ege…@cs.berkeley.edu, joel.r…@ucalgary.ca

Thank you, Joel and Serge, for bringing this to the attention of Mozilla and the wider community.

We understand from your post that:

  • Measurement Systems distributed an SDK containing spyware to Android users (also reported by the Wall Street Journal in April 2022).

  • There is substantial evidence that Measurement Systems and TrustCor are closely linked.

  • You found no evidence of the CA mis-issuing certificates.

We find this information to be very concerning and, based on our Root Store Policy (Section 7.3 Removals), we intend to take the following actions:

1) Request that a representative of the TrustCor CA, who we have also contacted over email, respond here in this discussion thread with the following information as soon as possible, and no later than November 22, 2022.

  • Response to the concerns raised in Joel’s post, including

    • How was an unobfuscated version of the Measurement Systems SDK integrated into MsgSafe?

  • Explanation of the ownership, governance, and relationship between TrustCor, Measurement Systems and Packet Forensics Global, particularly focusing on how the documented actions by other Vostrom Holdings organizations such as Measurement Systems impact TrustCor and its operations.

    • To what extent does TrustCor currently maintain a business relationship or share ownership/corporate officers with Measurement Systems or Packet Forensics?

    • If TrustCor currently does not maintain a business relationship or share ownership/corporate officers, has it done so in the past? If so, when? When was the relationship dissolved?

    • What in general explains the shared corporate officers across the companies?

    • Do you have separate corporate registration documentation demonstrating that the TrustCor CA is a different organization than the Trustcor entity that shares corporate officers with Measurement Systems? If so, please provide it.

  • Report the number of SMIME certificates whose private keys were stored in versions of the MsgSafe app which included the identified malware. Report TrustCor CA’s plan for those certificates; e.g. timeline for revoking them.

  • Self-assessment of risk versus benefit of the TrustCor CA’s root certificates being included in Mozilla’s root store with the websites (TLS) and email (S/MIME) trust bits enabled. Please see //wiki.mozilla.org/CA/Quantifying_Value for the information to be provided.

  • Statement of Auditor’s Qualifications, as explained here: //wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications

2) Depending on our own further investigations, relevant external developments, and on TrustCor’s response, we intend to take one of the following options.

  1. If our concerns have not been resolved by November 22 and further investigation and discussion is still needed, then set “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 29, 2022 for the 3 TrustCor root certificates (TrustCor RootCert CA-1, TrustCor ECA-1, TrustCor RootCert CA-2) that are currently included in Mozilla’s root store. This means that for certificates chaining up to those root certificates, Mozilla will not trust end-entity certificates that have a Valid-From date later than the distrust-after date. Certificates with a Valid-From date before the distrust-after date will continue to be trusted until a decision is made about TrustCor’s risk to the CA ecosystem, including through their response to this message.

  2. If the TrustCor CA representatives are able to provide sufficient evidence demonstrating that the accusations are without merit and no evidence emerges that the CA has mis-issued certificates, then remove the distrust-after values (if they have been set), and allow TrustCor CA to continue to be a fully-operational CA in Mozilla’s root store.

  3. If the concerns are founded, but there is no reason to believe that the CA has mis-issued certificates, keep the distrust-after values set until all the existing end-entity certificates have expired, then remove the root certificates from Mozilla’s root store.

  4. If there is reason to believe that the CA has mis-issued certificates or the CA backdates certificates to circumvent the distrust-after settings, then remove the root certificates from Mozilla’s root store on an expedited timeline, without waiting for the end-entity certificates to expire.

Mozilla retains the right to take any necessary steps we deem appropriate to protect the security and privacy of our users, including disabling (partially or entirely) or removing a certificate and certificate authority from our Root Store program.

While we appreciate TrustCor’s quick response to the Washington Post article, these concerns have to be completely addressed in order to maintain trust in the CA ecosystem.

If anyone has additional information about the TrustCor CA and these concerns, your input to this thread would be greatly appreciated. You may also write to Mozilla privately at certif…@mozilla.org.

Thanks,

Kathleen
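The "Distrust for TLS/S-MIME After Date" mechanism in Kathleen's message, and the backdating evasion her option 4 anticipates, are easy to misread, so here is the logic worked through in code. This is an added example, not NSS, Firefox or Mozilla code. The three root names and the November 29, 2022 date are the ones stated above; the leaf certificates, the evaluation time, the CT first-seen timestamps and the 24-hour notBefore skew allowance are all constructed assumptions.

```python
"""Apply root-store "Distrust After" dates to leaf certificates and flag the
backdating such a setting invites. Added example; not NSS, Firefox or Mozilla
code. Root names and the 2022-11-29 cutoff come from the message above;
leaf metadata, CT first-seen times and the skew allowance are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
CUTOFF = datetime(2022, 11, 29, tzinfo=UTC)

# root CN -> distrust-after date per trust bit (None means no restriction)
ROOT_STORE = {
    "TrustCor RootCert CA-1": {"tls": CUTOFF, "smime": CUTOFF},
    "TrustCor ECA-1": {"tls": CUTOFF, "smime": CUTOFF},
    "TrustCor RootCert CA-2": {"tls": CUTOFF, "smime": CUTOFF},
    "Example Unrestricted Root": {"tls": None, "smime": None},  # constructed
}


@dataclass
class Leaf:
    subject: str
    root: str                 # CN of the root the chain terminates in
    usage: str                # "tls" or "smime"
    not_before: datetime      # the certificate's own Valid-From claim
    not_after: datetime
    first_ct_seen: Optional[datetime] = None  # earliest CT log / SCT timestamp, if known


def trust_decision(leaf: Leaf, store, now: datetime) -> str:
    """Outcome as the message describes it: a leaf whose notBefore is later than
    the root's distrust-after date is rejected; earlier ones keep working until
    they expire or the root is removed outright."""
    bits = store.get(leaf.root)
    if bits is None:
        return "untrusted: root not in store"
    if not leaf.not_before <= now <= leaf.not_after:
        return "untrusted: outside validity period"
    cutoff = bits.get(leaf.usage)
    if cutoff is not None and leaf.not_before > cutoff:
        return f"untrusted: notBefore after distrust-after date ({cutoff:%Y-%m-%d})"
    return "trusted"


def backdating_suspect(leaf: Leaf, cutoff: Optional[datetime],
                       slack: timedelta = timedelta(hours=24)) -> bool:
    """A CA could evade the cutoff by writing a notBefore earlier than the real
    issuance time. The observable signal: the certificate claims to predate the
    cutoff yet first appears in CT logs only after it, by more than the small
    notBefore skew CAs legitimately apply (assumption: 24h)."""
    if cutoff is None or leaf.first_ct_seen is None:
        return False
    return (leaf.not_before <= cutoff < leaf.first_ct_seen
            and leaf.first_ct_seen - leaf.not_before > slack)


def earliest_root_removal(leaves, root: str) -> Optional[datetime]:
    """Option 3 above keeps the root until existing end-entity certificates
    expire: that is the latest notAfter among leaves chaining to it."""
    expiries = [leaf.not_after for leaf in leaves if leaf.root == root]
    return max(expiries) if expiries else None


NOW = datetime(2022, 12, 5, tzinfo=UTC)  # constructed evaluation time
SAMPLE_LEAVES = [  # constructed
    Leaf("old.example.test", "TrustCor RootCert CA-1", "tls",
         datetime(2022, 11, 15, tzinfo=UTC), datetime(2023, 11, 15, tzinfo=UTC),
         first_ct_seen=datetime(2022, 11, 15, 2, tzinfo=UTC)),
    Leaf("new.example.test", "TrustCor RootCert CA-1", "tls",
         datetime(2022, 12, 1, tzinfo=UTC), datetime(2023, 12, 1, tzinfo=UTC),
         first_ct_seen=datetime(2022, 12, 1, tzinfo=UTC)),
    Leaf("backdated.example.test", "TrustCor RootCert CA-2", "tls",
         datetime(2022, 11, 20, tzinfo=UTC), datetime(2023, 11, 20, tzinfo=UTC),
         first_ct_seen=datetime(2022, 12, 3, tzinfo=UTC)),
    Leaf("user@example.test", "TrustCor ECA-1", "smime",
         datetime(2022, 11, 30, tzinfo=UTC), datetime(2023, 11, 30, tzinfo=UTC)),
]

if __name__ == "__main__":
    for leaf in SAMPLE_LEAVES:
        cutoff = ROOT_STORE[leaf.root][leaf.usage]
        print(f"{leaf.subject:26} {trust_decision(leaf, ROOT_STORE, NOW):52} "
              f"backdating suspect: {backdating_suspect(leaf, cutoff)}")
    print("CA-1 removable after:", earliest_root_removal(SAMPLE_LEAVES, "TrustCor RootCert CA-1"))
```

The third sample leaf is the case option 4 is written for: its notBefore passes the distrust-after check, so the check alone would trust it, and only the gap between notBefore and the first CT sighting gives it away. A real deployment would take first_ct_seen from the SCTs embedded in the certificate or from a CT monitor.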

Rachel McPherson

Nov 8, 2022, 8:58:03 PM

to dev-secur…@mozilla.org, Serge Egelman, joel.r…@ucalgary.ca

Hi Joel and Serge,

Interesting that this is the first time you or anyone else in your research group has reached out to us, unless you count the Washington Post journalist who claims in his article that we did not respond, which is one of the many false claims made in the article since we responded very quickly to his contact. And before I begin, you should probably clarify if your views are representing The University of Calgary’s views, The University of California at Berkeley’s views, or your commercial venture AppCensus’s views, or your views representing any customer, agency, etc…? If in fact these views are entirely independent and personal, that is also helpful to understand.

For any of the technical details about MsgSafe.io’s email software and service, that belongs in a different forum because it isn’t related to CA operations or CA public policy based on your description. I know you guys sell some kind of app security solution commercially, but I did note in my earlier response that our company and MsgSafe has never shipped an app that was not in BETA only and that the 5-year-old app beta was abandoned years ago and replaced with a mobile-first web experience that we think is really quite superior on the mobile phone browser itself without having to install any app software which is (as you guys well know) risky in terms of navigating the third party software that helps make apps easier to use or helps monetize them or whatever, but may also contain other stuff bad guys use for their own purposes. We abandoned mobile development years ago (as you can clearly tell) and instead of replacing it we just suggest users make use of their built-in browsers only to use the service which as you can see for yourself works amazingly well now based on React Native’s mobile capabilities. This is by far the safest way to use the email app from what I’ve been told by the team, but again in that other forum please share your feedback because of course we want to make it even better. I encourage you to follow those up with MsgSafe.io directly through their customer support channels and I know for a fact they would be extremely happy if you can provide any concrete feedback for improving that product suite, and thanks in advance for that.
I know they get a lot of feedback, but everything helps in terms of making products better and more secure, I think that’s one thing we all agree on. My suggestion is you don’t start the conversation with them talking about an abandoned app beta from years ago (other than maybe to say remove it), and instead focus on improving their production web application for mobile.

Specific to your commentary on the certificate authority and policy pertinent to this forum, I appreciate that you acknowledge and stated multiple times throughout your post that you have found no evidence of TrustCor mis-issuing certificates or otherwise abusing our authority or violating established CA policies or root policies. We obviously agree. I will comment on some of your other points for the benefit of this forum, and then I suggest we take things off-line (sideline at least) and either meet in person or have phone calls or professionally approach our discourse some other way, without you guys using the media, your twitter followers or slinging more false claims, which isn’t good for anyone including the public that we both hope to serve.

I’m not a lawyer, but when a company registers itself as a corporate entity and lists its officers and addresses and mailing addresses and uses lawyers to do those things, in most cases the company initially gets registered to the lawyer or thereafter and that information gets immediately obsoleted through amendments pointing to the actual officers. I can tell you we do not have any crossover between our officers and the officers of other companies you mention, for sure. As for the ownership or beneficial shareholders of the company, the names you list are close, but wrong. We have had the same beneficial owners for 7 years, and while their names are “similar to” the names you mentioned, they are not identical and we certainly never had any ownership from companies registered in the USA. As for the cross-over between officers, I am as confused as you because what that website is showing (open corporates) and perhaps what the gov lawyers have in our records is definitely not what exists in my records, so obviously it’s my responsibility to reconcile this with the ownership and get it corrected and most importantly explained. Without having researched any of that, I will again refer to those other random USA companies that are not us, and that were created in other jurisdictions 7 years after we were incorporated, that sound similar to our ownership, and their potential for foul play against us in this manner along with the insurance information attempt I mentioned before. It looks like the actual companies were there before, but were modified and the lawyers and people were added to the record, whereas our records show quite different names and without that particular person.
Again, I will reconcile and explain after I’ve done more research and compared these things on the overall timeline of events.

Also, we are not in USA territory based on ownership, though as you pointed out we do host some gear in the USA. I don’t think it’s common for companies to disclose where any of their critical web hosting infrastructure is located, but yes we have infrastructure in the USA and in the Caribbean, and our key locations are properly documented in our CA audits and insurance filings.

When I read your comments about the company names and the domain name, it seems like we already explained this in our initial reply to the extent my lawyer is comfortable with me explaining publicly because we are considering follow-on civil lawsuits. Plainly stated, it seems like 7 or so years after we were founded, someone went and created companies with identical names (but instead of making them where they belong and are already registered, they created them within the USA). I don’t know for a fact why anyone would do this, we certainly did not do it. Our lawyers believe someone may have done this (and it agrees with the event timeline we are creating as we research) for physical actions taken and may have used this with insurance companies to obtain additional nonpublic information about our company and our insurance infrastructure which is large and sophisticated just like every CA’s insurance should be. If you pair that with someone also having a lookalike domain name, obviously that could be used for bad purposes (phishing, etc) against our customers or against us or against our vendors I suppose, … that doesn’t look like a good combination. It seems quite shady, really. When we learned the domain name was available, we took legal action and we had asserted international trademark claims and we were able to force the domain be sold to us and now we have it and use it today. Who would register those companies or domain or do these things to us and why? That’s beyond me, but none of it sounds like good behavior to me or to our lawyers. If you guys have any actual evidence or better ideas as to how these may have been used, I’d love to share that with our lawyers.

I think I’ve hit on all the major points I can discuss publicly, obviously I can’t comment on prior (whether deceased or not) employees, etc.

Oh and on our own domain ownership or prior employee domain ownership, frankly that again has to do with that MsgSafe email product and not CA operations, but our customers and the company and prior and current employees etc all register domains through it by the hundreds or thousand(s), there are at some point of provisioning or not, and we certainly can’t be responsible for what all of them register. Certainly if any violate any laws we try to handle that on an individual case basis, but hopefully abuse is kept to a minimum and we have a lot of protections built-in like checking against Alexa top sites and other things CAs do operationally as part of the business. Some but not all of those protections are extended to the MsgSafe email product but that may also be blurry because people register some really unusual domains quite naturally and without any malice that contain unusual words or substrings or whatever…

As I mentioned, happy we are to take this offline with our CA operational partners and fellow root program stakeholders and administrators, etc.

Thank you all people,

Rachel

Please note: this message is not in direct reply to Kathleen’s message that just came in, we have not yet had time to absorb her post and will respond to Kathleen’s message on all mentioned points within the timeframe allotted. However, we did not feel the need to delay our response to Joel and Serge.

Ryan Dickson

Nov 9, 2022, 3:10:41 PM

to Rachel McPherson, dev-secur…@mozilla.org, Serge Egelman, joel.r…@ucalgary.ca

All,

The Chrome Root Program is aware of the allegations against TrustCor by AppCensus and described in this Washington Post article. Chrome maintains a diversity of mechanisms to guard its customers, and is ready to exhaust them as main.

To be definite, behavior that attempts to degrade or subvert safety and privateness on the procure is incompatible with organizations whose CA certificates are included in the Chrome Root Store.

The evaluation by AppCensus, along with our private, has acknowledged what would be described as “coincidences” that, when compiled, may possibly well well name into seek files from the honesty and safety of a publicly-depended on root CA owner or operator. As described by Kathleen Wilsonwe predict about it’s TrustCor’s responsibility to assuage community project by publicly addressing the questions outlined in her message.

Furthermore, we eminent the following coincidences and demand further clarification from TrustCor:

Coincidence #1 Audit Irregularities

  • TrustCor uses Princeton Audit Neighborhood (PAG) as its auditor.

  • In step with CCADB files, PAG would not audit any different publicly-depended on CAs.

  • TrustCor’s most most recent audit statements ([[[[Common]and[[[[BR – TLS]) characterize CA operations in Toronto, Ontario, Canada.

    • PAG is listed as a licensed practitioner fully in the USA.

    • TrustCor’s CPS signifies the ideas amenities are positioned in Phoenix.

    • Even supposing the management assertion references Phoenix, PAG’s attestation would not.

  • Past[[[[1],[[[[2], and[[[[3], we stumbled on puny public files particular to audits performed by PAG.

Coincidence #2 WIPO Complaint

  • This page summarizes a 2018 criticism filed with the WIPO Arbitration and Mediation Heart against Trustcor Programs S. De R.L. by Compagnie Générale des Etablissements Michelin, owner of BFGOODRICH.

  • The criticism cites concerns linked to TrustCor registering bfgoodrichpromotions.procureand the threat of a linked phishing procedure due to the registration and corresponding e-mail servers configured on the disputed domain title.

  • Within the raze, the Panel stumbled on TrustCor’s passive preserving of the disputed domain title indicated “spoiled religion”. Furthermore, the Panel furthermore stumbled on that TrustCor’s failure to respond to the Complainant’s close-and-desist letters was an further circumstance evidencing the TrustCor’s “spoiled religion”.

  • One of these behavior is per that described by Joel Reardon right here (admire dialogue foundation with “Yet every other provocative whine is that whois files lists Wylie Swanson because the registrant for a quantity of domains that carefully mimic different encrypted e-mail products [26]).

  • We’ve individually confirmed the domain registrations described above had been once registered as indicated by Joel.

Extra Observations

Separately, we eminent the following observations after taking a closer ogle at Msgsafe.io and studying TrustCor’s certificate issuance.

Msgsafe.io

TrustCor owns msgsafe.io, a privacy-focused webmail platform that appears to be common across ransomware attacks (examples [4], [5], and [6]).

Bad actors’ use of TrustCor’s service offering should not be considered a reflection of the service, or TrustCor, itself. However, we’re interested to understand actions TrustCor has taken against the addresses represented in the attacks described above, and others that may have been reported in the past. While TrustCor’s responses to known instances of abuse are not directly related to its status as a trusted CA, they are often interpreted as an indication of TrustCor’s commitment to upholding security and privacy on the web.

Certificate Issuance

We examined TrustCor’s TLS server certificate issuance and did not find signs of mis-issuance or clear violations of the Baseline Requirements.

We identified that ~35% of the dnsNames represented in the certificates issued by TrustCor were publicly accessible at the time of analysis, and only 59% of those served TrustCor-issued certificates.

Closely examining issuance patterns, most TrustCor-issued certificates were issued to the following domains: ddns.net, hopto.org, sytes.net, zapto.org, myddns.me, servebeer.com, myftp.org, and servehttp.com.

We would have expected a substantially broader set of publicly accessible domains, but this is not intended to suggest wrongdoing by TrustCor.

If there are any questions regarding any of the items above, we’d be happy to address them.

– Ryan
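The issuance-pattern check described above (grouping a CA's issued dnsNames by the parent that delegated them, so that thousands of dynamic-DNS hostnames are not mistaken for thousands of customers) can be reproduced offline over a certificate list. The Python below is an added example, not code from Ryan, TrustCor or the thread; its certificate records are constructed sample data and its DDNS suffix set is a hand-picked stand-in for the Public Suffix List's private section.

```python
"""Group a CA's issued dnsNames by parent domain to measure issuance concentration.

Added example (not from the thread or any CA's tooling). Dynamic-DNS parents such
as hopto.org or ddns.net hand out subdomains to unrelated users, so counting
distinct hostnames overstates how broad a CA's customer base really is; grouping
by the parent that delegated the name gives the picture discussed in the thread.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for the Public Suffix List's private section: suffixes
# under which one DDNS provider delegates names to unrelated customers.
DDNS_SUFFIXES = frozenset({
    "ddns.net", "hopto.org", "sytes.net", "zapto.org",
    "myddns.me", "servebeer.com", "myftp.org", "servehttp.com",
})


@dataclass
class CertRecord:
    """Minimal view of one issued certificate: serial plus its SAN dnsNames."""
    serial: str                      # placeholder value, not a real serial
    dns_names: List[str] = field(default_factory=list)


def parent_domain(dns_name: str) -> str:
    """Return the parent under which dns_name was handed out.

    A name under a known DDNS suffix is grouped by that suffix; anything else
    falls back to its last two labels, which is adequate for .com/.org style
    names in this sample (a real PSL lookup is needed for co.uk and friends).
    """
    labels = dns_name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]          # a wildcard counts for its parent
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DDNS_SUFFIXES:
            return suffix
    return ".".join(labels[-2:])


def issuance_profile(certs: List[CertRecord], top_n: int = 3) -> Dict[str, object]:
    """Summarise how concentrated issuance is across parent domains."""
    # Deduplicate: renewals re-issue the same dnsNames and would inflate counts.
    # Sorting keeps Counter insertion order (and so tie-breaking) deterministic.
    names = sorted({n for c in certs for n in c.dns_names})
    by_parent = Counter(parent_domain(n) for n in names)
    ddns_names = sum(v for k, v in by_parent.items() if k in DDNS_SUFFIXES)
    return {
        "distinct_names": len(names),
        "distinct_parents": len(by_parent),
        "ddns_share": ddns_names / len(names) if names else 0.0,
        "top_parents": by_parent.most_common(top_n),
    }


def single_provider_dominated(profile: Dict[str, object], threshold: float = 0.5) -> bool:
    """True when more than `threshold` of the distinct names sit under DDNS parents."""
    return float(profile["ddns_share"]) > threshold


# Constructed sample issuance; serials are placeholders.
SAMPLE_CERTS = [
    CertRecord("01", ["alice-home.ddns.net"]),
    CertRecord("02", ["cam.hopto.org", "www.cam.hopto.org"]),
    CertRecord("03", ["nas.sytes.net"]),
    CertRecord("04", ["plex.zapto.org"]),
    CertRecord("05", ["git.myddns.me"]),
    CertRecord("06", ["alice-home.ddns.net"]),       # renewal of 01
    CertRecord("07", ["mail.example.com", "example.com"]),
    CertRecord("08", ["shop.example.org"]),
    CertRecord("09", ["box.servehttp.com"]),
    CertRecord("10", ["*.servebeer.com"]),
    CertRecord("11", ["door.hopto.org"]),
]

if __name__ == "__main__":
    profile = issuance_profile(SAMPLE_CERTS)
    print(f"{profile['distinct_names']} distinct names under "
          f"{profile['distinct_parents']} parents; "
          f"{profile['ddns_share']:.0%} under DDNS suffixes")
    for parent, count in profile["top_parents"]:
        print(f"  {parent:<16} {count}")
    print("dominated by one DDNS provider:", single_provider_dominated(profile))
```

On real data the input would be the dnsNames pulled from CT logs for the CA's issuing intermediates, and the suffix set would come from the Public Suffix List rather than the short list above.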

Philip Valsorda

Nov 9, 2022, 4:56:01 PM

to dev-secur…@mozilla.org

We identified that ~35% of the dnsNames represented in the certificates issued by TrustCor were publicly accessible at the time of analysis, and only 59% of those served TrustCor-issued certificates.

Closely examining issuance patterns, most TrustCor-issued certificates were issued to the following domains: ddns.net, hopto.org, sytes.net, zapto.org, myddns.me, servebeer.com, myftp.org, and servehttp.com.

We would have expected a substantially broader set of publicly accessible domains, but this is not intended to suggest wrongdoing by TrustCor.

Thank you Kathleen and Ryan for promptly addressing the issues with the trustworthiness of this CA operator.

I also noticed the same issuance patterns, and wanted to note that all those domains belong to the same Dynamic DNS provider [1] which offers free Trustcor certificates [2].

I agree that this does not indicate any wrongdoing, but I ask that the fact that this CA appears to largely serve a single service provider be part of the “self-assessment of risk versus benefit of the TrustCor CA’s root certificates being included in Mozilla’s root store” that Kathleen requested.

Clint Wilson

Nov 12, 2022, 2:26:48 AM

to MDSP, Rachel McPherson, Serge Egelman, joel.r…@ucalgary.ca, Ryan Dickson

Hi all,

In order to further build on the observations that may warrant some response from TrustCor, the Apple Root Program would like to add some additional notes. We concur with views expressed below that the corpus of these observations lend themselves to reasonable doubt about this company’s ability to operate as a publicly trusted CA, and at this point consider it equally reasonable to ask TrustCor to address the concerns raised herein.

Observations:

  1. The “Primary Market / Customer Base” field for TrustCor in CCADB indicates “TrustCor develops privacy protection services and issues certificates to its customers in support of such services.”
    1. This seems to indicate that certificate issuance is not the core of their business, but rather augmentative thereto. However, looking at their web site https://www.trustcorsystems.com/ (which redirects to https://trustcor.com/), there is little mention, and nothing predominantly represented, of services or products other than TLS and S/MIME certificate issuance.
    2. Especially in light of the report which began this thread and other observations shared since, this rather benign-seeming observation then prompts the question: What are the privacy protection services these certificates are being issued in support of?
  2. As highlighted elsewhere, the address TrustCor has listed on CCADB doesn’t appear to house TrustCor offices and instead points to what appears to be a series of retail stores, including a UPS Store, as referenced in the linked Washington Post article (https://www.washingtonpost.com/technology/2022/11/08/trustcor-web-addresses-government-connections/).
    1. Where is the Ontario Headquarters of TrustCor, as referenced by the corpus of audit statements representing TrustCor?
  3. Looking at Ontario Business Records, it also appears that TrustCor Systems S. DE R.L. (the corporation listed on their audits) “ceased activity in Ontario” on December 31, 2016. There are other registered entities with the TrustCor name, but these other registered companies seem to be unrelated to TrustCor CA.

Thank you,

-Clint

Rachel McPherson

Nov 18, 2022, 9:14:02 PM

to MDSP, Clint Wilson, Ryan Dickson, Kathleen Wilson, joel.r…@ucalgary.ca, Serge Egelman

Kathleen, Ryan, Clint and the rest of the community:

I was reminded by a few of you that this is a large public forum with non-CA-operators and non-browser/platform-developers present, and that people have a lot of interest in these topics but not always the same level of experience or familiarity with CA operations and root CA program guidelines or technical know-how as the intended audience. Therefore let me begin by saying THANK YOU to my fellow CA/B Forum members and members of the wider community for reminding me of that, and separately thanks to those of you that have sent very nice and interesting, supportive emails (you know who you are). I have enjoyed working with many of you for many years and your positive messages were very meaningful and heartfelt. Given the publicity of this forum, I will do my best to respect people by not always using their names or calling out other root program member organizations as examples, even when it would be useful to do so. Instead I will ask you to take that aspect into consideration in my response. Also, I will use “our company” when speaking of TrustCor (the CA operator) and MsgSafe (the email service). I will use “the researchers” when speaking about Serge Egelman, Joel Reardon, their commercial enterprise AppCensus, or the universities for which they work (University of California, Berkeley and the University of Calgary, respectively).

It is critical that readers understand we have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or process, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things. It is also important to understand that TrustCor operates a certificate authority (TrustCor CA) which provides CA services protected and insulated by an exclusion agreement, and TrustCor operates a privacy-enhancing communications service (MsgSafe.io) as two distinct business units.

I will do my best to succinctly respond to the questions and concerns from the root program representatives first, and then for the readers wanting further detail, I will provide more context in the sections below the most pertinent portions of my response. I have also attached a memo from Wylie who wished to be heard as part of this process. For those of you who are looking to cover (journalism) the topic, thanks in advance for considering the entire message and attachments before you write anything or before you call us, please.

———————————

In Response to Kathleen’s (Mozilla) concerns, offering further clarification as requested:

In Response to “How was an unobfuscated version of the Measurement Systems SDK integrated into MsgSafe?”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out help from third-party software services to achieve better app analytics. We are aware that they evaluated other SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time throughout this process where they integrated additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive web site containing MsgSafe’s APK, as referenced in the researchers’ post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

In Response to “Explanation of the ownership, governance, and relationship between Trustor, Measurement Systems and Packet Forensics Global, specifically focusing on how the documented actions by other Vostrom Holdings organizations such as Measurement Systems impact TrustCor and its operations.

To what extent does TrustCor today maintain a business relationship or share ownership/corporate officers with Measurement Systems or Packet Forensics?”:

TrustCor does not have or maintain any business relationship or share any officers or ownership with Measurement Systems or Packet Forensics, or any other defense company. The documented actions and reports do not impact TrustCor’s CA operations in any way. Furthermore, any shareholders would not have any control over our CA operations (as enforced by our exclusion agreement), and any misbehaviour of organizations or individuals external to us are a result of their choices and do not have an impact on our operations.

In Response to “If Trustcore today does not maintain a business relationship or share ownership/corporate officers, has it done so in the past? If so, when? When was the relationship dissolved?”:

Unknown until just recently by any employee officers of TrustCor, we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals. Even though we shared a common group of investment funds, we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access-to or being controlled by or influenced from any third-party, investors, equity-holders, or anyone other than TrustCor’s CA Approving Officers and employees. To the best of our knowledge (and our focused investigation) there is not and has never been shared ownership with any defense company or any USA company. This common group of investors with Measurement Systems S de RL. had already dissolved mid 2021, before these recent claims were publicized, meaning as a natural course of business and not as a reaction to any claims or adverse events. In 2021 TrustCor ownership was transferred from the initial investors/founders to the employees of TrustCor. The legal process has been very gradual and certainly slow, particularly due to the protracted treatment and recent death of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago.

In Response to “What in general explains the shared corporate officers across the companies?”:

The initial investors/founders of both holding companies were known to each other and decided to diversify their investments across multiple companies and in multiple territories, which is apparently a common investment practice. They are strictly passive investors, other than Ian Abramowitz.

In Response to “Do you have separate corporate registration documentation demonstrating that the TrustCor CA is a different organization than the Trustcor entity that shares corporate officers with Measurements Systems. If so, please provide it.”:

(from above) The legal process has been very gradual and certainly slow, particularly due to the protracted treatment and recent death of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago. As soon as it completes we will be happy to share the public records, but we cannot control how long it takes various attorneys to consider changes upon death, etc. Obviously Ian’s name is on many records already publicized and searching for his name allows anyone to see his memorial web site from June 2022 (but he had been in treatment for a while) and other public records of this kind. Since its inception in 2013, TrustCor’s CA business unit has been completely insulated and protected from any shareholders through its exclusion agreement, which separates equity ownership from access-to or control-over the CA business unit.

In Response to “State the number of SMIME certificates whose private keys were stored in versions of the MsgSafe app which included the identified malware. State TrustCor CA’s plan for those certificates; e.g. timeline for revoking them.”:

No private keys were ever stored on the MsgSafe mobile application, including in the unreleased BETA version referenced by the researchers. Therefore, we do not see any reason to revoke any of the S/MIME certificates issued within the timeframe that the MsgSafe Beta mobile app was in circulation. In addition, all of TrustCor’s S/MIME certificates are issued with a validity period equal to 365 days or less. Any S/MIME certificates issued to MsgSafe users throughout the timeframe of the BETA app would all have expired and become invalid a very long time ago.

In Response to “Self-assessment of risk versus benefit of the TrustCor CA’s root certificates being included in Mozilla’s root store with the web sites (TLS) and email (S/MIME) trust bits enabled. Please see https://wiki.mozilla.org/CA/Quantifying_Value for the information to be provided.”:

We have provided the CA-Quantifying Value Statement as a separate document, attached.

In Response to “Statement of Auditor’s Qualifications, as explained here: https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications”:

TrustCor’s WebTrust audit is performed by Princeton Audit Group, Inc. (“PAG”), with the accreditation found here: https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

PAG’s lead auditor is Vijay Khosla and PAG’s team of auditors hold CISA and CISM certifications and relevant in-house training. Average years of experience, in trust services or similar information systems, for the audit team includes 34 years in IT Audits, 10 years in SOC 1,2,3 reporting, 5 years in SOX, 10 years in WebTrust Audits. Skills include: over 10 years in: IT and Infrastructure Audit, SDLC and Risk Assessment; Data Center Audits; Encryption training; Cost Accounting Experience; Physical Security; Network Security; and Cloud Computing.
Credentials include: CPA, CISA, CISM, AICPA, CPA Canada. PAG audit team members are bound by law to comply with requirements applicable to their respective qualifications and also as required for e.g. AICPA, CISA, CISM and CPA Canada. As of TrustCor’s 2021 audit period, PAG does not rely on any third-party consultants or affiliate audit firms.

In Response to the concerns and questions from the researchers’ post as specifically referenced by Kathleen, included in-line below:

In Response to “There is significant evidence that Measurement Systems and TrustCor are closely linked: Both had their domains registered by Vostrom Holdings. (as illustrated in this post by AppCensus on the basis of whois lookups)”:

Upon further investigation into our domains and with further information from our legal team, we have found that TrustCor acquired the DecoyMail system decades ago as the basis of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an incredibly sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the software’s web interface which triggers a backend domain-registration ‘register’ mechanism that is pointed to an API or registrar account. In the early days of the long transition and upgrading (porting to a different programming language) of the software from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the software was still pointed to the same registrar account of the previous owner, which owned many other domains including other unrelated DecoyMail customer domains and also domains of the registrar account owner. Even still, it was not even a corporate/wholesale account, it was a personal account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years, when it was introduced as MsgSafe.io as shown here: https://trustcor.com/files/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we’re not even sure they were all migrated — some DecoyMail customers did not transition their accounts entirely and some lookalike domains weren’t recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

In Response to “They have the same corporate officers: Measurement Systems, Trustcor Systems”:

This observation is incorrect since the investment/holding companies in question were already dissolved in 2021. We have explained our restructuring (above) and cannot speak on the subject of the other company because we do not know them. It is worth noting that the media’s coverage does not indicate who is the beneficial owner of Measurement Systems.

The reporting and public records merely indicate that an individual affiliated with a defense company (investor or former employee) may also be an investor in one or both of the funds/holding companies and therefore potentially was at some time an investor in our company through an investment in another company. The researchers’ conclusions that the journalists further expound are confusing the facts. For example, if it holds that any “investor” in one company (making them an “affiliate” of that company) who is also an “investor” in another company links the two companies together as affiliates, and then even when one of those two companies further invests in a third company (one step removed), basically most companies and even CAs come into question due to the suggested transitive property. Also conflated by the researchers and media is the point about American companies bearing similar (not exactly the same) names to those of the funds/holding companies in question. We are not now and never were owned by any American company with any names similar to those identified by the researchers. We do not have any idea what those companies are or what their purpose is, but they are not affiliated with our company or anyone known to us. Our business was formed in Panama over 9 years ago and any forms filed in the past few years pointing to an American or similarly-named company were not executed by us or affiliated with us in any way.

In Response to “TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK. (Beta APK, inspected by Joel and signed by Google)”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out help from third-party software services to achieve better app analytics. We are aware that they evaluated other SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time throughout this process where they integrated additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive web site containing MsgSafe’s APK, as referenced in the researchers’ post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

In Response to “The MsgSafe product relies in part on SMIME certificates issued by TrustCor (MsgSafe Website)”:

MsgSafe.io is both a product and a business, operated separately and independently from TrustCor CA, albeit owned by TrustCor. MsgSafe.io integrates with TrustCor’s S/MIME certificate API for issuance of S/MIME certificates, just like any other CA customer of TrustCor would do. In addition, MsgSafe.io also allows customers to bring their own S/MIME certificates (so not all of MsgSafe users’ certificates are generated by TrustCor CA).

———————————

In Response to Ryan’s (Google) concerns, offering further clarification as requested:

In Response to “Coincidence #1 Audit Irregularities”:

TrustCor uses Princeton Audit Group (PAG) as its auditor.
According to CCADB records, PAG does not audit any other publicly-trusted CAs.

It is not within our company’s purview to choose which auditors are licensed or approved to perform the required WebTrust audits. We simply follow the root program and CA/B guidelines and select from the published list. Our founders originally called and spoke with many of the auditors on the published list at the time and have used the same one ever since because, as I’m sure you’ve seen with other program members, once you have an auditor it is easier and more cost effective to continue using the same one year after year. The list is published here and as you can see our auditor remains an approved auditor (PAG was on the list since before our company was founded and still is today). If there is a compelling reason you or any root program manager has to select another auditor, we’re certainly open to changing if that is required, and it appears as though the list is now much longer almost ten years after we first had to choose.

https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

TrustCor’s most recent audit statements ([Standard] and [BR – TLS]) describe CA operations in Toronto, Ontario, Canada.
PAG is listed as a licensed practitioner only in the United States.
TrustCor’s CPS indicates the data centers are located in Phoenix.
Although the management assertion references Phoenix, PAG’s attestation does not.

As you mentioned, it was included in the management’s assertion and it appears to be a clerical error that PAG’s attestation did not also include the location of TrustCor’s data centers specifically, but we did confirm with our auditor that this will be included in PAG’s 2022 attestation. In addition, under 5.1.1 Site Location and Construction of TrustCor’s CPS, we also state that TrustCor CA’s data centers are located in Phoenix, Arizona, USA, which are visited and audited annually.

Beyond [1], [2] and [3] we found little public information specific to audits performed by PAG.

It is not within our company’s purview to choose which auditors are licensed or approved to perform the required WebTrust audits. We simply follow the root program and CA/B guidelines and select from the published list. Our founders originally called and spoke with many of the auditors on the published list at the time and have used the same one ever since because, as I’m sure you’ve seen with other program members, once you have an auditor it is easier and more cost effective to continue using the same one year after year. The list is published here and as you can see our auditor remains an approved auditor (PAG was on the list since before our company was founded and still is today). If there is a compelling reason you or any root program manager has to select another auditor, we’re certainly open to changing if that is required, and it appears as though the list is now much longer almost ten years after we first had to choose.

https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

In Response to “Coincidence #2 WIPO Complaint”:

This page summarizes a 2018 complaint filed with the WIPO Arbitration and Mediation Center against Trustcor Systems S. De R.L. by Compagnie Générale des Etablissements Michelin, owner of BFGOODRICH.
The complaint cites concerns related to TrustCor registering bfgoodrichpromotions.net and the risk of a related phishing scheme due to the registration and corresponding email servers configured on the disputed domain name.
Ultimately, the Panel found TrustCor’s passive holding of the disputed domain name indicated “bad faith”. Furthermore, the Panel also found that TrustCor’s failure to respond to the Complainant’s cease-and-desist letters was an additional circumstance evidencing TrustCor’s “bad faith”.
This type of behavior is consistent with that described by Joel Reardon here (see discussion beginning with “Another interesting issue is that whois records list Wylie Swanson as the registrant for a number of domains that closely mimic other encrypted email products [26]).
We’ve independently confirmed the domain registrations described above were once registered as indicated by Joel.

The bfgoodrichpromotions.net complaint was not related to TrustCor CA’s services or products but to MsgSafe.io’s privacy-focused email service. Unfortunately, free or low-cost email service providers are often abused by phishing, ransomware, and other abuse because they lend to privacy and anonymity and because of how easily bad actors can obtain them. For example, bfgoodrichpromotions.net was registered by a user who signed up for MsgSafe.io’s service with, and had their email forwarding to, their Gmail account. In 2018, MsgSafe.io’s support team indeed didn’t address this event in a timely manner due to being overwhelmed by the high volume of abuse occurring at that time. As a result, MsgSafe.io implemented several abuse-reducing solutions, dramatically reducing the success of bad actors on the platform, and has since added support team members to respond in a timely manner to all support tickets.

To quote Ryan, “TrustCor’s service offering should not be considered a reflection of the service, or TrustCor, itself.”

———————————

In Response to Ryan’s (Google) Additional Observations:

TrustCor owns msgsafe.io, a privacy-focused webmail platform that appears to be common across ransomware attacks (examples [4], [5] and [6]).

In Response to “Bad actors’ use of TrustCor’s service offering should not be considered a reflection of the service, or TrustCor, itself. However, we’re interested to understand actions TrustCor has taken against the addresses represented in the attacks described above, and others that may have been reported in the past. While TrustCor’s responses to known instances of abuse are not directly related to its status as a trusted CA, they are often interpreted as an indication of TrustCor’s commitment to upholding security and privacy on the web.”:

There is a distinct segment available for privacy-focused individuals that need private and anonymous email services. This is why services such as [name suppressed for politeness], MsgSafe.io and others are always in demand. Unfortunately, these privacy-focused services, and frankly all free or low-cost email service providers, are often used by ransomware developers due to how they lend to privacy and anonymity, and how easily they can be obtained. (examples of gmail being the most common across ransomware attacks [1], [2]).

With that being said, we take spam/phishing very seriously and MsgSafe has a zero tolerance policy, as clearly stated in its Terms and Conditions [3], once we are aware of the services being used for malicious intentions. In the examples of the email addresses used in the ransomware attacks referenced by Ryan, none of those were brought to our attention through our normal support/abuse ticketing system, and if they had been we would have shut down the accounts immediately. Since becoming aware of these cases, we can confirm that all 3 of those accounts have been terminated as of 2022-11-15 for being in violation of MsgSafe’s Terms and Conditions.

Another “leader move” in innovation for us worth noting along these lines is that we have implemented a fully-automated account closure system for the most egregious abuses where we believe a human-in-the-loop is not necessary, such as spam (also a policy violation). You cannot effectively send high volume phishing or spam through MsgSafe using a combination of automated account creation and/or high volume message-sending due to built-in rate limiting; however, we took an additional step to check continuously for receive-rate abuses when spammers send mail through another high volume spam sending system such as Gmail and use a MsgSafe.io email as their reply-to address or in their return-path. When that rate-limit is reached (indicating they didn’t spam through us, but still violated our policy since a MsgSafe email address was used as a component of sending spam through someone else), our automated system closes their account for policy violation and automatically begins returning a helpful and informative error message the next time someone sends to their MsgSafe.io account, letting everyone involved (victims, account holders or friends) know their account was closed due to abuse.

Certificate Issuance

We studied TrustCor’s TLS server certificate issuance and did no longer get signs of mis-issuance or definite violations of the Baseline Requirements.
We acknowledged that ~35% of the dnsNames represented in the certificates issued by TrustCor had been publicly accessible at the time of evaluation, and fully 59% of those served TrustCor-issued Certificates.
Intently studying issuance patterns, most TrustCor-issued certificates had been issued to the following domains:ddns.procure,hopto.org,sytes.procure,zapto.org,myddns.me,servebeer.com,myftp.organdserve///http.com.
We would internet anticipated a substantially broader operate of publicly accessible domains, nonetheless right here’s no longer intended to particular wrongdoing by TrustCor.

In Response to “Certificate Issuance” factors:

TrustCor is not any longer aware of and works diligently to be definite there are no longer any mis-issuances or violations of the Baseline requirements. Most of the “dnsNames” represented are inaccessible because at that moment they aren’t currently online (doubtlessly dynamic dns working accura tely), or had been accounts, or had been proactively shutdown for any quantity of reasons. Given this the 59% quantity would be correct, nonetheless the 35% quantity is not any longer basically indicative of anything.

We internet got innovated and lead the market in the adoption of TLS server certificate issuance for one of many longest-running and most beneficial dynamic DNS products and services worldwide and the definite affect this hunch has made can no longer be overstated. Dynamic DNS products and services are a serious side of house-based mostly entirely mostly IoT and “deepest cloud” solutions which internet a dramatic and vital definite affect on deepest privateness and safety. Quite than sending all of your files to the cloud, dynamic DNS products and services allow customers to self-host their video cameras, files storage and IoT house automation solutions in their house or minute industry, to toughen their privateness and safety. Till our partnerships on this attach of living, obtaining server certificates that operate properly with these deepest house programs relying upon dynamic DNS was elusive, complex to put into effect, and therefore the market was fully underserved.

———————————

In Response to Clint’s (Apple) concerns, providing additional clarification as requested:

Observations:

The “Primary Market / Customer Base” field for TrustCor in CCADB indicates “TrustCor develops privacy protection services and issues certificates to its customers in support of such services.”

This seems to indicate that certificate issuance is not the core of their business, but rather augmentative thereto. However, looking at their website http://www.trustcorsystems.com/ (which redirects to https://trustcor.com/), there is little indication, and nothing predominantly represented, of services or products other than TLS and S/MIME certificate issuance.

In Response to “Especially in light of the report which began this thread and other observations shared since, this rather benign-seeming observation then prompts the question: What are the privacy protection services these certificates are being issued in support of?”:

TrustCor is the parent company of TrustCor CA and MsgSafe.io. Certificate issuance is core to the business of TrustCor. MsgSafe.io is a privacy protection service. In relation to the certificate services that TrustCor provides MsgSafe.io, MsgSafe.io acts like a customer of TrustCor, leveraging TrustCor’s API to request S/MIME certificates for their customers in support of MsgSafe’s email services. TrustCor, and the associated website, predominantly promotes TrustCor’s CA business and efforts, while the MsgSafe.io business separately markets and promotes itself. MsgSafe.io is an example of privacy protection services.

In Response to: “Where is the Ontario Headquarters of TrustCor, as referenced by the corpus of audit statements representing TrustCor? Looking at Ontario Business Records, it also appears that TrustCor Systems S. de R.L. (the corporation listed on their audits) “ceased activity in Ontario” on December 31, 2016. There are other registered entities with the TrustCor name, but these other registered companies appear to be unrelated to TrustCor CA.”:

TrustCor’s Ontario Headquarters address was previously located at 7270 Woodbine Avenue, Suite 308 Markham ON L3R 4B9 Canada. When Ian’s health began to decline, and given that Ian, Ryan and I were the only Canadian employees, and our technical team were centrally located to our data centre locations, we chose a remote-work structure in Canada. While the Canadian filings ended in 2016, we still maintain personnel, a secure storage facility, and we have always maintained a constant mailing address in Ontario where the public can contact the TrustCor Policy Authority in writing for policy related enquiries and this is the same address printed on TrustCor’s letterhead and within our CPS documents.

To directly address and assuage the public’s concern, we will replace the word “Headquarters” with “Address” in future documentation.

In the interest of transparency, we have additional storage, meeting space, and technical operations (supporting full time employees) in Phoenix, AZ, which is an audited location where our equipment and IT process controls are reviewed annually.

—————————————

To address Joel’s (University of Calgary/AppCensus) concerns,

In Response to: “Along with investigative journalists at the Wall Street Journal, we found that Vostrom Holdings is doing business as Packet Forensics [6], a company that sells lawful-intercept products [7].”:

We won’t comment on the activity of another company, as any comment would be purely our speculation.

In Response to: “The Measurement Systems company was also registered in Virginia [8] by “Raymond Alan Saulino”, which was then made inactive when Google took action against the SDK [9].”:

We won’t comment on the activity of another company, as any comment would be purely our speculation.

In Response to: “Raymond A Saulino” is also an officer for Packet Forensics Global LLC [10] and despite the middle name not being an exact match, they both list the same residential address [11, 12].”:

We won’t comment on the activity of another company or individual, as any comment would be purely our speculation.

In Response to: “Domains were registered by Vostrom: Among the domains stood out: trustcor.co which redirected at the time to the TrustCor CA’s website. The NS records continue to indicate nsX.msgsafe.io [14], the same as trustcor.com itself [15]. Msgsafe is a TrustCor encrypted email product [16].”:

Upon further investigation into our domains and with additional information from our legal team, we have found that TrustCor acquired the DecoyMail system decades ago as the foundation of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an incredibly sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the application’s web interface which triggers a backend domain-registration ‘register’ mechanism that is pointed to an API or registrar account. In the early days of the long transition and upgrading (porting to a new programming language) of the application from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the application was still pointed to the same registrar account of the previous owner which owned many other domains including other unrelated DecoyMail customer domains and also domains of the registrar account owner. Even still, it was not even a corporate/wholesale account, it was a personal account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years when it was announced as MsgSafe.io as shown here: https://trustcor.com/news/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we’re not even certain they were all migrated — some DecoyMail customers did not transition their accounts completely and some lookalike domains weren’t recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

All domains registered through msgsafe (such as trustcor.co and also trustcor.com), and any domain brought to msgsafe using the bring-your-own-domain feature would contain msgsafe.io name server records that indicate either nsX.msgsafe.io or nsX.dnsimple.com, which are synonymous, hosted at the same IP address, and are operated by DNSimple.

In Response to: “Like Measurement Systems, Trustcor is also registered in Panama [17]. They were registered a month apart and they share an identical set of corporate officers”:

Unknown until just recently by any employee officers of TrustCor, we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals. Even though we shared a common group of investment funds, we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access to or being controlled by or influenced from any third-party, investors, equity-holders, or anyone other than TrustCor’s CA Approving Officers and employees. To the best of our knowledge (and our focused investigation) there is not and has never been shared ownership with any defense company or any USA company. This common group of investors with Measurement Systems S de RL. had already dissolved mid 2021, before these recent claims were publicized, meaning as a natural course of business and not as a reaction to any claims or adverse events. In 2021 TrustCor ownership was transferred from the initial investors/founders to the employees of TrustCor. The legal process has been very gradual and indeed slow, particularly due to the protracted treatment and recent passing of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago.

In Response to: “One of those officers is Frigate Bay Holdings LLC [18]. Shortly after the WSJ article was published, a “Raymond Saulino” filed forms for Frigate Bay Holdings LLC listed as its manager [19]. Raymond Saulino has also spoken to press publicly on behalf of Packet Forensics.”:

We are not now, and never were, owned by any American company with any names such as those identified by the researchers. We do not have any idea what those companies are or what their purpose is, but they aren’t affiliated with our company or anyone known to us. Our business was formed in Panama over 9 years ago and any forms filed this year were not executed by our company. Our lawyer has advised us not to discuss the subtle differences in names, spelling, dates of incorporation, or legal territories in which corporate entities were formed, as litigation is a possible outcome of this publication.

In Response to: “Trustcor also talks about their “geo-jurisdiction advantage” on an entire page [21] where they state that “TrustCor is a Panamanian registered company, with technical operations based in Curaçao—one of the most secure, privacy oriented jurisdictions in the world.” Despite that, they have job openings for PKI Engineer and Systems Engineering in Phoenix, AZ [22, 23], the latter stating that the applicant “MUST be located near the Phoenix, AZ area – job is remote with occasional trips to data center facilities”. Their own audit reports state that they are Canadian, with their data centres in Phoenix, AZ [24]. I am not particularly bothered by where they have their technical operations, but I think that it’s interesting to omit that the data centres are in Arizona in the long descriptions of the “geo-jurisdiction advantage”. Certificate authorities are about trust.”:

We note that most CAs don’t publicly state the locations of their CA data centre location on the home page of their marketing websites. The part of our business which operates the encrypted email product and stores secure customer content, MsgSafe, has technical operations based in Curaçao (hence the “geo-jurisdiction advantage”) whereas the CA business unit has data facilities located in Arizona. In the interest of trust and transparency, to be clear, TrustCor’s CA business unit does not perform key escrow services and therefore does not store customer private keys, as stated in our CPS.

In Response to: “I have also tested the Msgsafe encrypted email product in the browser, while saving the resulting traffic using Firefox and Chrome’s “save to HAR” file option. I am not satisfied there is E2E encryption or that Msgsafe cannot read users’ emails. I see that email contents and attachments are sent plaintext (over TLS) to api.msgsafe.io even when sending to other Msgsafe users or when using PGP or SMIME to send to non-Msgsafe users. The SMIME cert is sent inbound from the server, and there is no outbound traffic that contains the public key to be signed. The password is sent plaintext to the server (over TLS) and thus any key derived from that password would also be known by the server. Hanlon’s razor tells me I should not attribute these errors to malice; it may just be a developmental failure [25]. However, I think it’s a reasonable expectation that a root certificate authority can get the crypto right, and so I am concerned regardless of the reason.”:

MsgSafe.io’s platform can be used in a number of ways, including using the email forwarding features and not using the web-based interface at all. It is extremely difficult to speculate what you experienced or tested without comprehensive knowledge of the account configuration, forwarding addresses, user identities and contacts, and their associated GPG and S/MIME certificates.

As far as you not believing the product is providing enough encryption capabilities, let me first say that I do not want to drag the names of any other encryption services or products through the mud. To address your concerns, based on our team’s exhaustive review of many other providers offering similar services, one general rule applies; whether the encryption or decryption capabilities are happening on the client (usually in javascript) or on the server, the server is still storing and handling the key material in the process. Our implementation is one of two commonly used by secure messaging services and chosen for a few reasons. If encryption happens on the client then the key material is passed from the server to the browser over TLS. If the encryption happens on the server then the message is transferred from the client to the server over TLS, then encrypted. As the MsgSafe website explains, our team has found that implementing the key material and encryption/decryption processing on the server provides security without the additional processing requirement on the client. One of the benefits of this implementation is that it allows slower/older devices (phones) to use our mobile-first web experience (since, as we previously mentioned, we abandoned development of a mobile app, which would have performed the encryption/decryption process on the mobile phone), while also supporting desktop users. To be clear, at no point is data passed in the clear while using the service, it is either encrypted with the user key material or encrypted with industry-standard TLS.

Many MsgSafe.io users never experience sending or receiving mail using the web browser, meaning you’re only looking at one implementation of the service that is probably the least used.

Needless to say we will accept the possibility of a weakness in MsgSafe.io‘s user interface, we take such reports very seriously, but we would be surprised to find that to be the case here. If you still have questions or doubts, we request that you please file a bug report with MsgSafe.io directly through their customer support channels.

It is also important to note that MsgSafe.io and TrustCor’s CA do not share development resources or infrastructure and are completely different lines of business.

In Response to: “Another interesting issue is that whois records list Wylie Swanson as the registrant for a number of domains that closely mimic other encrypted email products [26]. This includes hushemail.net, protonmails.com and tutanoto.com, which shadow competing services, and which redirect users who visit them to msgsafe.io. Wylie Swanson is the co-founder of Trustcor [27]. In my view, it looks like typo squatting and I wouldn’t expect a root certificate authority to be engaged in this kind of behaviour.”:

When the domains were registered, it was also common for advertisers to purchase Google search keywords of their competitors as part of their SEO marketing. At the time, it was perceived as a low-cost way for a small start-up email service to direct a very small amount of traffic to MsgSafe.io’s new privacy-focused email services. It was not an attempt to deceive users in any way — users very clearly understood where they had been directed. It is not the company’s stance or best practice to register domains similar to competitors, it only took place with a small number of domains, and did not occur again after 2016.

In Response to: “A final twist of fate: one of Msgsafe’s email domains is decoymail.com which Msgsafe users can request and which redirects to msgsafe.io [28]. In 2014 it was registered to VOSTROM Holdings, Inc., while in 2015 it was registered to TRUSTCOR SYSTEMS S. de R.L. [29]. DecoyMail was a company created by Rodney Joffe [30], who is the same person that also filed the original registration of Packet Forensics [31] and was still an authorized agent for Packet Forensics in a 2019 filing [32] and a Manager for Packet Forensics in a 2021 filing [33]. The email rjo…@centergate.com is linked to the domains rodneyjoffe.com, packetforensics.com and decoymail.net [34]. Decoymail.net currently redirects to msgsafe.io.”:

It is public knowledge that TrustCor acquired the DecoyMail system decades ago as the foundation of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an incredibly sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the application’s web interface which triggers a backend domain-registration ‘register’ mechanism that is pointed to an API or registrar account. In the early days of the long transition and upgrading (porting to a new programming language) of the application from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the application was still pointed to the same registrar account of the previous owner which owned many other domains including other unrelated DecoyMail customer domains and also domains of the registrar account owner. Even still, it was not even a corporate/wholesale account, it was a personal account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years when it was announced as MsgSafe.io as shown here: https://trustcor.com/news/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we’re not even certain they were all migrated — some DecoyMail customers did not transition their accounts completely and some lookalike domains weren’t recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

—————————————

To address Serge’s (Berkeley/AppCensus) concerns,

In Response to: “Why did MsgSafe appear to bundle an unobfuscated version of this SDK in their app? How was it obtained, if as Rachel says, they have nothing to do with the company that is spreading it? According to her email, they do not have a public app; someone should probably report that to their social media person…”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out help from third party software services to achieve better app analytics. We are aware that they evaluated other SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time throughout this process where they incorporated additional software developers to help with the issues we were dealing with. Whether or not the SDK was added for a developer’s own financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app obtained an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

TC_CA-Quantifying_Value_Statement.pdf

TC_Wylie_Letter_Attach.pdf

A143A9A0-CC51-41E5-9EFC-9B9009AD35ED[1].png
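Joel’s HAR test quoted in the reply above and the reply’s own description of server-side encryption both come down to one observable question: which message fields reach the provider’s API in readable form, TLS aside. As an added example (not code from the thread, from TrustCor or from MsgSafe), here is a small inspector you can run over a HAR captured from your own browser session; the HAR below is constructed, api.example-mail.test is a placeholder host, and the sensitive field names and the ciphertext heuristic are assumptions.

```python
"""Inspect a browser HAR capture for message fields an API server can read.

Added example, not code from the thread. The HAR is constructed and
api.example-mail.test is a placeholder host, not a real service.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Field names that, when they arrive as readable text in a request body, show the
# server sees the secret or the message content (assumption: typical API names).
SENSITIVE_KEYS = {"password", "passphrase", "subject", "body", "attachment", "private_key"}

# Heuristic for "already encrypted on the client": PGP armor or a long base64 blob.
PGP_ARMOR = re.compile(r"^-----BEGIN PGP MESSAGE-----")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")


@dataclass(frozen=True)
class Finding:
    url: str
    field: str      # leaf key name, e.g. "password"
    preview: str    # first characters of the value, enough to recognise it


def looks_encrypted(value: str) -> bool:
    return bool(PGP_ARMOR.match(value) or BASE64_BLOB.match(value))


def walk(obj, path=""):
    """Yield (dotted_key, string_value) pairs from arbitrarily nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def body_fields(post):
    """Decode a HAR postData object (JSON, form-encoded or params) into (key, value) pairs."""
    mime = post.get("mimeType", "")
    text = post.get("text", "")
    if "json" in mime:
        try:
            return list(walk(json.loads(text)))
        except json.JSONDecodeError:
            return []
    if "x-www-form-urlencoded" in mime:
        return [(k, v) for k, vs in parse_qs(text).items() for v in vs]
    return [(p["name"], p["value"]) for p in post.get("params", [])]


def analyze_har(har_text: str, api_host: str) -> list[Finding]:
    """Return sensitive fields that reach api_host in readable form.

    A hit means the server can read that field; TLS protects it only in transit.
    """
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if urlparse(req["url"]).hostname != api_host or "postData" not in req:
            continue
        for key, value in body_fields(req["postData"]):
            leaf = key.rsplit(".", 1)[-1].lower()
            if leaf in SENSITIVE_KEYS and not looks_encrypted(value):
                findings.append(Finding(req["url"], leaf, value[:16]))
    return findings


def _entry(method, url, payload=None, status=200):
    """Build one constructed HAR entry."""
    req = {"method": method, "url": url}
    if payload is not None:
        req["postData"] = {"mimeType": "application/json", "text": json.dumps(payload)}
    return {"request": req, "response": {"status": status}}


# Constructed capture: a login, a plaintext message, a client-encrypted (PGP) message
# and an unrelated static asset fetch.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("POST", "https://api.example-mail.test/v1/login",
           {"username": "alice", "password": "correct horse battery"}),
    _entry("POST", "https://api.example-mail.test/v1/messages",
           {"to": "bob@example-mail.test", "subject": "lunch", "body": "noon?"}),
    _entry("POST", "https://api.example-mail.test/v1/messages",
           {"to": "bob@example-mail.test",
            "body": "-----BEGIN PGP MESSAGE-----\nhQEMA...\n-----END PGP MESSAGE-----"}),
    _entry("GET", "https://cdn.example-mail.test/app.js"),
]}})


if __name__ == "__main__":
    for f in analyze_har(SAMPLE_HAR, "api.example-mail.test"):
        print(f"{f.url}: field '{f.field}' readable by server ({f.preview!r})")
```

A flagged field only shows the server can read it; an empty result does not by itself prove end-to-end encryption, since the key material may still be delivered by the server, as the reply itself describes.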

Watson Ladd

unread,

Nov 18, 2022, 11:05:24 PM

to Rachel McPherson, MDSP, Clint Wilson, Ryan Dickson, Kathleen Wilson, joel.r…@ucalgary.ca, Serge Egelman

On Fri, Nov 18, 2022 at 2:14 PM Rachel McPherson <rac…@trustcor.ca> wrote:

Kathleen, Ryan, Clint and the rest of the community:

I was reminded by a few of you that this is a large public forum with non-CA-operators and non-browser/platform-developers present, and that people have a lot of interest in these topics but not always the same level of experience or familiarity with the CA operations and root CA program guidelines or technical knowhow as the intended audience. Therefore let me start by saying THANK YOU to my fellow CA/B Forum members and members of the wider community for reminding me of that, and personally thank you to those of you that have sent very kind and thoughtful, supportive emails (you know who you are). I have enjoyed working with many of you for many years and your positive messages were very meaningful and heartfelt. Given the publicity of this forum, I will do my best to respect people by not constantly using their names or calling out other root program member organizations as examples, even when it would be helpful to do so. Instead I will ask you to take that aspect into consideration in my response. Also, I will use “our company” when speaking of TrustCor (the CA operator) and MsgSafe (the email service). I will use “the researchers” when speaking about Serge Egelman, Joel Reardon, their commercial enterprise AppCensus, or the universities for which they work (University of California, Berkeley and the University of Calgary, respectively).

It is critical readers understand we have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or process, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things. It is also important to understand TrustCor operates a certificate authority (TrustCor CA) which provides CA services secure and insulated by an exclusion agreement, and TrustCor operates a privacy-enhancing communications service (MsgSafe.io) as two distinct business units.

My “I am not accused of misissuance” t-shirt is raising questions answered by my t-shirt.

I will do my best to succinctly respond to the questions and concerns from the root program representatives first, and then for the readers wanting additional detail, I will provide more context in the sections below the most pertinent information of my response. I have also attached a memo from Wylie who wanted to be heard as part of this process. For those of you who want to cover (journalism) the topic, thank you in advance for considering the entire message and attachments before you write anything or before you call us, please.

———————————

In Response to Kathleen's (Mozilla) concerns, offering further clarification as requested:

In Response to "How was an unobfuscated version of the Measurement Systems SDK integrated into MsgSafe?":

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe's BETA mobile app, our developers sought out help from third-party software services to achieve better app analytics. We are aware that they evaluated other SDKs and tools like Firebase, Bugsnag, etc., but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time throughout this process where they integrated additional software developers to help with the issues we were dealing with. Whether or not the SDK was added for a developer's own financial gain or otherwise is beyond us and we don't care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an "unobfuscated version" of the SDK? It is not our place to speculate, but it only makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe's APK, as referenced in the researcher's post, is over 3 years old. It should come as no surprise that the software found there doesn't match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn't even notice subtle changes like this because it is not our practice to reverse engineer other companies' software and violate license agreements.

In Response to "Explanation of the ownership, governance, and relationship between TrustCor, Measurement Systems and Packet Forensics Global, specifically focusing on how the documented actions by other Vostrom Holdings organizations such as Measurement Systems affect TrustCor and its operations.

To what extent does TrustCor today maintain a business relationship or share ownership/corporate officers with Measurement Systems or Packet Forensics?":

TrustCor does not have or maintain any business relationship or share any officers or ownership with Measurement Systems or Packet Forensics, or any other defense company. The documented actions and opinions do not affect TrustCor's CA operations in any way. Furthermore, any shareholders would not have any control over our CA operations (as enforced by our exclusion agreement), and any misbehaviour of organizations or individuals external to us is a result of their choices and does not have an effect on our operations.

In Response to "If Trustcor today does not maintain a business relationship or share ownership/corporate officers, has it done so in the past? If so, when? When was the relationship dissolved?":

Unknown until just recently by any employee officers of TrustCor, we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals. Even though we shared a common group of investment funds, we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access to or being controlled by or influenced from any third party, investors, equity-holders, or anyone other than TrustCor's CA Approving Officers and employees. To the best of our knowledge (and our focused investigation) there is not and has never been shared ownership with any defense company or any USA company. This common group of investors with Measurement Systems S de RL had already dissolved in mid 2021, before these recent claims were publicized, meaning as a natural course of business and not as a reaction to any claims or adverse events. In 2021 TrustCor ownership was transferred from the initial investors/founders to the employees of TrustCor. The legal process has been very step-by-step and certainly slow, especially due to the protracted treatment and recent death of one key founder, Ian Abramowitz. Nonetheless, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago.

I do not understand how "having a group of investors in common" is the same as "there is not and has never been shared ownership with any defense company or USA company". Could you explain the corporate structure and ownership of all major investors as well as shared officers among all entities?

In Response to "What in general explains the shared corporate officers across the companies?":

The initial investors/founders of both holding companies were known to each other and decided to diversify their investments across multiple companies and in multiple territories, which is apparently a common investment practice. They are strictly passive investors, other than Ian Abramowitz.

This answer does not make sense to me. If the investors and founders were engaged in a diversification transaction, and that led to shared corporate officers, that wouldn't be "passive" as commonly understood, e.g. as per SEC guidance in https://www.sec.gov/corpfin/divisionscorpfinguidancereg13d-interphtm#103.11. Would it be possible to share a comprehensive list of dramatis personae?

In Response to "Do you have separate corporate registration documentation demonstrating that the TrustCor CA is a distinct organization from the Trustcor entity that shares corporate officers with Measurement Systems? If so, please provide it.":

(from above) The legal process has been very step-by-step and certainly slow, especially due to the protracted treatment and recent death of one key founder, Ian Abramowitz. Nonetheless, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago. As soon as it completes we will be happy to share the public records, but we cannot control how long it takes various attorneys to handle changes upon death, etc. Obviously Ian's name is on many records already publicized, and searching for his name allows anyone to see his memorial website from June 2022 (but he had been in treatment for a while) and other public records of this kind. Since its inception in 2013, TrustCor's CA business unit has been fully insulated and secure from any shareholders through its exclusion agreement, which separates equity ownership from access to or control over the CA business unit.

Is this agreement along with articles of incorporation something you can share? It appears from your answer that these weren't separate entities until just recently: could you confirm that every step in the change of control was properly reflected in the CCADB?

In Response to "State the number of SMIME certificates whose private keys were stored in versions of the MsgSafe app which included the said malware. State TrustCor CA's plan for those certificates; e.g. timeline for revoking them.":

No private keys were ever stored on the MsgSafe mobile application, including in the unreleased BETA version referenced by the researchers. As a result, we do not see any reason to revoke any of the S/MIME certificates issued within the timeframe that the MsgSafe Beta mobile app was in circulation. In addition, all of TrustCor's S/MIME certificates are issued with a validity period equal to 365 days or less. Any S/MIME certificates issued to MsgSafe customers throughout the timeframe of the BETA app would all have expired and become invalid a very long time ago.

In Response to "Self-assessment of risk versus benefit of the TrustCor CA's root certificates being included in Mozilla's root store with the secure websites (TLS) and email (S/MIME) trust bits enabled. Please see https://wiki.mozilla.org/CA/Quantifying_Value for the information to be provided.":

We have provided the CA Quantifying Value Statement as a separate document, attached.

We will discuss this document in detail: I found it highly superficial and believe that major elements of the questions weren't answered.

In Response to "Statement of Auditor's Qualifications, as explained here: https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications":

TrustCor's WebTrust audit is performed by Princeton Audit Group, Inc. ("PAG"), with the accreditation found here: https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

PAG's lead auditor is Vijay Khosla and PAG's team of auditors hold CISA and CISM certifications and relevant in-house training. Average years of experience, in trust services or similar information systems, for the audit team includes 34 years in IT Audits, 10 years in SOC 1,2,3 reporting, 5 years in SOX, 10 years in WebTrust Audits. Qualifications include: over 10 years in: IT and Infrastructure Audit, SDLC and Risk Assessment; Data Center Audits; Encryption training; Cost Accounting Experience; Physical Security; Network Security; and Cloud Computing.
Credentials include: CPA, CISA, CISM, AICPA, CPA Canada. PAG audit team members are bound by law to comply with standards applicable to their respective qualifications and also as required for e.g. AICPA, CISA, CISM and CPA Canada. As of TrustCor's 2021 audit period, PAG does not rely on any third-party consultants or affiliate audit firms.

PAG appears to have audited only TrustCor among CAs. I unfortunately could not find a history of the audits: has TrustCor always used PAG? Does TrustCor have a plan to rotate auditors, as is consistent with financial best practices?

Responses to the concerns and questions from the researcher's post, as specifically referenced by Kathleen, are included in-line below:

In Response to "There is substantial evidence that Measurement Systems and TrustCor are closely linked: Both had their domains registered by Vostrom Holdings. (as illustrated in this post by AppCensus on the basis of whois lookups)":

Upon further investigation into our domains and with further information from our legal team, we have found that TrustCor acquired the DecoyMail system decades ago as the basis of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an extremely sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the software's web interface, which triggers a backend domain-registration 'register' mechanism that is pointed to an API or registrar account. In the early days of the long transition and upgrading (porting to a different programming language) of the software from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the software was still pointed to the same registrar account of the previous owner, which owned many other domains including other unrelated DecoyMail customer domains and also domains of the registrar account owner. Even still, it was not even a corporate/wholesale account; it was a private account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years, when it was announced as MsgSafe.io as shown here: https://trustcor.com/files/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we are not even certain they were all migrated: some DecoyMail customers did not transition their accounts entirely and some lookalike domains weren't recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

Are you saying that the Measurement Systems and TrustCor domains were both registered through Decoy Mail?

In Response to "They have identical corporate officers: Measurement Systems, Trustcor Systems":

This statement is incorrect since the investment/holding companies in question were already dissolved in 2021. We have explained our restructuring (above) and cannot speak on the subject of another company because we do not know them. It is worth noting that the media's coverage does not state who is the beneficial owner of Measurement Systems.

2021 was last year. I can recall events from last year with some degree of reliability. Surely it is possible to disclose who the owners of the company were last year and the transactions that changed it.

The reporting and public records merely state that an individual affiliated with a defense company (investor or former employee) may also be an investor in one or both of the funds/holding companies and therefore possibly was at some time an investor in our company through an investment in another company.

Most companies are capable of presenting an accurate list of their stockholders, and reaching through their holding companies if on good terms. Is it not possible to fully disclose the ownership of those linked companies?

The researchers' conclusions that the journalists further expound are confusing the facts. For instance, if it holds that any "investor" in one company (making them an "affiliate" of that company) who is also affiliated as an "investor" in another company links the two companies together as affiliates, and then even when one of those two companies further invests in a third company (one step removed), essentially most companies and even CAs come into question due to the suggested transitive property. Also conflated by the researchers and media is the point about American companies bearing similar (not exactly the same) names to those of the funds/holding companies in question. We are not now and never were owned by any American company with any names similar to those identified by the researchers. We do not have any idea what those companies are or what their purpose is, but they are not affiliated with our company or anyone known to us. Our business was formed in Panama over 9 years ago and any forms filed in the past few years, pointing to an American or similarly named company, were not done by us or affiliated with us in any way.

In Response to "TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK. (Beta APK, inspected by Joel and signed by Google)":

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe's BETA mobile app, our developers sought out help from third-party software services to achieve better app analytics. We are aware that they evaluated other SDKs and tools like Firebase, Bugsnag, etc., but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time throughout this process where they integrated additional software developers to help with the issues we were dealing with. Whether or not the SDK was added for a developer's own financial gain or otherwise is beyond us and we don't care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

This appears to state that

* TrustCor operated MsgSafe

* TrustCor did not apply the same standards to MsgSafe development as it would to its core CA services, or did.

Either way the conclusion would be that TrustCor is unable to exert effective control over the development process or is blithe to reputational risks from associated business activity.

As far as how the MsgSafe mobile app got an "unobfuscated version" of the SDK? It is not our place to speculate, but it only makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe's APK, as referenced in the researcher's post, is over 3 years old. It should come as no surprise that the software found there doesn't match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn't even notice subtle changes like this because it is not our practice to reverse engineer other companies' software and violate license agreements.

In Response to "The MsgSafe product depends in part on SMIME certificates issued by TrustCor (MsgSafe Website)":

MsgSafe.io is both a product and a business, operated separately and independently from TrustCor CA, albeit owned by TrustCor. MsgSafe.io integrates with TrustCor's S/MIME certificate API for issuance of S/MIME certificates, just like any other CA customer of TrustCor would do. In addition, MsgSafe.io also allows customers to bring their own S/MIME certificates (so not all MsgSafe users' certificates are generated by TrustCor CA).

———————————

In Response to Ryan's (Google) concerns, offering further clarification as requested:

In Response to "Coincidence #1 Audit Irregularities":

TrustCor uses Princeton Audit Group (PAG) as its auditor.
According to CCADB records, PAG does not audit any other publicly-trusted CAs.

It is not within our company's purview to decide which auditors are licensed or approved to perform the required WebTrust audits. We merely follow the root program and CA/B guidelines and pick from the published list. Our founders originally called and spoke with many of the auditors on the published list at the time and have used the same one ever since because, as I'm sure you've seen with other program members, once you have an auditor it is easier and more cost effective to continue using the same one year after year. The list is published here and as you can see our auditor remains an approved auditor (PAG was on the list since before our company was founded and still is today). If there is a compelling reason you or any root program manager has to pick another auditor, we are certainly open to changing if that is required, and it appears as though the list is now far longer, almost ten years after we first had to choose.

Using the same auditor for 10 years, regardless of how ethical, introduces risks of excessive chumminess and normalization of deviance. I would consider it a reasonable change to CA/B guidelines to require rotation just as SOX does for audits of public companies. Nonetheless, it is notable that TrustCor management did not consider this in its choice of auditors.

https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

TrustCor's most recent audit statements ([Standard] and [BR – TLS]) describe CA operations in Toronto, Ontario, Canada.
PAG is listed as a licensed practitioner only in the United States.
TrustCor's CPS indicates the data centers are located in Phoenix.
Although the management assertion references Phoenix, PAG's attestation does not.

As you mentioned, it was included in the management's assertion and it appears to be a clerical error that PAG's attestation did not also include the location of TrustCor's data centers specifically, but we did confirm with our auditor that this will be included in PAG's 2022 attestation. In addition, under 5.1.1 Site Location and Construction of TrustCor's CPS, we also state that TrustCor CA's data centers are located in Phoenix, Arizona, USA, which are visited and audited yearly.

Beyond [1], [2] and [3] we found little public information specific to audits performed by PAG.

It is not within our company's purview to decide which auditors are licensed or approved to perform the required WebTrust audits. We merely follow the root program and CA/B guidelines and pick from the published list. Our founders originally called and spoke with many of the auditors on the published list at the time and have used the same one ever since because, as I'm sure you've seen with other program members, once you have an auditor it is easier and more cost effective to continue using the same one year after year. The list is published here and as you can see our auditor remains an approved auditor (PAG was on the list since before our company was founded and still is today). If there is a compelling reason you or any root program manager has to pick another auditor, we are certainly open to changing if that is required, and it appears as though the list is now far longer, almost ten years after we first had to choose.

https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international

In Response to "Coincidence #2 WIPO Complaint":

This page summarizes a 2018 complaint filed with the WIPO Arbitration and Mediation Center against Trustcor Systems S. De R.L. by Compagnie Générale des Etablissements Michelin, owner of BFGOODRICH.
The complaint cites concerns related to TrustCor registering bfgoodrichpromotions.secure and the risk of a related phishing scheme due to the registration and corresponding email servers configured on the disputed domain name.
Ultimately, the Panel found TrustCor's passive holding of the disputed domain name indicated "bad faith". Furthermore, the Panel also found that TrustCor's failure to respond to the Complainant's cease-and-desist letters was an additional circumstance evidencing TrustCor's "bad faith".
This type of behavior is consistent with that described by Joel Reardon here (see discussion beginning with "Another interesting thing is that whois records list Wylie Swanson as the registrant for a number of domains that closely mimic other encrypted email products [26]).
We've independently confirmed the domain registrations described above were once registered as indicated by Joel.

The bfgoodrichpromotions.secure complaint was not related to TrustCor CA's services or products but to MsgSafe.io's privacy-focused email service. Unfortunately, free or low-cost email service providers are commonly abused for phishing, ransomware, and other abuse because they lend themselves to privacy and anonymity and because of how easily bad actors can create them. For instance, bfgoodrichpromotions.secure was registered by a user who signed up for MsgSafe.io's service with, and had their email forwarding to, their Gmail account. In 2018, MsgSafe.io's support team indeed did not handle this event in a timely manner due to being overwhelmed by the high volume of abuse happening at that time. As a consequence, MsgSafe.io implemented several abuse-reduction measures, dramatically reducing the success of bad actors on the platform, and has since added support team members to respond in a timely manner to all support tickets.

To quote Ryan, "TrustCor's service offering should not be considered a representation of the service, or TrustCor, itself."

Would you care to address the rest of Ryan's sentence?

I do have questions: could you explain the possible existence of a US entity employing the persons in Phoenix, Arizona, and its relation to the entities in Canada and Panama? In general I think it is difficult for foreign companies to directly employ people across borders, and they commonly set up a local entity wholly owned by the parent to engage in such activities.

—————————————

To address Joel's (University of Calgary/AppCensus) concerns,

In Response to: "Along with investigative journalists at the Wall Street Journal, we found that Vostrom Holdings is doing business as Packet Forensics [6], a company that sells lawful-intercept products [7].":

We won't comment on the activity of another company, as any comment would be purely our speculation.

Could you explain the relationship between Vostrom Holdings and TrustCor, both now and in the past?

In Response to: "The Measurement Systems company was also registered in Virginia [8] by "Raymond Alan Saulino", which was then made inactive when Google took action against the SDK [9].":

We won't comment on the activity of another company, as any comment would be purely our speculation.

In Response to: ""Raymond A Saulino" is also an officer for Packet Forensics Global LLC [10] and despite the middle name not being an exact match, they both list the same residential address [11, 12].":

We won't comment on the activity of another company or individual, as any comment would be purely our speculation.

In Response to: "Domains were registered by Vostrom: One of the domains stood out: trustcor.co, which redirected at the time to the TrustCor CA's website. The NS records continue to show nsX.msgsafe.io [14], the same as trustcor.com itself [15]. Msgsafe is a TrustCor encrypted email product [16].":

Upon further investigation into our domains and with further information from our legal team, we have found that TrustCor acquired the DecoyMail system decades ago as the basis of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an extremely sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the software's web interface, which triggers a backend domain-registration 'register' mechanism that is pointed to an API or registrar account. In the early days of the long transition and upgrading (porting to a different programming language) of the software from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the software was still pointed to the same registrar account of the previous owner, which owned many other domains including other unrelated DecoyMail customer domains and also domains of the registrar account owner. Even still, it was not even a corporate/wholesale account; it was a private account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years, when it was announced as MsgSafe.io as shown here: https://trustcor.com/files/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we are not even certain they were all migrated: some DecoyMail customers did not transition their accounts entirely and some lookalike domains weren't recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

All domains registered through msgsafe (such as trustcor.co and also trustcor.com), and any domain brought to msgsafe using the bring-your-own-domain feature, would contain msgsafe.io name server records that show either nsX.msgsafe.io or nsX.dnsimple.com, which are synonymous, hosted at the same IP address, and operated by DNSimple.

In Response to: “Enjoy Measurement Programs, Trustcor is furthermore registered in Panama [17]. They had beenregistered a month apart they on occasion allotment an an identical operate of corporate officers”:

Unknown till neutral nowadays by any employee officers of TrustCor we and Measurement Programs S de RL had on the total a community of traders who represented funds (teams of corporations and different funds), no longer folk. Even despite the fact that we shared a total community of funding funds, now we internet always operated our industry independently of any different firm and internet exclusion provisions in attach of living to guard the CA industry from having fetch entry to-to or being controlled by or influenced from any third-occasion, traders, equity-holders, or any individual different than TrustCor’s CA Approving Officers and workers. To basically the most efficient of our files (and our focused investigation) there may possibly be not any longer and has never been shared possession with any defense firm or any USA firm. This total community of traders with Measurement Programs S de RL. had already dissolved mid 2021, before these most recent claims had been publicized, which manner as a pure course of industry and no longer as a reaction to any claims or adversarial occasions. In 2021 TrustCor possession was transferred from the preliminary traders/founders to the workers of TrustCor. The apt course of has been very step-by-step and undoubtedly gradual, notably due to the protracted remedy and most recent dying of 1 key founder, Ian Abramowitz. Nonetheless, it’s underway and irreversible, and the total funding automobile was dissolved over a 365 days in the past.

You notify “employee officers”. What operate of corporate officers is that this? Why is it relevant to your ability to provide files on the connection of those entities that the officers in seek files from, who undoubtedly realized that they had been doing the job at two different corporations, weren’t workers?

In Response to: “One of those officers is Frigate Bay Maintaining LLC [18]. Shortly afterthe WSJ article was printed, a “Raymond Saulino” filed kinds for Frigate BayHoldings LLC listed as its supervisor [19]. Raymond Saulino has furthermore spoken to presspublicly on behalf of Packet Forensics.”:

We’re no longer now, and never were, owned by any American firm with any names akin to those identified by the researchers. We would no longer internet any thought what those corporations are or what are their purpose, nonetheless they aren’t affiliated with our firm or any individual known to us.Our industry was formed in Panama over 9 years in the past and any kinds filed this 365 days was no longer executed by our firm. Our lawyer has instructed us no longer to narrate the refined variations in names, spelling, dates of incorporation, or apt territories wherein corporate entities had been formed, as litigation is a skill final consequence of this publication.

I brand being from Canada you may possibly well furthermore neutral no longer be accustomed to US libel law. I point out you fetch a lawyer who’s before you brandy spherical threats care for this.

In Response to: "Trustcor also talks about their "geo-jurisdiction advantage" on a whole page [21] where they state that "TrustCor is a Panamanian registered company, with technical operations based in Curaçao—one of the most secure, privacy oriented jurisdictions in the world." Despite that, they have job openings for PKI Engineer and Systems Engineering in Phoenix, AZ [22, 23], the latter stating that the applicant "MUST be located near the Phoenix, AZ location – job is remote with occasional trips to data center facilities". Their own audit reports state that they are Canadian, with their data centres in Phoenix, AZ [24]. I am not particularly worried by where they have their technical operations, but I think that it is interesting to leave out that the data centres are in Arizona in the lengthy descriptions of the "geo-jurisdiction advantage". Certificate authorities are about trust.":

We find that most CAs do not publicly disclose the locations of their CA data centres on the home page of their marketing websites. The side of our business which operates the encrypted email product and stores secure customer content, MsgSafe, has technical operations based in Curaçao (hence the "geo-jurisdiction advantage"), whereas the CA business unit has data facilities located in Arizona. In the interest of trust and transparency, to be clear, TrustCor's CA business unit does not perform key escrow services and therefore does not store customer private keys, as stated in our CPS.

Let me spell out my understanding based on what has been said so far.

TrustCor CA is a company in Canada, wholly owned and operated by TrustCor, a Panamanian company operating in a money laundering haven with weak rule of law. TrustCor also owns MsgSafe, which it operates in Curacao. But TrustCor CA is not really averse to locating business operations in the US, a country which along with Canada has a functioning and trusted court system. So why exactly should I trust TrustCor with the security of every site on the Internet? What's wrong with Canada or Arizona? Why Panama?

Along with the reluctance to disclose funding and owners, I can think of some answers to this question, none of which are particularly encouraging for my trust in TrustCor.

In Response to: "I have also tested the Msgsafe encrypted email product in the browser, while saving the resulting traffic using Firefox and Chrome's "save to HAR" file option. I am not convinced there is E2E encryption or that Msgsafe cannot read users' emails. I observe that email contents and attachments are sent plaintext (over TLS) to api.msgsafe.io even when sending to other Msgsafe users or when using PGP or SMIME to send to non-Msgsafe users. The SMIME cert is sent inbound from the server, and there is no outbound traffic that contains the public key to be signed. The password is sent plaintext to the server (over TLS) and thus any key derived from that password would also be known by the server. Hanlon's razor tells me I should not attribute these errors to malice; it may just be a developmental failure [25]. Nevertheless, I think it is a reasonable expectation that a root certificate authority can get the crypto right, and so I am concerned regardless of the reason.":

MsgSafe.io's platform may also be used in a number of ways, including using the email forwarding features and not using the web-based interface at all. It is very difficult to speculate about what you experienced or tested without comprehensive knowledge of the account configuration, forwarding addresses, user identities and contacts, and their associated GPG and S/MIME certificates.

As far as you not believing the product is providing sufficient encryption capabilities, let me first say that I do not wish to drag the names of any other encryption services or products through the mud. To address your concerns, based on our team's exhaustive analysis of many alternative providers offering similar services, one general rule applies: whether the encryption or decryption operations are happening on the client (typically in javascript) or on the server, the server is still storing and handling the key material in the process. Our implementation is one of two commonly used by secure messaging services and was chosen for several reasons. If encryption happens on the client then the key material is passed from the server to the browser over TLS. If the encryption happens on the server then the message is transferred from the client to the server over TLS, then encrypted. As the MsgSafe website explains, our team has found that implementing the key material and encryption/decryption processing on the server provides security without the additional processing requirement on the client. One of the benefits of this implementation is that it allows slower/older devices (phones) to use our mobile-first web experience (since, as we previously stated, we abandoned development of a mobile app, which would have performed the encryption/decryption process on the mobile phone), while also supporting desktop users. To be clear, at no point is data passed in the clear while using the service; it is either encrypted with the user key material or encrypted with industry-standard TLS.

Many MsgSafe.io customers never send or receive mail using the web browser, meaning you are only looking at one implementation of the service, which is probably the least used.

Needless to say, we accept the possibility of a weakness in MsgSafe.io's user interface, and we take such reports very seriously, but we would be surprised to find that to be the case here. If you still have questions or doubts, we ask that you please file a bug report with MsgSafe.io directly through their customer support channels.

It is also important to note that MsgSafe.io and TrustCor's CA do not share development resources or infrastructure and are entirely different lines of business.

In Response to: "Another interesting issue is that whois data lists Wylie Swanson as the registrant for a number of domains that closely mimic other encrypted email products [26]. This includes hushemail.net, protonmails.com and tutanoto.com, which shadow competing services, and which redirect users who visit them to msgsafe.io. Wylie Swanson is the co-founder of Trustcor [27]. In my opinion, it looks like typo squatting and I wouldn't expect a root certificate authority to be engaged in this kind of behaviour.":

When the domains were registered, it was also common for advertisers to buy Google search keywords of their competitors as part of their SEO marketing.

This is not really relevant to typosquatting.

At the time, it was perceived as a low-cost way for a small start-up email service to direct a very small amount of traffic to MsgSafe.io's new privacy-focused email services.

It was not an attempt to deceive users in any way — users very clearly understood where they had been directed. It is not the company's stance or best practice to register domains similar to competitors; it only took place with a small number of domains, and did not happen again after 2016.

The redirect is still up, as are the registrations. It is 2022, quite a while after 2016.

In Response to: "A final coincidence: one of Msgsafe's email domains is decoymail.com, which Msgsafe users can request and which redirects to msgsafe.io [28]. In 2014 it was registered to VOSTROM Holdings, Inc., while in 2015 it was registered to TRUSTCOR SYSTEMS S. de R.L. [29]. DecoyMail was a company created by Rodney Joffe [30], who is the same person that also filed the original registration of Packet Forensics [31] and was still an authorized agent for Packet Forensics in a 2019 filing [32] and a Manager for Packet Forensics in a 2021 filing [33]. The email rjo…@centergate.com is linked to the domains rodneyjoffe.com, packetforensics.com and decoymail.net [34]. Decoymail.net currently redirects to msgsafe.io.":

It is public knowledge that TrustCor acquired the DecoyMail system years ago as the basis of our MsgSafe.io product and service. First available in October 2000 (over 22 years ago), the DecoyMail product (and its successor, our MsgSafe.io) is an incredibly sophisticated and sufficiently complex system with many components. A single component of MsgSafe.io allows domains to be very easily purchased through the application's web interface, which triggers a backend domain-registration 'register' mechanism that is pointed at an API or registrar account. In the early days of the long transition and upgrading (porting to a different programming language) of the application from the DecoyMail service to the MsgSafe.io service (which took years), these domains were registered while the application was still pointed at the same registrar account of the previous owner, which held many other domains, including unrelated DecoyMail customer domains and also domains of the registrar account owner. Even so, it was not even a corporate/wholesale account; it was a personal account with a variety of domains held by one of the original DecoyMail shareholders. The platform was not formally relaunched for several years, when it was announced as MsgSafe.io as shown here: //trustcor.com/files/12012016.php. Even after relaunching it, several more years passed before all domains were migrated to the production registrar, DNSimple, and we are not even sure they were all migrated — some DecoyMail customers did not transition their accounts entirely and some lookalike domains were not recognized because they were lookalikes or homoglyphs and not critical to the company branding or functionality.

—————————————

To address Serge's (Berkeley/AppCensus) concerns,

In Response to: "Why did MsgSafe appear to bundle an unobfuscated version of this SDK in their app? How was it obtained, if as Rachel says, they have nothing to do with the company that is distributing it? According to her email, they do not have a public app; someone should probably report that to their social media person…":

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that during the development stages of MsgSafe's BETA mobile app, our developers sought out help from third party software services to obtain better app analytics. We are aware that they evaluated different SDKs and tools like Firebase, Bugsnag, etc., but they claimed these did not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer's personal financial gain or otherwise is beyond us and we don't care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app obtained an "unobfuscated version" of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe's APK, as referenced in the researcher's post, is over 3 years old. It should come as no surprise that the software found there doesn't match up exactly with the software found in apps they reported about in April 2022. Our developers probably didn't even notice subtle changes like this because it is not our practice to reverse engineer other companies' software and violate license agreements.

In the end let me note that the general evasiveness, thinly veiled legal threats, and contemptuous attitude this whole email contains have convinced me that TrustCor does not have the right attitude for a CA. Rather than openly share information to assuage the community and rebuild that most precious and fragile substance of human relationships, trust, Rachel has chosen to obfuscate, feign ignorance and give partial answers to some very serious questions.

Sincerely,

Watson Ladd

The stars and the gradual death
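The disagreement above comes down to one testable question: what can the server decrypt with what it holds? Joel's observation is that the password reaches the server, so any key derived from it is known to the server; TrustCor's reply is that the key material and the encryption run on the server and that TLS covers the transfer. The Python below is an added example written for this page, not code from MsgSafe, TrustCor or any poster. It models both designs side by side with the same key derivation and a toy cipher; the PBKDF2 parameters, the two label strings and the HMAC keystream are demo assumptions, not MsgSafe's real design.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Demo parameters (constructed; not MsgSafe's real design or values).
PBKDF2_ITERATIONS = 100_000


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte master key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def split_keys(master: bytes):
    """Derive two independent sub-keys from the master key: the content key
    (never leaves the client in the E2E model) and the login key."""
    enc_key = hmac.new(master, b"content-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master, b"login-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher built from HMAC-SHA256 (demo only, not for
    production). XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def e2e_client_upload(password: str, message: bytes) -> Dict[str, object]:
    """Client-side model: the client derives the keys, encrypts locally and
    uploads only ciphertext plus a one-way login verifier. Returns the
    server's view of the account."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, auth_key = split_keys(derive_master_key(password, salt))
    return {
        "salt": salt,
        "nonce": nonce,
        "ciphertext": keystream_xor(enc_key, nonce, message),
        # The server stores a hash of auth_key; enc_key cannot be derived from it.
        "login_verifier": hashlib.sha256(auth_key).hexdigest(),
    }


def server_side_upload(password: str, message: bytes) -> Dict[str, object]:
    """Server-side model (the design TrustCor describes): password and plaintext
    both cross the wire inside TLS, and the server derives the key and encrypts.
    TLS ends at the server, so whether it keeps the password or only the derived
    key, its view contains everything needed to read the message later."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, _ = split_keys(derive_master_key(password, salt))
    return {
        "salt": salt,
        "nonce": nonce,
        "password_seen": password,
        "ciphertext": keystream_xor(enc_key, nonce, message),
    }


def what_server_can_read(view: Dict[str, object]) -> Optional[bytes]:
    """Decrypt using only what the server holds. None means the server (or
    anyone who compromises it) lacks the key material to read the message."""
    if "password_seen" not in view:
        return None
    enc_key, _ = split_keys(derive_master_key(view["password_seen"], view["salt"]))
    return keystream_xor(enc_key, view["nonce"], view["ciphertext"])


def client_read(password: str, view: Dict[str, object]) -> bytes:
    """The legitimate user can decrypt in either model."""
    enc_key, _ = split_keys(derive_master_key(password, view["salt"]))
    return keystream_xor(enc_key, view["nonce"], view["ciphertext"])


def verify_login(password: str, view: Dict[str, object]) -> bool:
    """E2E-model login: the client sends auth_key (not the password); the
    server hashes it and compares with the stored verifier."""
    _, auth_key = split_keys(derive_master_key(password, view["salt"]))
    presented = hashlib.sha256(auth_key).hexdigest()
    return hmac.compare_digest(presented, view["login_verifier"])
```

Both models leave the stored message "encrypted with the user key material", which is the phrasing in the reply above; the difference is that in the client-side model the server's view holds only ciphertext and a one-way verifier, while in the server-side model the key is recomputable from what the server received, so a server compromise or a compelled operator reads everything. That recomputability, not the presence of TLS, is what the HAR-based test in the thread is probing.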

Prof. Reardon

Nov 19, 2022, 2:59:52 AM

to dev-secur…@mozilla.org, watso…@gmail.com, MDSP, cli…@apple.com, ryand…@google.com, kwi…@mozilla.com, Prof. Reardon, ege…@cs.berkeley.edu, rac…@trustcor.ca

Hey:

I want to thank TrustCor for their detailed response and for taking my concerns
seriously, as well as for the cordial tone of their response. Please correct me if I
am wrong, but from my understanding there appears to be nothing in what I
presented to this forum that is being disputed as false or imagined.
TrustCor holds that some of what I presented is old or not current
information, and some is considered irrelevant information or a coincidence. I
infer from this that TrustCor generally agrees with me that the concerns I
raised were indeed legitimate and worth the attention and scrutiny of this
community. Please correct me if this is not the case.

Thanks,
Joel Reardon

Prof. Reardon

Nov 19, 2022, 5:03:44 AM

to dev-secure…@mozilla.org; Reardon, Watso…@gmail.com, MDSP, Cli…@apple.com, Ryand…@google.com, Kwi…@mozilla.com, Ege…@cs.berkeley.edu, rac…@trustcor.ca

Hey again:

I need to make a very important correction to the citations and their juxtaposition in the original posting. In writing:

"One of those officers is Frigate Bay Holding LLC [18]. Shortly after
the WSJ article was published, a "Raymond Saulino" filed forms for Frigate Bay
Holdings LLC listed as its manager [19]"

I had intended to write:

"One of those officers is Frigate Bay Holding LLC [17]. Shortly after
the WSJ article was published, a "Raymond Saulino" filed forms for Frigate Bay
Holdings LLC [18] listed as its manager [19]"

I have attached the original file, the corrected file, and a diff.

Joel Reardon

diff:

@@ -31,9 +31,9 @@ Enjoy Measurement Programs, Trustcor is furthermore registered in Panama [17]. They had been

registered a month apart they on occasion allotment an an identical operate of corporate officers

(cf. [1]). It’s miles my thought that these officers fully are provocative on three
corporations, so it would not seem that they register, e.g., many corporations in

-Panama.  One of those officers is Frigate Bay Maintaining LLC [18]. Shortly after
+Panama.  One of those officers is Frigate Bay Maintaining LLC [17]. Shortly after

the WSJ article was printed, a “Raymond Saulino” filed kinds for Frigate Bay

-Holdings LLC listed as its supervisor [19]. Raymond Saulino has furthermore spoken to press
+Holdings LLC [18] listed as its supervisor [19]. Raymond Saulino has furthermore spoken to press

publicly on behalf of Packet Forensics in the context of a Wired article about
subverting SSL [20].
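Review bot: the two renumberings are consistent with the correction stated in the email, but the hunk does not touch the reference list, so the list itself needs checking: [17] must now be the corporate-officer record for "Frigate Bay Maintaining LLC" and [18] the Frigate Bay Holdings LLC filing, with [19] (left unchanged by the diff) still the filing that names the manager. If the list was not renumbered alongside, the lines `+Panama.  One of those officers is Frigate Bay Maintaining LLC [17].` and `+Holdings LLC [18] listed as its supervisor [19].` point at the wrong sources, which is the same class of error the correction is fixing.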

Prof. Reardon

Nov 20, 2022, 6:54:21 PM

to dev-secure…@mozilla.org; Reardon, Watso…@gmail.com, MDSP, Cli…@apple.com, Ryand…@google.com, Kwi…@mozilla.com, Ege…@cs.berkeley.edu, rac…@trustcor.ca

I have listed some of the public audits I have found here [1] and Mozilla
also has them listed here [2]. What I've found is that in the standard and BR
audits for 2018, 2019, 2020, and 2021, as well as the code signing audits for
2020 and 2021, their auditor consistently describes the CA's "Certification
Authority (CA) operations at Toronto, Ontario, Canada". Based on what I've
learned from this thread (please correct me if I am wrong) TrustCor was not a
Canadian company during this time and did not have a place of business in Canada.
This is ten different audits over four years.

Regarding the SDK, I agree that speculating why it was included is neither
helpful nor useful. It should be possible to get a better understanding of
how it was included. For instance, source code version control history and
commit messages may give some context. According to reporting by the Wall
Street Journal, who interviewed app makers who included this SDK,
"Several developers said Measurement Systems required them to sign
nondisclosure agreements." [3] As well, the code is not available for download but
was sent to developers who agreed to include it. This was indeed some years ago,
and I agree that the method of delivery, etc., may have changed. However,
if such emails or other communications are available to you, they may help
clarify the context around how this SDK was obtained.

[1] //pages.cpsc.ucalgary.ca/~joel.reardon/trustcor/
[2] //bugzilla.mozilla.org/show_bug.cgi?id=1801504
[3] //archive.ph/AuNOy

Serge Egelman

Nov 21, 2022, 12:56:19 AM

to Prof. Reardon, dev-secur…@mozilla.org, watso…@gmail.com, cli…@apple.com, ryand…@google.com, kwi…@mozilla.com, rac…@trustcor.ca

Given that it has not yet been explained how the only known unobfuscated version of Measurement Systems' SDK made it into the MsgSafe app, I decided to spend a little more time exploring it. (Again, as background, this is an SDK that was found in MsgSafe's public beta of their Android app, which appeared to be available in the Play Store up until earlier this year.)

In the obfuscated version of the SDK, many string constants were encrypted and decrypted at runtime. However, in the version I found in MsgSafe's app, you can simply grep for all strings and skim over the

  • In coelib/c/couluslibrary/plugin/AK.smali:

    const-string v0, "…"
    return-object v0
.end method

.method sm()Ljava/lang/String;
    .locals 1
    const-string v0, "…"

If you concatenate these two strings together and base64 decode them, you get a certificate:

-----BEGIN CERTIFICATE-----
…k+CaX5w0rVd8J2J4YPSGwz8z2ZSLHLDqE9fVs9lsJSj9Y1jwlhlb
F2GHp5BR1AdyFRZJ8RTr6h9aeNV7aLwnz22/nG9R4VHnWi1sYOn+TcyfcEyFexSo
Eidn+j+DF/sCAwEAATANBgkqhkiG9w0BAQsFAAOCAgEAvaTM7F24EIlzRJW8nKp8
vwjZH4xkDZzSLyVmxR8nnB+EKauzB8KDLUCcJ4hh2hFqkmDwPqpxd8NG0/9uWSM6
L11J8jRTLoZ67hOa2aZoJA3n3msMkxPLXW/xmwpnsvFT5FD7/S89mT3a4E8kUtS0
b6Xnc+dWb8OLD8PFokgAT9TewYrJClJIZzp8Ak/J4AAqTszcyU2/YtMXBJT6S5HZ
vdznd0NyotCwLmsQvhvcb+pHgrrb9duSntUZYIZpKohQFJULimS2cl/5m7qOIzBR
e+AcxZD60MPkJq4z7GeOoXTPhqLnPfSuQGmDt7xPQM8vy76NHnFLvr0AoNx6KTUo
5jvRel/zI8liTOlwS0VqxuQuxrAMg78xa9eI4XerVHB9dnROBAStTZdVZoLnvdyS
GUzmFClfvZ1NJp7L7S3WDN3LCGEpvVMHr2Ql28p/kXjgGO/BpCOM44HxnBBWm9rZ
wY3f3XpX/ZFi9B4yGLWjG7yPWcoE2RuXohl18xod6ihSm5SPuwu2kczk3UTPP13X
8dIep3vILj7HQAGpTqYBv7D1Yu/Dp6ZhPuce8P3FefpwXB07h6eKPq7utLPnCh2J
gKm22MsHy+ROPn5/AmXkYwpyp42TNWp6oCqK90YJv3MIzDOAVqcgBbpupeAxBkuU
ZBrScQSop8uKBf8CdEVdtXo=
-----END CERTIFICATE-----

This certificate was issued by/to MsgSafe (it appears to be self-signed) and corresponds to an1.msgsafe.io. My presumption is that this is being used for certificate pinning. But it begs the question: why is a MsgSafe certificate hardcoded within Measurement Systems' SDK? This is, after all, compiled code presumably written by Measurement Systems and provided to MsgSafe.

  • In coelib/c/couluslibrary/plugin/En.smali:

    const-string v0, "Z3NhZmUuaW8vc3VydmV5Lw=="
    return-object v0
.end method

.method m()Ljava/lang/String;
    .locals 1
    const-string v0, "aHR0cHM6Ly9hbjEubXM="

The URL above is one of only three URLs that we have found hardcoded in this SDK (the others, "nav.telematicsdirect.com" and "nav2.telematicsdirect.com", appear to be used to identify the phone's public-facing IP). Both of the telematicsdirect.com hostnames were present in the obfuscated version of the SDK found in other apps. However, comparing the part of the code where MsgSafe's URL was found, the obfuscated version of the SDK had a different URL: //cell.measurelib.com/admire

This URL was the API endpoint to which the malware SDK was transmitting sensitive user data! Yet in the version of the SDK found in MsgSafe's app, the only known unobfuscated version of the SDK, it appears to be programmed to instead send data to MsgSafe's own servers! Why are MsgSafe's servers hardcoded to receive data from Measurement Systems' SDK? I am talking about compiled code that was almost certainly written by Measurement Systems.

Thanks,

serge

/*
Serge Egelman, Ph.D.
Research Director, Usable Security & Privacy
International Computer Science Institute (ICSI)
Research Scientist, Electrical Engineering and Computer Sciences (EECS)
University of California, Berkeley
*/

Rachel McPherson

Nov 21, 2022, 6:11:37 PM

to MDSP, Clint Wilson, Ryan Dickson, Kathleen Wilson, joel.r…@ucalgary.ca, Serge Egelman

Kathleen, Ryan, Clint and the rest of the community:

Again, we appreciate the opportunity to respond to these concerns.

Readers should take care to read our previous response (first) and all attachments in order to understand the full context of all subsequent replies and our subsequent responses.

As before, given the publicity of this forum, I will do my best to respect people by not repeatedly using their names or calling out other root program member organizations as examples, even when it would be useful to do so. Instead I will ask you to take that aspect into consideration in my response. Also, I will use "our company" when speaking of TrustCor (the CA operator) and MsgSafe (the email service). I will use "the researchers" when speaking about Serge Egelman, Joel Reardon, their commercial enterprise AppCensus, and the universities for which they work (University of California, Berkeley and the University of Calgary, respectively).

Again as a blanket statement, it is critical that readers understand we have never been accused of, and there is no evidence to suggest, that TrustCor violated conduct, policy, or procedure, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things. It is also important to understand that TrustCor operates a certificate authority (TrustCor CA) which provides CA services secured and insulated by an exclusion agreement, and TrustCor operates a privacy-enhancing communications service (MsgSafe.io), as two discrete business units.

In reading related reporting and blogging off-list, I need to address an elephant in the room. It seems it may come as a surprise to some readers that other root program members are in fact foreign governments, and some are also defense companies, or companies which are wholly owned by defense companies and/or state-owned enterprises, meaning "companies" that are entirely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have histories of tragic human rights violations.

We are none of those things and our company does not identify with those values.

I will respond below to the additional questions raised by the researchers.

—————————————

In Response to Joel's (University of Calgary/AppCensus) supplemental concerns,

In Response to "Please correct me if I am wrong, but from my understanding there appears to be nothing in what I presented to this forum that is being disputed as false or imagined." and "… generally agrees with me that the concerns I raised were indeed legitimate and worth the attention and scrutiny of this community.":

Professionally speaking, we are obliged to respond that there are elements of what Joel has stated, both in his report and in his supplemental statements, with which we disagree, which we would dispute, or which are factually incorrect. We won't ignore a blanket statement designed to confirm our assent, of which there have been several. However, now that I've made this point in response, I won't expound unnecessarily on this forum, in favour of responding constructively to Joel's supplemental points assuming they are of interest to the wider community.

In Response to "I have listed some of the public audits I have found here [1] and Mozilla also has them listed here [2]. What I've found is that in the standard and BR audits for 2018, 2019, 2020, and 2021, as well as the code signing audits for 2020 and 2021, their auditor consistently describes the CA's "Certification Authority (CA) operations at Toronto, Ontario, Canada". Based on what I've learned from this thread (please correct me if I am wrong) TrustCor was not a Canadian company during this time and did not have a place of business in Canada. This is ten different audits over four years.":

Prior context:

TrustCor's Ontario Headquarters address was previously located at 7270 Woodbine Avenue, Suite 308 Markham ON L3R 4B9 Canada. When Ian's health began to decline, and given that Ian, Ryan and I were the only Canadian employees, and our technical staff were located centrally to our data centre locations, we chose a remote-work arrangement in Canada. While the Canadian filings ended in 2016, we still retain personnel and a secure storage facility, and we have always maintained a consistent mailing address in Ontario where the public can contact the TrustCor Policy Authority in writing for policy related enquiries; this is the same address printed on TrustCor's letterhead and within our CPS documents.

Supplemental response:

Quoted from the WebTrust Illustrative Examination Reports Under SSAE 18 and SSAE 21, Version 2.0, Published 1 February 2022:

"All reports issued should list the state/province, and country of all physical locations of CA facilities that were included in the scope of the engagement. CA facilities may include data centre locations (primary and alternate sites), registration authority locations (for registration authority operations performed by the CA), and all other locations where general IT and business process controls that are relevant to CA operations in scope (including cloud and remote locations)."

Based on the requirements coming directly from WebTrust, we believe we are reporting accurately within the management's assertions. It still remains true that a good portion of our business process controls, relevant to the CA operations, are performed by key personnel from Canada. As previously stated, we have always disclosed both our Canadian and United States locations in our CPS document and management assertions.

In Response to “Relating to the SDK, I agree that speculating why it was included is neitherhelpful nor priceless. It’ll furthermore neutral unexcited be that you may possibly well well be furthermore mediate of to fetch the next thought ofhow it was included. For instance, supply code version maintain an eye on historical previous andcommit messages may possibly well furthermore neutral give some context. In step with reporting by the WallRoad Journal who interviewed app makers who included this SDK that“A lot of developers mentioned Measurement Programs required them to tracenondisclosure agreements.” [3] As neatly, the code is not any longer obtainable for acquire nonethelesswas ship to developers who agreed to contain it. This was indeed some years in the past,and I agree that the manner of transport, and lots of others., may possibly well furthermore neutral internet modified. Nonethelessif such emails or different communications come in to you it will furthermore neutral assistelucidate the context spherical how this SDK was got.“:

Prior context:

Our firm never published a production or supported version of the MsgSafe cell app containing the Measurement Programs SDK. Relative to the little population of Beta product-testers (which were largely our private workers) who chose to verify a Beta version of the app containing that SDK, I will add that all the most life like likely device thru the attain stages of MsgSafe’s BETA cell app, our developers sought out the assist from third occasion software products and services to accomplish better app analytics. We are mindful that they evaluated different SDKs and instruments care for Firebase, Bugsnag, and lots of others. nonetheless they claimed to no longer assist principal in troubleshooting and bettering the app efficiency across all software producers and OS variations. There was a time all the most life like likely device thru this course of where they integrated further software developers to assist with the points we had been dealing with. Whether or no longer the SDK was added for a developer’s private monetary produce or in every other case is beyond us and we don’t care to speculate. Again, the MsgSafe BETA cell app was never launched in a production supported version and has been abandoned for years, and we can confirm the cell-first web UI, which is the fully supported cell interface in-exhaust these days and for the previous few years, which would not possess any SDK from any individual.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It’s not our place to speculate, but it makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it’s not our practice to reverse engineer other companies’ software and violate license agreements.

Supplemental response:

Before my original reply, we had already completed an investigation related to this activity. Our software revision control system revealed immediately when the software was introduced and which developer introduced it. As I had previously stated, “… they brought in additional software developers to help with the issues we were dealing with.” The additional developers were contract developers. Also as I previously stated, “Whether or not the SDK was added for a developer’s personal monetary gain or otherwise is beyond us and we don’t care to speculate.” Our investigation found the developer in question properly signed our standard “Confidentiality Obligation and Invention Agreement” that requires any developer to obtain a corporate license to any third party software or intellectual property the developer chooses to include. We confirmed through corporate records and email searches that no such agreement was ever received by the company or company counsel. Also, none was included within the software/check-in to revision control. We also confirmed no approval for including this third-party software was ever received from Wylie (technically the supervisor of the developers at that time). Technically that individual developer violated our Confidentiality Obligation and Invention Agreement.

After we discussed this with legal counsel, their opinion was that a labor dispute over an agreement violation that took place over 3 years ago would be minimal/difficult to pursue, notably since the developer has not worked for the company in 3 years since native app development was abandoned in favor of our decision to focus on our mobile-first web application, which involves entirely different skillsets / personnel. Further, their opinion was that damages may not be readily provable because (as previously stated) the mobile app was never “released” or rather it was only provided for testing in a BETA form (that specifically admonished it was a beta and not supported) and used primarily by our own employees testing it. I realize the existence or proposition of this essentially unused beta software may have been a boon to AppCensus reporting and is of academic interest to the researchers, but our company sees no benefit to any legal or other pursuit on the subject of benefiting our customers, or any relying parties.

(more to come on this topic below in response to Serge)

—————————————

In Response to Serge’s (Berkeley/AppCensus) supplemental concerns,

In Response to “… I decided to spend a little bit more time exploring it … [many lines of technical details] … This certificate was issued by/to MsgSafe (it appears to be self-signed)”:

Prior context:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that during the development stages of MsgSafe’s BETA mobile app, our developers sought out the help of third party software products and services to achieve better app analytics. We are aware that they evaluated different SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were dealing with. Whether or not the SDK was added for a developer’s personal monetary gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It’s not our place to speculate, but it makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it’s not our practice to reverse engineer other companies’ software and violate license agreements.

Supplemental response:
Yes, we agree this certificate you found embedded within that software / SDK appears to be for “an1.msgsafe.io” and that it was NOT issued by TrustCor CA; it appears to be self-signed by either the developer who added it, or more likely the creator of the actual SDK. This is a strong indication TrustCor CA was not involved in the software / SDK. Given a legitimately-signed certificate could have been built in by MsgSafe.io’s own development team who could easily request it from TrustCor’s CA team, it is certainly proof that the TrustCor Certificate Authority was not involved in this piece of software or its temporary addition to MsgSafe.io. Further, it suggests this is likely an act of an individual developer, and not even the MsgSafe.io team being duped. We checked out all the URLs you provided in your supplement and can confirm TrustCor CA has not issued any of those certificates at any time, and those URLs are not otherwise known to us.

In Response to “… it appears to be programmed to instead send data to MsgSafe’s own servers! Why are MsgSafe’s servers hardcoded to receive data from Measurement Systems’ SDK?”:

We had previously performed a forensic investigation of the an1.msgsafe.io hostname you found, including its IP address history and the host itself, as well as the certificate search (which again came up clean because it was not issued by TrustCor CA or any legitimate CA as far as we can tell). The hostname you mentioned pointed to a Linux VM that had been provisioned by the same developer we discussed. We were able to recover from backup a copy of this VM and forensically analyze it. The only user was a generic administration account (presumably known by the developer) and the only customization beyond any standard VM configuration was a firewall configuration and the open port 443 that allowed traffic from anywhere. The only listener connected to port tcp/443 was a proxy program which appears to be this: https://github.com/kklis/proxy. The only version of the VM we were able to retrieve had no customizations to the configuration file, but it was set up using “systemd” so our conclusion was that the developer was likely redirecting the actual TCP stream elsewhere/offsite, and we confirmed the firewall configuration both on the host itself and the upstream router as far as the egress ACL/filter would have allowed this as long as he was sending it to any of tcp/443, tcp/8080, tcp/8181 or a few others. There is no indication the developer was “hosting” anything at MsgSafe.io beyond a simple redirector designed to send it elsewhere. There was no web server on this system and no certificates, so it was being redirected at the TCP level.

This above disagrees with your statement “… MsgSafe’s servers hardcoded to receive data …” where you intimate that our company is receiving the data. A fair characterization would be that a developer had set up a TCP proxy to send data elsewhere, but not necessarily to receive it. What you wrote is at best a mischaracterization, or probably another false claim because it can be forensically confirmed to be false.

Thank you all,

Rachel McPherson

VP of Operations

Kathleen Wilson

Nov 23, 2022, 12:02:16 AM

to dev-secur…@mozilla.org, rac…@trustcor.ca

All,

The discussion so far is appreciated and has been both informative and constructive. My post on November 8 indicated that if our concerns had not been resolved by today (November 22) and further investigation and discussion was still needed, that we would set the “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 29, 2022, for the 3 TrustCor root certificates. However, we would like to allow more time for any further discussion or external developments to transpire before sharing our intended course of action. We will continue our evaluation and share the main next steps on Wednesday, November 30.

Thanks,
Kathleen

Prof. Reardon

Nov 23, 2022, 12:57:46 AM

to dev-secur…@mozilla.org, kwi…@mozilla.com, rac…@trustcor.ca

Hi:

Thanks again for your answers to my questions and echoing Kathleen I also
appreciate the discussion.

I just wanted to maybe summarize a little of what I’ve learned from this so far so we
can make sure I haven’t misunderstood anything and let TrustCor correct
anything I am wrong about both for me and the community. Thus this list that
follows should be interpreted as “is it fair to say that … ?”, not
claims that I am making.

(i) The Panama open corporates records were correct in 2020 and earlier, but at
some point in 2021 have changed. The partners were CHIVALRIC HOLDING COMPANY,
LLC and FRIGATE BAY HOLDING, LLC. These are registered in Panama.

(ii) These companies are also partners for Measurement Systems S. De R. L.

(iii) The CHIVALRIC HOLDING COMPANY, LLC has no relation to the Chivalric Holding
Company LLC registered in New Mexico formed Sept 2020 dissolved June 2022 with
officer Vito Piacente, unless the relation is due to an attack against TrustCor.

(iv) The FRIGATE BAY HOLDING, LLC has no relation to Frigate Bay Holdings LLC
(the latter having an “s” in holdings and no comma) registered in Wyoming formed
Sept 2020 dissolved June 2022 with officer Vito Piacente and manager Raymond
Saulino, again unless the relation is due to an attack against TrustCor.

(v) Software produced by Measurement Systems was inserted by a rogue developer
into the Msgsafe app and that developer operated outside their authorization;
this inclusion was not sanctioned.

(vi) The Msgsafe website is implemented where essentially the key material and
PGP/SMIME encryption/decryption processing is performed on Msgsafe servers, with
industry standard TLS used to secure the connection from the browser to Msgsafe
servers.

(vii) Typosquatting was done deliberately for similar email products, encrypted
and otherwise, in 2016. But this was not done maliciously and no users were
deliberately misled about where they ended up.

(viii) TrustCor is not a Canadian company, in that the TrustCor CA does not have
any company in Canada, filings in Canada, etc.

Again, these are how I am interpreting TrustCor’s response and I could certainly
be wrong, so please let me know.

I do have a few more follow-up questions:

(q1) The TrustCor website as I visit it now from my office at the University of
Calgary states that: “TrustCor is a Panamanian registered company, with technical
operations in one of the most secure, privacy oriented jurisdictions in the
world. Traditional safe havens do not even come close to the protection provided
by Curaçao’s strict privacy laws.” It does not actually say that technical
operations are in Curacao, but that is how I had interpreted it. Assuming
the privacy oriented jurisdiction being referenced by the paragraph is Arizona,
why is Curacao part of that paragraph? Note this is TrustCor’s website, not Msgsafe.

(q2) This website:
https://www.dnb.com/business-directory/company-profiles.measurement_systems_s_de_rl.fe1d33ee8c1ff9a19bcc9c5b877cb483.html
refers to Measurement Systems S de RL having as key principal Ryan Abramowitz. I
haven’t used dnb.com before, I have absolutely no idea where they source their
data or if their data is any good. There is also no certainty that the Ryan
Abramowitz is the same as the Ryan Abramowitz who is the co-founder’s son. But
it returns back to this theme of coincidences. So I ask as clarifications: did
TrustCor’s founder Ian Abramowitz or his son Ryan Abramowitz ever act as a
representative for Measurement Systems or for its partners, specifically CHIVALRIC
HOLDING COMPANY, LLC and FRIGATE BAY HOLDING, LLC? (the Panama ones, not the
copycat US ones)

(q3) Is there any risk that the rogue developer could have compromised TrustCor
in any other way than running unauthorized TCP relays and getting
unauthorized code committed? How and when were these actions detected and are
they referenced in any audit?

(q4) In what countries is TrustCor a legal entity?

Thanks again,
Joel Reardon, University of Calgary

Rachel McPherson

Nov 27, 2022, 4:14:36 AM

to MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

Kathleen, Ryan, Clint and the remainder of the community:

Again, we appreciate the opportunity to respond to the community’s concerns.

Readers should take care to read our several previous responses (first) and all attachments in order to understand the full context of all subsequent replies and our subsequent responses. Then, please refer back to our November 8, 2022 post entitled “Fraudulent Claims and Media,” for the full story.

As before, given the publicity of this forum, I will do my best to respect people by not constantly using their names or calling out other root program member organizations as examples, even when it would be useful to do so. Instead I will ask you to take that aspect into consideration in my response. Also, I will use “our company” when speaking of TrustCor (the CA operator) and MsgSafe.io (the email provider). I will use “the researchers” when speaking about Serge Egelman, Joel Reardon, their commercial enterprise AppCensus, and the universities for which they work (University of California, Berkeley and the University of Calgary, respectively).

It is critical readers understand we have never been accused of, and there is no evidence to suggest that TrustCor violated conduct, policy, or procedure, or wrongfully issued trusted certificates, or worked with others to do so. We have not done any of those things. It is also important to understand TrustCor operates two separately managed businesses: a certificate authority (TrustCor CA) as a business unit which provides CA services secured and insulated by an exclusion provision (that allows it to operate untouchably from other management and equity ownership at the board level), and TrustCor separately operates a privacy-enhancing communications service (MsgSafe.io) as two discrete business units.

To put it plainly and directly, TrustCor (along with MsgSafe.io) has never cooperated with data requests from the US Government or any government for that matter. Likewise, we have not assisted or enabled any company or third party to surveil, monitor or in any way collect data on our customers for the purposes of providing it to anyone else in any form, nor do we sell or broker customer data. Whether you are a customer that has never paid us anything and you enjoy a free service level, or you are a customer who pays us for our most premium tier of service, your data is safe from prying eyes from the outside, and it always has been. With the help of our email services, we have enough premium paying customers to have sufficient money to make our downmarket services low-cost or free quickly, and encourage people to spend money on and support more features. Our email service operates at a statistically low level of abuse because we do things automatically to diminish the opportunity for abuse, such as limiting outbound email per account and automatically closing accounts when successive bounce notifications are received, and we process other complaints manually as efficiently as we can.

TrustCor has never allowed a certificate and/or key material to be generated outside of our audited and published standard processes, common among the whole industry. We live in a world with:

  • certificate transparency logs;
  • face to face audits once or more per year with third party auditors visiting our locations and having direct access to internal records, offices and equipment;
  • network security audits by separate, recognized industry experts;
  • an industry-standard, fixed set of options for auditors controlled by WebTrust/AICPA;
  • the CA/B Forum and CCADB;
  • and hyper-social accountability.

To suggest there was any violation or bypass of these security measures would be foolish, or at least entirely impractical, and would render the standards a waste of everyone’s money and time, which could set a new precedent. What is more, we have never even been accused of any misissuance or mishandling of material. Between the additional security afforded by our board-level exclusion provision designed to protect our CA business unit, and our nearly decade-long track record of having no change in control (only the payment of debt to prior shareholders), we operate a valuable, growing enterprise that serves the global public interest and provides real value to the community.

In reading related reporting and blogging off-list, I must address an elephant in the room. It seems it may come as a shock to some readers and the researchers themselves that other root program members are in fact foreign governments, and some are also defense companies, or companies that are wholly owned by defense companies and/or state-owned enterprises, meaning “companies” that are entirely owned or controlled by governments. Further, some of those governments are not free/democratic and in fact some have tragic recent histories of routine human rights violations. We are none of those things and our company does not identify with those values. Given this point above, why of all possible targets are these researchers drawn to TrustCor? They could go after countries with human rights violations that have placed a CA in this program. They could go after countries that suppress free speech that have placed a CA in this program. They could go after companies that are smaller CA/issuers than us, or much larger ones. They could go after CAs that are actually state-owned enterprises (owned by governments). But they aren’t. So why? Why choose to spend their time on this and on us in particular? We’ve been asking ourselves this since it began. We’ve only come up with 2 possible answers. (1) They saw that single domain name in an old registrar record and simply fell into recursive confirmation bias to assume everything stemmed from that… or (2) They make money in their for-profit enterprise if they can find any American nexus, so they can involve the American government and the FTC and apply pressure with American journalists. Well, this mystery solves itself. They do get paid by the FTC in their own web of companies. They do tip American journalists using their university affiliation and then plug their company in the articles. And their American customers apparently don’t reward them for going after foreign companies. So this represented a huge opportunity for them if they could show the American companies they saw had anything to do with us; unfortunately for them, they don’t. We’re not an American company or a company owned by American citizens. If they had known beforehand, they would probably have paid no attention just like they’re not paying attention to other program members who actually are governments or state-owned/defense companies. I think this is all about self-aggrandizing: getting themselves and their company known, and about making money. These guys are in business, and they’re bullies. They put on the hat and shirt of university researchers from different multinational universities and yet they’re involved in the same startup company/business and other related companies that benefit financially from the publicity and follow-on work, and they’re misusing this platform and betraying the purpose of this mailing list. It’s also worth noting: the researchers followed no semblance of the responsible disclosure processes that are well established in the industry. They never tried to work with our product team or management to express their concern, or suggest improvements, or discuss potential vulnerabilities. Instead they opted for maximum public impact and tried to pressure this industry body with journalism following their sensational false story. They were even able to get an American journalist to publish a story without proper fact checking, and without talking to any representative of our company even though two of us responded to the journalist directly. Our CTO provided proof of this in writing in his letter with screenshots.

Some could argue this discourse is all healthy to shine more light onto this small community trying to make the Internet better and safer. However, the accusations and false claims against us have a debilitating impact on our ability to serve our customers, and instead have mainly served the self-interest of the accusers who try to drive traffic and intrigue into their startup company, despite their overt university affiliations.

And what exactly is the researchers’ story? We’ve been accused of a “shady” corporate structure, but what they presented wasn’t an accurate reflection of our corporate structure even a year ago (which by the way was not significantly different than other corporate structures in any company). We’ve been accused of including some other company’s “bad” third party software in an app, but that app never made it out of beta, and was already abandoned over 3 years ago, never having been released in production as a supported endpoint. Now they continue to recursively shake trees to try and associate shareholders-of-shareholders (2 or more degrees removed) from the company and prior (already-dissolved) holding companies to try and make any link with any other company, even though our exclusion provision would render that useless and immaterial and thus it would not have any impact on CA operations. Likewise, because they don’t have experience in the CA ecosystem, they’ve already gone many steps beyond the scrutiny placed on any other member of these root CA programs because 2-degrees-removed shareholder enumeration is simply not a feasible requirement to levy on any company, and is especially pointless when the equity holder interest cannot threaten CA operations (due to exclusion provisions).

Similar to our response to the previous comments made by Joel, we’re obliged to respond that there are aspects of what Joel has stated both in his account and in his supplemental statements with which we disagree, would dispute or are factually incorrect. We won’t ignore blanket statements designed to confirm our assent, of which there were several again.

I will respond below to the summarization points and further questions raised by the researchers, many of which have already been addressed by our previous replies.

—————————————

In Response to Joel’s (University of Calgary/AppCensus) summarization and restatement (simplification) of previous responses,

Allow me to first address the summarized points, but please first understand that we have addressed most (if not all) of these in context in earlier replies. I believe in good faith you’re trying to simplify these topics, but it’s not easy, or at least it’s not easy to do that. Many of these summarized points are factually incorrect and contain misused legal terminology, which makes this extremely difficult for readers since the statements are misleading, especially when stated out of context as they are. I am not an attorney, and you are not an attorney (unless you also have a JD, which you have not shared). That makes this dangerous because corporate law is not easy just like computer science is not easy. When you add the complexities of multinational jurisdictions, variations in language of the same legal terms having a different meaning across legal territories, and applying terminology and constructs that change between those territories, there is a lot of room for misinterpretation and mistake that neither of us intend to cause. To give you a tangible example of how slippery a slope this is and how it can easily be misinterpreted: the OpenCorporates guys try to normalize data from many different legal territories and, for example, they list corporate “officers” and “members” in the same list. Obviously a “company” cannot be an “officer” within another company (maybe it can elect legal representatives to serve on a board of directors, but that’s different), just as an officer doesn’t necessarily mean someone is an owner or managing member of a company. Therefore that list is entirely ambiguous.
It’s not their fault, they’re getting data in different languages that’s translated and “normalized” for them so by the time they “get it” the data is already potentially “bad,” so to speak. Also, as you have already confirmed, filings can also be created by attorneys or “others” listing controlling members or officers using “other people’s names” for a variety of reasons that could be helpful or maybe malicious.

This is precisely why management assertions and auditing standards are so important. Legal territories are not the same for everyone, so at least the auditing standards can be made the same for everyone (as they have been). The public has to rely on management assertions being third-party-validated by standard auditors. That’s how the system has worked as long as any of us can remember, and it’s a reasonably good system. Could it be better? Maybe, but remember you would always have to solve the problem for the whole world on this, not just North America.

In response to: “(i) The Panama open corporates records were correct in 2020 and earlier, but at some point in 2021 have changed. The partners were CHIVALRIC HOLDING COMPANY, LLC and FRIGATE BAY HOLDING, LLC. These are registered in Panama.”

I don’t think you’re trying to conflate these things, but your incorrect use of legal terminology related to corporate structuring could cause a type of confusion that I don’t think you intend. We have already explained the “investor” and “investment vehicle” designation and status (for TRUSTCOR SYSTEMS S. DE R.L.) of the holding companies you mentioned. We’ve shared detail that is much beyond what other root program members provide, even under the new documentation requirements imposed by this program(s). You’re not just in the weeds and going far beyond our already-generous level of detail, but now you’re in the weeds using legally incorrect terminology such as “partners” and others when we have already provided that level of detail in context.

In response to: “(ii) These companies are also partners for Measurement Systems S. De R. L.”

Once more, I don’t think you’re trying to conflate these things, but your incorrect use of legal terminology related to corporate structuring could cause a type of confusion that I don’t think you intend, e.g., what constitutes a “partnership” or what constitutes “investment” or what constitutes “management” or “membership” in a going concern. Even as I look past that and in good faith try my best to provide further detail responsive to what I think is your interest, we cannot comment on the activity of another company, as any comment would be purely our speculation.

Within the spirit once again of searching to provide extra detail in factual religion to be as responsive as that you may possibly well well be furthermore mediate ofone level worth remembering pertinent to this level is that each the preserving corporations you’re relating to (and that we referred-to in extra than one earlier responses) had been already dissolved all the most life like likely device thru 2021, before any of the researchers inquiries, and as a usual progression of TrustCor’s industry. Whereas again I will’t speculate, my level is barely that making statements about those corporations wouldn’t fully be speculation, nonetheless it undoubtedly would be speculation in a course that is neatly-known to be false, which manner your premise and observation is a false declare. You can furthermore neutral no longer intend for it to be, nonetheless it undoubtedly is. If a firm is already dissolved, it wouldn’t be that you may possibly well well be furthermore mediate of for it to be a “partner” (again disagreeable apt time-frame, nonetheless searching to be priceless to you) in any different corporations. You aged “are” in brand worrying, but as of bigger than a 365 days in the past that wouldn’t be correct for any firm in the an identical manner because it was no longer correct for us. I don’t know the disposition of that different firm or its interactions with its shareholders in the previous or brand, nonetheless what we enact know for definite is that the preserving corporations you mentioned had been already dissolved. As a result of this fact, we know that as of bigger than a 365 days in the past, those preserving corporations (once dissolved) weren’t “provocative on” that different firm both.

It is not my place to speak for anyone other than TrustCor, but you may be wrong about that other company—maybe not because you didn’t try to get it right, but because you had outdated information and perhaps didn’t speak to them to make sure you had the most recent or most accurate information. Also, if they are not subject to audits like we are, then maybe you couldn’t or wouldn’t trust them anyway, but again there is no point in speculating.

In response to: “(iii) The CHIVALRIC HOLDING COMPANY, LLC has no relation to the Chivalric Holding Company LLC registered in New Mexico formed Sept 2020 dissolved June 2022 with officer Vito Piacente, unless the relation is due to an attack against TrustCor.”

We won’t comment on the activities of another company, as any comment would be purely our speculation. I have certainly been warned by our counsel to steer clear of finger pointing as far as what constitutes an attack versus a mistake versus whatever someone’s intentions are for opening any business in any name at any time. All I can say is that it isn’t us, that it wouldn’t make any sense for it to be us, and that I don’t know anything about it. Frankly, had you not brought some of these items into the public spotlight, they may have gone unnoticed by us entirely, because anyone can open a business in any name basically anywhere, anytime. That may violate trademarks, but that would mean the person who owns the marks would have to know it took place and assert themselves. Who knows, there may even be a “Joel and Rachel Corp” in Haiti for all I know, and no one needs my or your permission to register it, open it or close it. It appears that in some areas / states in the USA you don’t even have to show who you are to open a company in any name, or provide an ID. So I guess technically even though it was registered by an individual, that individual may not even be the person whose name it is registered under. I take it you can’t open a checking account (at least I hope you can’t!) without an ID and without being the person you say you are, but apparently those rules do not apply to people registering companies. Clearly you and I are both way out of our element. We leave this to lawyers.

In response to: “(iv) The FRIGATE BAY HOLDING, LLC has no relation to Frigate Bay Holdings LLC (the latter having an “s” in holdings and no comma) registered in Wyoming formed Sept 2020 dissolved June 2022 with officer Vito Piacente and manager Raymond Saulino, again unless the relation is due to an attack against TrustCor.”

We won’t comment on the activities of another company, as any comment would be purely our speculation. However, I answered more informatively in my previous response directly above this and would apply the exact same response here.

In response to: “(v) Software produced by Measurement Systems was inserted by a rogue developer into the Msgsafe app and that developer operated outside their authorization; this inclusion was not sanctioned.”

Prior context:

Our company never published a production or supported version of the MsgSafe.io mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (who were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that during the development stages of MsgSafe.io’s BETA mobile app, our developers sought out help from third-party software services to obtain better app analytics. We are aware that they evaluated various SDKs and tools like Firebase, Bugsnag, etc., but they claimed these did not help much in troubleshooting and improving the app’s performance across all device manufacturers and OS versions. There was a time during this process when they brought in additional software developers to help with the issues we were facing. Whether the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe.io BETA mobile app was never released in a production-supported version and has been abandoned for years, and we can confirm that the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

Prior to my original reply, we had already completed an investigation related to this matter. Our software revision control system revealed immediately when the software was introduced and which developer introduced it. As I previously mentioned, “… they brought in additional software developers to help with the issues we were facing.” The additional developers were contract developers. Also as I previously mentioned, “Whether the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate.” Our investigation found that the developer in question properly signed our standard “Confidentiality Obligation and Invention Agreement”, which requires any developer to obtain a corporate license for any third-party software or intellectual property the developer chooses to include. We confirmed through corporate records and e-mail searches that no such license was ever obtained by the company or company counsel. Also, none was included within the software check-in to revision control. We also confirmed that no approval for including this third-party software was ever obtained from Wylie (technically the supervisor of the developers at that time). Technically, that individual developer violated our Confidentiality Obligation and Invention Agreement.

When we discussed this with legal counsel, their opinion was that a labor dispute over an agreement violation that took place over 3 years ago would be limited/difficult to pursue, particularly because the developer has not worked for the company in the 3 years since native app development was abandoned in favour of our decision to focus on our mobile-first web application, which involves entirely different skillsets / personnel. Further, their opinion was that damages may not be readily provable because (as previously mentioned) the mobile app was never “released”, or rather it was only offered for testing in a BETA form (which specifically admonished that it was a beta and not supported) and used primarily by our own employees testing it. I understand the existence or proposition of this essentially unused beta software may have been a boon to AppCensus reporting and is of intellectual interest to the researchers, but our company sees no benefit in any legal or other pursuit on the matter in terms of benefitting our customers or any relying parties.

Supplemental response:

Once again, this event has nothing to do with the TrustCor CA business unit or CA operations or shared personnel between the TrustCor CA and the MsgSafe.io development team. The BETA application in question was developed by a group of developers with access only to MsgSafe.io’s environment and NOT TrustCor CA’s environment. Software development for the MsgSafe.io BETA application was performed within the MsgSafe.io network and never touched TrustCor CA systems, networks or data centers.

Specifically addressing Joe’s language “… that developer operated outside their authorization; this inclusion was not sanctioned.”:

Due to the separation between TrustCor CA and MsgSafe.io, those developers never had access to the same physical equipment, the same network, or the same data center. Also, neither MsgSafe.io nor TrustCor CA systems were ever compromised by the developer. We previously explained how we believe the SDK made its way into our BETA app and our findings regarding the system used to proxy web traffic, both of which were set up by the developer while working on the application we ultimately decided to abandon 3+ years ago during our own natural course of business, years before any of this came to light. Depending on the definition you are using for “authorization”, this could be viewed differently. Better said, the developer in question took it upon themselves to integrate that code without the company’s knowledge and without seeking their boss’s permission upfront, which violates our “Confidentiality Obligation and Invention Agreement.”

In response to: “(vi) The Msgsafe web site is implemented where the key material and PGP/SMIME encryption/decryption processing is performed on Msgsafe servers, with industry standard TLS used to secure the connection from the browser to Msgsafe servers.”

Your statement is incomplete and also not accurate without further context, and the answer is more complex than an “always” and “never” scenario because it is highly dependent on a user’s individual configuration and the options users choose to implement, which may be different from any default software behaviours. We have previously addressed this in our comprehensive response on 11/18. Oversimplifying our response is a disservice to the community. I also suggest you review how other popular web-based e-mail encryption solutions operate so you can better understand why MsgSafe.io provides distinct features that allow users to secure their messages as or more effectively than other solutions.

Prior context:

MsgSafe.io’s platform may also be used in a variety of ways, including using the e-mail forwarding features and not using the web-based interface at all. It is extremely difficult to speculate about what you experienced or tested without comprehensive knowledge of the account configuration, forwarding addresses, user identities and contacts, and their associated GPG and S/MIME certificates.

As far as your not believing the product offers sufficient encryption capabilities, let me first say that I do not want to drag the names of any other encryption services or products through the mud. To address your concerns, based on our team’s exhaustive research into many alternative providers offering similar services, one common rule applies: whether the encryption or decryption functions are happening on the client (usually in javascript) or on the server, the server is still storing and handling the key material in the process. Our implementation is one of two commonly used by secure messaging services and was chosen for several reasons. If encryption happens on the client, then the key material is passed from the server to the browser over TLS. If the encryption happens on the server, then the message is transferred from the client to the server over TLS, then encrypted. As the MsgSafe.io web site explains, our team has found that implementing the key material and encryption/decryption processing on the server provides security without the additional processing requirement on the client. One of the benefits of this implementation is that it allows slower/older devices (phones) to use our mobile-first web experience (since, as we previously mentioned, we abandoned development of a mobile app, which could have done the encryption/decryption process on the mobile phone), while also supporting desktop users. To be clear, at no point is data passed in the clear while using the service; it is either encrypted with the user’s key material or encrypted with industry-standard TLS.

Many MsgSafe.io customers never experience sending or receiving mail using the web browser, which means you are only looking at one implementation of the service, which is probably the least used.

Needless to say, we can accept the possibility of a weakness in MsgSafe.io’s user interface, and we take such reports very seriously, but we would be surprised to find that to be the case here. If you still have questions or doubts, we ask that you please file a bug report with MsgSafe.io directly through their customer support channel.

It is also important to understand that MsgSafe.io and TrustCor’s CA do not share development resources or infrastructure and are entirely different lines of business.

As already mentioned, MsgSafe.io’s platform may also be configured by the customer in a variety of ways, including using the e-mail forwarding service. When customers enable this option (which is statistically common) they are prompted to add a “public” key that MsgSafe.io will use to encrypt messages to them. This allows (for example) an iOS customer to use his or her platform’s built-in S/MIME implementation in their mail client to decrypt incoming mail and to encrypt messages to their contacts. In this scenario, for example, MsgSafe.io never has the user’s private key. This private key is never in our possession, and customers can implement this with S/MIME or with GPG and never give MsgSafe.io their private key.

These key management challenges the researchers describe are not related to company behaviours; they are technical challenges related to giving someone the ability to walk up to any computer in the world, enter a web address and securely exchange emails, bringing nothing with them. The only way that is accomplished today is for at least some of the private keys to be stored on the server. Whether the decryption happens in javascript or in python or in any language, on the client or on the server, if the user came with “nothing” from a public computer, then the keys are necessarily on the server. The real difference is what other features a security platform like MsgSafe.io provides to improve the overall experience and/or to secure messages otherwise. The challenges, in and of themselves, are common and well understood across the industry. Again, I suggest you review how other popular web-based e-mail encryption solutions operate so you can better understand why MsgSafe.io provides distinct features that allow users to secure their messages as or more effectively than other solutions. If you still have questions or doubts, we ask that you please file a bug report with MsgSafe.io directly through their customer support channels. This will allow that team to work with you and improve the product.

In response to: “(vii) Typosquatting was done intentionally for similar e-mail products, encrypted and otherwise, in 2016. But this was not done maliciously and no users were intentionally misled about where they ended up.”

We have previously addressed this in our comprehensive response on 11/18.

Prior context:

When the domains were registered, it was common for advertisers to purchase Google search keywords of their competitors as part of their SEO marketing. At the time, it was perceived as a low-cost way for a small start-up e-mail provider to direct a very small amount of traffic to MsgSafe.io’s new privacy-focused e-mail services. It was not an attempt to mislead users in any way — users very clearly understood where they had been directed.

It is not the company’s stance or best practice to register domains similar to competitors; it only took place with a small number of domains, and did not occur again after 2016.

In cases like phishing or others where users are intentionally misled, typosquatting is easily a concern. However, in this scenario, there was not even a customized landing page or a reverse-proxy type scenario where the URL or name was retained—literally, users were sent to the standard MsgSafe.io web site directly, changing the URL to the MsgSafe.io URL and making them aware they had reached the MsgSafe.io service. If they preferred another service they could certainly change the web site they were visiting. We cannot conceive of any scenario in which a user could feel misled. While we have chosen not to use this form of marketing or traffic generation in 6 years, we acknowledge it is still used today by many others and we do not condemn a use case like this when implemented the way it was.

In response to: “(viii) TrustCor is not a Canadian company, in that the TrustCor CA does not have any company in Canada, filings in Canada, etc.”

Again, I believe you are using legal terminology and conflating business complexities that are not as simple as you make them out to be.

Prior context:

TrustCor’s Ontario (Canada) Headquarters address was previously located at 7270 Woodbine Avenue, Suite 308 Markham ON L3R 4B9 Canada. When Ian’s health began to decline, and given that Ian, Ryan and I were the only Canadian employees, and our technical staff were centrally located relative to our data centre locations, we chose a remote-work arrangement in Canada. While the Canadian filings ended in 2016, we still retain personnel, a secure storage facility, and we have always maintained a consistent mailing address in Ontario where the public can contact the TrustCor Policy Authority in writing for policy-related enquiries; this is the same address printed on TrustCor’s letterhead and within our CPS documents.


To directly address and assuage the public’s concern, we will replace the word “Headquarters” with “Address” in future documentation.

Quoted from the WebTrust Illustrative Examination Reports Under SSAE 18 and SSAE 21, Version 2.0 Published 1 February 2022:

“All reports issued should list the state/province and country of all physical locations of CA facilities that were included in the scope of the engagement. CA facilities may include data centre locations (primary and alternate sites), registration authority locations (for registration authority operations performed by the CA), and all other locations where general IT and business process controls that are relevant to CA operations in scope (including cloud and remote locations).”


Based on the requirements coming directly from WebTrust, we believe we are reporting accurately within the management’s assertions. It still remains true that a good portion of our business process controls, relevant to the CA operations, are performed by key personnel from Canada. As previously mentioned, we have always disclosed both our Canadian and United States locations in our CPS document and management assertions.

Sir, it is like asking if one of your favorite brands is a Canadian company. They may have a division in Canada. They may have filings in Canada. They may not. They may have those things and then stop at some point. They may start up again at some point, usually determined by tax and number-of-employees and benefits details. Are you speaking historically, as in the “genesis” of a business, or asking about its current management and filings? Again, you are not a lawyer and neither am I, but we are adhering to policies the best way our lawyers, accountants and auditors can determine, and we are reporting on them that way too in our management assertions. There is no lack of transparency here, and we have answered this with supporting detail ad infinitum.

—————————————

In Response to Joel’s (University of Calgary/AppCensus) supplemental concerns,

In response to “(q1) … Assuming the privacy oriented jurisdiction being referenced by the paragraph is Arizona, why is Curacao part of that paragraph? Note this is TrustCor’s web site, not Msgsafe.”:

The researchers appear to keep ignoring the fact that TrustCor itself operates both the TrustCor CA business and the MsgSafe.io business as separate standalone business operating units, both of which it owns. This has been stated time and time again.

Prior context:

In Response to: “Trustcor also talks about their “geo-jurisdiction advantage” on a whole page [21] where they state that “TrustCor is a Panamanian registered company, with technical operations based in Curaçao—one of the most secure, privacy oriented jurisdictions in the world.” Despite that, they have job openings for PKI Engineer and Systems Engineering in Phoenix, AZ [22, 23], the latter stating that the applicant “MUST be located near the Phoenix, AZ location – job is remote with occasional trips to data center facilities”. Their own audit reports state that they are Canadian, with their data centres in Phoenix, AZ [24]. I am not particularly bothered by where they have their technical operations, but I think that it is interesting to leave out that the data centres are in Arizona in the long descriptions of the “geo-jurisdiction advantage”. Certificate authorities are about trust.”:

We note that most CAs do not publicly state the locations of their CA data centres on the home page of their marketing web sites. The side of our business which operates the encrypted e-mail product and stores secure customer content, MsgSafe.io, has technical operations based in Curaçao (hence the “geo-jurisdiction advantage”), whereas the CA business unit has data facilities located in Arizona. In the interest of trust and transparency, to be clear, TrustCor’s CA business unit does not perform key escrow services and therefore does not store customer private keys, as stated in our CPS.


Supplemental response:

TrustCor is a for-profit business that provides services. A product of TrustCor is MsgSafe.io, and TrustCor’s CA business unit is a line of services. TrustCor is in the business of selling its services, and as previously stated in an earlier response, the “geo-jurisdiction advantage” refers to TrustCor’s product MsgSafe.io. TrustCor’s MsgSafe.io product is completely isolated from TrustCor CA services—we have a separately provisioned data center, computer equipment, databases, network, and in some cases also local staff specifically for MsgSafe.io, so that none of the MsgSafe.io environment (data center, network, servers, etc.) ever shares the same resources as the TrustCor CA business unit. We take pride in our CA business and ensure it is always up to the highest standards and compliant with the NetSec Requirements. Furthermore, our decision to host our MsgSafe.io product in a location with a geo-jurisdiction advantage was so the e-mail product would not be subject to having to comply with orders to produce data from MsgSafe.io customers.

If this is about making the page on TrustCor’s web site more clear to the public (although we think that it is currently quite clear) that the geo-jurisdiction advantage text is in reference to its MsgSafe.io product, we can make that happen. We appreciate your constructive criticism here and are always striving to improve our business in any way possible. If you have specific suggestions for this text, please provide them to us for consideration.

In response to “(q2) … did TrustCor’s founder Ian Abramowitz or his son Ryan Abramowitz ever act as a representative for Measurement Systems or for its partners, specifically CHIVALRIC HOLDING COMPANY, LLC and FRIGATE BAY HOLDING, LLC? (the Panama ones, not the copycat US ones)”

Prior context:

To what extent does TrustCor today maintain a business relationship or share ownership/corporate officers with Measurement Systems or Packet Forensics?”:

TrustCor does not have or maintain any business relationship or share any officers or ownership with Measurement Systems or Packet Forensics, or any other defense company. The documented actions and opinions do not affect TrustCor’s CA operations in any way. Furthermore, any shareholders would not have any control over our CA operations (as enforced by our exclusion agreement), and any misbehaviour of organizations or individuals external to us is a result of their choices and does not have an effect on our operations.

In Response to “If Trustcore today does not maintain a business relationship or share ownership/corporate officers, has it done so in the past? If so, when? When was the relationship dissolved?”:

Unknown until recently by any employee officers of TrustCor, we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals. Even though we shared a common group of investment funds, we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access to, or being controlled by or influenced by, any third party, investors, equity holders, or anyone other than TrustCor’s CA Approving Officers and employees. To the best of our knowledge (and our focused investigation) there is not and has never been shared ownership with any defense company or any USA company. This common group of investors with Measurement Systems S de RL had already dissolved in mid 2021, before these recent claims were publicized, which means as a natural course of business and not as a reaction to any claims or adverse events. In 2021 TrustCor ownership was transferred from the initial investors/founders to the employees of TrustCor. The legal process has been very gradual and certainly slow, particularly due to the protracted treatment and recent death of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago.

In Response to “What in general explains the shared corporate officers across the companies?”:

The initial investors/founders of both holding companies were known to each other and decided to diversify their investments across multiple companies and in multiple territories, which is apparently a common investment practice. They are strictly passive investors, other than Ian Abramowitz.

In Response to “Do you have separate corporate registration documentation demonstrating that the TrustCor CA is a distinct organization from the Trustcor entity that shares corporate officers with Measurement Systems? If so, please provide it.”:

(from above) The legal process has been very gradual and certainly slow, particularly due to the protracted treatment and recent death of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago. As soon as it completes we will be happy to share the public records, but we cannot control how long it takes various lawyers to process changes upon death, etc. Obviously Ian’s name is on many records already publicized, and searching for his name allows anyone to see his memorial web site from June 2022 (but he had been in treatment for a while) and other public records of this kind. Since its inception in 2013, TrustCor’s CA business unit has been completely insulated and secure from any shareholders through its exclusion agreement, which separates equity ownership from access to or control over the CA business unit.

In Response to “They have identical corporate officers: Measurement Systems, Trustcor Systems”:

This statement is incorrect because the investment/holding companies in question were already dissolved in 2021. We have explained our restructuring (above) and cannot speak on the subject of the other company because we do not know them. It is worth noting that the media’s coverage does not state who the beneficial owner of Measurement Systems is.

The reporting and public records merely state that an individual affiliated with a defense company (investor or former employee) may also be an investor in one or both of the funds/holding companies and therefore potentially was at some time an investor in our company through an investment in another company. The researchers’ conclusions, which the journalists further expound, are confusing the facts. For instance, if it holds that any “investor” in one company (making them an “affiliate” of that company) who is also an “investor” in another company links the two companies together as affiliates, and then even when one of those two companies further invests in a third company (one step removed), basically most companies and even CAs come into question due to the suggested transitive property. Also conflated by the researchers and media is the point about American companies bearing similar (not exactly the same) names to those of the funds/holding companies in question. We are not now and never were owned by any American company with any names similar to those identified by the researchers. We do not have any idea what those companies are or what their purpose is, but they are not affiliated with our company or anyone known to us. Our business was formed in Panama over 9 years ago and any forms filed in the past few years pointing to an American or similar-named company were not executed by us or affiliated with us in any way.

In Response to: “Like Measurement Systems, Trustcor is also registered in Panama [17]. They were registered a month apart and they share an identical set of corporate officers”:

Unknown until recently by any employee officers of TrustCor, we and Measurement Systems S de RL had in common a group of investors who represented funds (groups of companies and other funds), not individuals. Even though we shared a common group of investment funds, we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access to, or being controlled by or influenced by, any third party, investors, equity holders, or anyone other than TrustCor’s CA Approving Officers and employees. To the best of our knowledge (and our focused investigation) there is not and has never been shared ownership with any defense company or any USA company. This common group of investors with Measurement Systems S de RL had already dissolved in mid 2021, before these recent claims were publicized, which means as a natural course of business and not as a reaction to any claims or adverse events. In 2021 TrustCor ownership was transferred from the initial investors/founders to the employees of TrustCor. The legal process has been very gradual and certainly slow, particularly due to the protracted treatment and recent death of one key founder, Ian Abramowitz. However, it is underway and irreversible, and the common investment vehicle was dissolved over a year ago.

In Response to: “One of those officers is Frigate Bay Holding LLC [18]. Shortly after the WSJ article was published, a “Raymond Saulino” filed forms for Frigate Bay Holdings LLC listed as its manager [19]. Raymond Saulino has also spoken to press publicly on behalf of Packet Forensics.”:

We are not now, and never were, owned by any American company with any names similar to those identified by the researchers. We do not have any idea what those companies are or what their purpose is, but they are not affiliated with our company or anyone known to us. Our business was formed in Panama over 9 years ago and any forms filed this year were not executed by our company. Our lawyer has advised us not to discuss the subtle differences in names, spelling, dates of incorporation, or legal territories in which corporate entities were formed, as litigation is a potential outcome of this publication.

Supplemental response:

We have already answered and addressed our ownership (with the elements, in context, above) and have also explained that our owners do not have any control or influence over our operations, per our signed exclusion agreement: “we have always operated our business independently of any other company and have exclusion provisions in place to protect the CA business from having access-to or being controlled-by or influenced from any third-party, investors, equity-holders, or anyone other than TrustCor’s CA Approving Officers and employees.” The researcher’s attempt to take points out of context does not provide the public with any new information and we have already explained our ownership vs. operational control. We are limited to truth and fact that we know or control, and have been cautioned again and again not to speculate as to the disposition or ownership of entities we do not control (Measurement Systems S. De R.L., CHIVALRIC HOLDING COMPANY, LLC, or FRIGATE BAY HOLDING, LLC).

As we previously mentioned “the initial investors/founders of both holding companies were known to each other and decided to diversify their investments across multiple companies and in multiple territories, which is apparently a common investment practice. They are strictly passive investors, other than Ian Abramowitz.” In support of that fact I will share that we have within TrustCor business records from 2013 where Ian Abramowitz signed on behalf of (as a legal representative of) both holding companies, but we do not know or care to speculate if Ian was involved in the formation of those companies or was merely an authorized legal representative at any given time. Anything the holding companies invested in other than us is unknown to us and would be purely speculation.

In response to “(q3) Is there any risk that the rogue developer may have compromised TrustCor in any other way other than running unauthorized TCP relays and getting unauthorized code committed?”:

Prior context:

In Response to “TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK. (Beta APK, inspected by Joel and signed by Google)”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out the help from third party software products and services to achieve better app analytics. We are aware that they evaluated various SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

In Response to: “Why did MsgSafe appear to bundle an unobfuscated version of this SDK in their app? How was it obtained, if as Rachel says, they have nothing to do with the company that is spreading it? According to her email, they do not have a public app; someone should probably tell that to their social media person…”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out the help from third party software products and services to achieve better app analytics. We are aware that they evaluated various SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

In Response to “Regarding the SDK, I agree that speculating why it was included is neither helpful nor valuable. It should be possible to get a better idea of how it was included. For instance, source code version control history and commit messages may give some context. According to reporting by the Wall Street Journal who interviewed app makers who included this SDK that “Several developers said Measurement Systems required them to sign nondisclosure agreements.” [3] As well, the code is not available for download but was sent to developers who agreed to include it. This was indeed some years ago, and I agree that the method of delivery, etc., may have changed. Nonetheless if such emails or other communications are available to you it may help clarify the context around how this SDK was obtained.”:

Prior context:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out the help from third party software products and services to achieve better app analytics. We are aware that they evaluated various SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

Supplemental response:

Before my original answer, we had already completed an investigation related to this activity. Our software revision control system revealed immediately when the software was introduced and which developer introduced it. As I had previously mentioned, “… they brought in additional software developers to help with the issues we were facing.” The additional developers were contract developers. Also as I previously mentioned, “Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate.” Our investigation found the developer in question properly signed our standard “Confidentiality Duty and Invention Agreement” that requires any developer to obtain a corporate license to any third party software or intellectual property the developer chooses to include. We confirmed through corporate records and email searches that no such agreement was ever obtained by the company or company counsel. Also, none was included within the software/check-in to revision control. We also confirmed no approval for including this third-party software was ever obtained from Wylie (technically the supervisor of the developers at that time). Technically that individual developer violated our Confidentiality Duty and Invention Agreement.

After we discussed this with legal counsel, their opinion was that a labor dispute over an agreement violation that took place over 3 years ago would be limited/difficult to pursue, especially since the developer has not worked for the company in 3 years since native app development was abandoned in favor of our decision to focus on our mobile-first web application, which involves entirely-different skillsets / personnel. Further, their opinion was that damages may not be readily provable because (as previously mentioned) the mobile app was never “released” or rather it was only provided for testing in a BETA form (that specifically admonished it was a beta and not supported) and used primarily by our own employees testing it. I understand the existence or proposition of this essentially-unused beta software may have been a boon to AppCensus reporting and is of intellectual interest to the researchers, but our company sees no benefit to any legal or other pursuit on the subject of benefitting our customers, or any relying parties.

In Response to “… I decided to spend a little bit more time exploring it … [many lines of technical details] … This certificate was issued by/to MsgSafe (it appears to be self-signed)”:

Prior context:

In Response to “How was an unobfuscated version of the Measurement Systems SDK integrated into MsgSafe?”:

Our company never published a production or supported version of the MsgSafe mobile app containing the Measurement Systems SDK. Relative to the small population of Beta product-testers (which were largely our own employees) who chose to test a Beta version of the app containing that SDK, I will add that throughout the development stages of MsgSafe’s BETA mobile app, our developers sought out the help from third party software products and services to achieve better app analytics. We are aware that they evaluated various SDKs and tools like Firebase, Bugsnag, etc. but they claimed to not help much in troubleshooting and improving the app performance across all device manufacturers and OS versions. There was a time during this process where they brought in additional software developers to help with the issues we were facing. Whether or not the SDK was added for a developer’s personal financial gain or otherwise is beyond us and we don’t care to speculate. Again, the MsgSafe BETA mobile app was never released in a production supported version and has been abandoned for years, and we can confirm the mobile-first web UI, which is the only supported mobile interface in use today and for the past few years, does not contain any SDK from anyone.

As far as how the MsgSafe mobile app got an “unobfuscated version” of the SDK? It is not our place to speculate, but it certainly makes sense that any company would provide updates to their software over time. The third-party app archive website containing MsgSafe’s APK, as referenced in the researcher’s post, is over 3 years old. It should come as no surprise that the software found there doesn’t match up exactly to the software found in apps they reported about in April 2022. Our developers probably didn’t even notice subtle changes like this because it is not our practice to reverse engineer other companies’ software and violate license agreements.

Supplemental response:

Yes, we agree this certificate you found embedded within that software / SDK appears to be for “an1.msgsafe.io” and that it was NOT issued by TrustCor CA — it appears to be self-signed by either the developer who added it, or more likely the author of the specific SDK. This is a strong indication TrustCor CA was not involved in the software / SDK. Given a legitimately-signed certificate could have been built-in by MsgSafe.io’s own development team who could easily request it from TrustCor’s CA team, it certainly is evidence that the TrustCor Certificate Authority was not involved in this piece of software or its brief addition to MsgSafe.io. Further, it indicates this is likely an act of an individual developer, and not even the MsgSafe.io team being duped. We looked at all the URLs you provided in your supplement and can confirm TrustCor CA has not issued any of those certificates at any time, and those URLs are not otherwise known to us.

In Response to “… it appears to be programmed to instead send data to MsgSafe’s own servers! Why are MsgSafe’s servers hardcoded to receive data from Measurement Systems’ SDK?”:

We had previously performed a forensic investigation of the an1.msgsafe.io hostname you found, including its IP address history and the host itself, as well as the certificate search (which again came up clean because it was not issued by TrustCor CA or any legitimate CA as far as we could tell). The hostname you mentioned pointed to a Linux VM that had been provisioned by the same developer we discussed. We were able to recover from backup a copy of this VM and forensically analyze it. The only user was a generic administration account (presumably known by the developer) and the only customization beyond any standard VM configuration was a firewall configuration and the open port 443 that allowed traffic from anywhere. The only listener associated with port tcp/443 was a proxy program which appears to be https://github.com/kklis/proxy. The only version of the VM we were able to retrieve had no customizations to the configuration file, but it was set up using “systemd” so our conclusion was that the developer was likely redirecting the specific TCP stream elsewhere/offsite, and we confirmed the firewall configuration both on the host itself and the upstream router as far as the egress ACL/filter would have allowed this as long as he was sending it to any of tcp/443, tcp/8080, tcp/8181 or a few others. There is no indication the developer was “hosting” anything at MsgSafe.io beyond a simple redirector designed to send it elsewhere. There was no web server on this system and no certificates, so it was being redirected at the TCP level.

This above disagrees with your statement “…MsgSafe.io’s servers hardcoded to receive data …” where you intimate that our company is receiving the data. A correct characterization would be that a developer had set up a TCP proxy to send data elsewhere, but not necessarily to receive it. What you wrote is at best a mischaracterization, or potentially another false claim because it can be forensically proven to be false.

Supplemental response:

First, to correct your incorrect assertion, neither MsgSafe.io nor TrustCor CA systems were ever compromised by the developer. The developer rightfully had access to the MsgSafe.io systems (and never had access to the TrustCor CA network and systems that are in fact operated separately).

The developer had access only to MsgSafe.io’s environment and NOT TrustCor CA’s environment. App development for the MsgSafe.io BETA application was performed within the MsgSafe.io network and systems, and never touched TrustCor CA systems, networks or data centers. Due to the strict separation between TrustCor CA and MsgSafe.io the developer never had access to the same equipment, the same network, or the same data center. We previously explained how we believe the SDK made its way into our BETA app and our findings regarding the system used to proxy traffic, both of which were set up by the developer while working on the application we ultimately decided to abandon for unrelated reasons several years before any of these questions arose.

In response to “How and when were these actions detected and are they referenced in any audit?”

We deliberately created fully separate environments for the product and services we provide (this being further proof that it was a great idea); the developer did not have access to the TrustCor CA environment. The purpose of the forensic examination was to understand if anyone left the MsgSafe.io environment and entered the TrustCor CA environment, which resulted in no finding of that behaviour. Had we found anything that affected the TrustCor CA business unit then we would have reported it, obviously.

In response to “(q4) In what countries is TrustCor a legal entity?”:

TRUSTCOR SYSTEMS S. DE R.L. is a legal entity in Panama. While we appreciate your comprehensive line of questioning, the intricacies and complexities of creating and running multi-national companies/entities that comply with all laws and regulations put in place by the governing bodies is something that requires multiple people and a lot of time to explain, and an advanced knowledge of multinational legal workings. For example: there are companies that only contract with payroll companies and employ people in specific countries or regions, there are companies that act as holding companies that bear the company name, but merely exist to aggregate regional employment entities. Likewise there are entities that simply hold assets or sign leases. This is much too complex and far out of scope for public discussion and frankly some of it is confidential as those records have individuals associated with them and private information, and making account of them could create future tax liabilities or otherwise, while simultaneously not being helpful to the community in any way.

Our attorneys have advised us that explaining these things in a public setting will only create legal issues for us later, which we are hoping to avoid. If this response sounds frustrated to you, it is because we have already established that regardless of the ownership (even if it is the devil himself/herself), it is beside the point because our exclusion provision separates our ownership from our operations (as should all CAs in our opinion). While the complexities of implementing global companies may be interesting academically, we do not believe it is germane to this community because there are no requirements to recursively enumerate ownership or to identify controlling parties if they are (in our case) separated from our owners.

I hope the community continues to find this valuable and constructive.
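As an added illustration of the host-level triage described in the forensic paragraphs above (this is not code from TrustCor, the researchers or anyone in this thread): given `ss -tlnp` output and the systemd unit that starts each listener, flag a process bound to a TLS port that looks like a raw TCP relay rather than a TLS-terminating service. The listener lines, the unit file and the relay's command-line flags are constructed for the example, and every check is a heuristic an analyst would confirm by hand.

```python
"""Find listeners on TLS ports that look like plain TCP relays.

Inputs: the text of `ss -H -tlnp` and a mapping of process name -> systemd
unit text. All sample data here is constructed; the relay binary's flags
(-l/-h/-p) are an assumption, not taken from any real unit file.
"""
import re
from dataclasses import dataclass, field

TLS_PORTS = {443, 8443}
KNOWN_TLS_SERVERS = {"nginx", "apache2", "httpd", "haproxy", "caddy"}
BIND_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "*"}
TLS_MATERIAL = re.compile(r"\.(pem|crt|key|p12)\b|ssl_certificate|--cert", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOSTNAME = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)
# State Recv-Q Send-Q Local:Port Peer:Port users:(("name",pid=N,fd=M))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


@dataclass
class Listener:
    local_addr: str
    port: int
    process: str
    pid: int


@dataclass
class Finding:
    listener: Listener
    reasons: list = field(default_factory=list)


def parse_ss(text: str) -> list:
    """Parse LISTEN rows of `ss -H -tlnp` into Listener records."""
    out = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            addr, port, name, pid = m.groups()
            out.append(Listener(addr, int(port), name, int(pid)))
    return out


def upstream_targets(exec_start: str) -> list:
    """Return IPs/hostnames among ExecStart arguments, minus bind addresses."""
    targets = []
    for tok in exec_start.split()[1:]:  # skip the binary path
        if tok in BIND_ADDRS or "/" in tok:
            continue
        if IPV4.fullmatch(tok) or HOSTNAME.fullmatch(tok):
            targets.append(tok)
    return targets


def assess(listener: Listener, unit_text: str) -> Finding:
    """Collect relay indicators for one listener on a TLS port."""
    finding = Finding(listener)
    if listener.port not in TLS_PORTS or listener.process in KNOWN_TLS_SERVERS:
        return finding
    finding.reasons.append(
        f"{listener.process} on tcp/{listener.port} is not a recognised TLS-terminating server"
    )
    if not unit_text:
        return finding
    if not TLS_MATERIAL.search(unit_text):
        finding.reasons.append("unit references no certificate or key material")
    exec_lines = [l for l in unit_text.splitlines() if l.startswith("ExecStart=")]
    for line in exec_lines:
        for target in upstream_targets(line[len("ExecStart="):]):
            finding.reasons.append(f"forwards to upstream {target}")
    if "Restart=always" in unit_text or "WantedBy=" in unit_text:
        finding.reasons.append("installed as a persistent service (Restart=always / WantedBy)")
    return finding


def triage(ss_text: str, units: dict) -> list:
    """Return only listeners that accumulated at least one relay indicator."""
    findings = [assess(l, units.get(l.process, "")) for l in parse_ss(ss_text)]
    return [f for f in findings if f.reasons]


# Constructed sample data: an sshd, a relay on 443, and nginx on 8443.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=601,fd=3))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("proxy",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:* users:(("nginx",pid=900,fd=6))
"""
UNIT_SAMPLE = {
    "proxy": """[Unit]
Description=tcp relay (constructed example)
[Service]
ExecStart=/usr/local/bin/proxy -l 443 -h 203.0.113.10 -p 8080
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "nginx": "[Service]\nExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf\n",
}

if __name__ == "__main__":
    for f in triage(SS_SAMPLE, UNIT_SAMPLE):
        print(f"pid {f.listener.pid} ({f.listener.process}):")
        for r in f.reasons:
            print("  -", r)
```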

Kurt Seifried


Nov 27, 2022, 6:46:05 AM

to Rachel McPherson, MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

I am not sure how to say this but:

I am not seeing any real answers. I am reminded of the TV show “Cops” and the question “whose car is this?” followed by some extremely long and convoluted story about how their cousin lent the car to their best friend who’s a dog groomer and they’re just picking up medicine for a sick grandmother, TL;DR: the car was invariably stolen.

The answer around the Canadian company bits is convoluted, there is mention of employees and work from home (which has literally nothing to do with legal corporate structures), and no mention of ownership/corporate directors/share forms and ownership, so how about this:

Please list any and all Canadian corporate structures registered by, used by or owned by Trustcor.

This doesn’t have to be complicated, hell, I own a numbered corporation and have been doing this since 1998 in Alberta (which doesn’t have exactly the same laws as Ontario, but close enough).

The simple fact that we cannot get a simple and clear answer (some random text about producers and legal advice about tax cases, aka “that’s how business works”) is telling.

Watson Ladd


Nov 27, 2022, 6:11:10 PM

to Rachel McPherson, MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

Dear Rachel,

It has never been the case that compliance with a narrow set of rules creates trust in a human endeavor. The decision to trust a CA is an ongoing one, and the behavior of its representatives is evaluated in that light, as representative of the attitude taken by the organization to its duties. Your aggressive bloviation and evasion contrasts rather negatively to the openness with which other CAs have addressed issues before, and is most certainly affecting the trust that I would consider reasonable to place in TrustCor.

Specifically it is not clear to me what the entities and individuals being discussed who have ownership of TrustCor CA are, what the total jurisdictions where operations or entities were formed are, how these structures change over time, and what transactions were supposed to effect these changes. All we hear is a few pieces and disputing that we must care about the rest. You talk about an operational insulation agreement, but haven’t provided any details or indicated where details may be found. This incompleteness makes it difficult for me to assess your assertions about the entities involved. Nitpicking the tense and grammar of questions reminds me of nothing so much as a former President.

In the end as we have seen with WoSign, etc. the CA business is much like banking. When you have to say “we have good credit”, your credit is completely worthless already. And given that TrustCor appears to have only one customer, there really isn’t much of a reason not to expel them.

Sincerely,

Watson Ladd

Filippo Valsorda


Nov 27, 2022, 8:56:58 PM

to dev-secur…@mozilla.org

Hi all,

I agree with Watson. The original concerns, other than the potential links to a spyware operation, didn’t feel like grounds for distrust to me. However, the way this CA approached the claims leaves me without any trust in their operations. Every communication was combative, condescending, not forthcoming, vaguely threatening, and exhibiting contempt for the forum and the process. Multiple times they point fingers at other operators, rather than take the opportunity to identify potential improvement areas. They tell us what we’re supposed to care about, rather than proactively striving for transparency.

Overall, I can’t tell if the core issue—the link to a spyware operation—is assuaged or drowned and misdirected, but I do leave with the impression that TrustCor can only be relied upon to operate at the lowest common denominator of the baseline requirements. My opinion is that the baseline requirements are just that, a rock bottom that no CA may fall below, and not a bar that is enough to clear to deserve trust. Instead, TrustCor appears to believe meeting the baseline is all that is required of them, and disputes any other concerns by remarking they meet the baseline.

Frankly, a baseline CA is not particularly valuable, especially if it serves a single relatively low-volume customer, and it would seem to me it exposes the Mozilla and WebPKI community to more risk than it’s worth.

Best,

Filippo

Cynthia Revstrom


Nov 28, 2022, 3:09:06 AM

to Filippo Valsorda, dev-secur…@mozilla.org

Hi,

I agree with Watson and Filippo. The inability to answer a question so
basic as “in which jurisdictions are you a legal entity?” is not
exactly great for building trust.
Furthermore Rachel is making it unnecessarily time consuming and
confusing to follow what’s going on by repeating themselves,
stating beside-the-point things, and not answering the questions but
rather explaining why we apparently don’t deserve to know basically
anything about TrustCor.
The right course of action here would have been to give clear
answers to the questions raised, which would probably be rather easy to
do if everything was in order I would think.
Most other CAs are able to answer questions about their operations
without going into speculating about the motives of the people that
initially questioned them.

I feel the same way as Filippo about the initial concerns, I don’t
know if they are real issues or not.
However the replies from TrustCor made me lose any trust I may have
had for them and personally it would probably be for the best if
Mozilla distrusted TrustCor, especially given the very small
customer base.

-Cynthia


Rachel McPherson


Nov 28, 2022, 6:05:12 AM

to MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

Dear Kurt, Watson, Filippo & Cynthia,

Thank you for chiming in. I’m not sure how exactly you’re involved in the CA community, do you represent a CA? A browser maybe? Or any of the governing bodies? (I.e. CA/B forum member, WebTrust, ETSI, etc.). Or are you interested citizen users?

Your feedback is valuable regardless of the answer

but I think the answer also matters to this public forum.

Since this is a public forum, and anyone in the public can post here, regardless of playing an active role in the CA community, it may be easy to lose track of what this conversation is all about and why we’re actually here. Every bit of additional information we’re providing here, for the public, is done in the spirit of transparency. But we certainly have limits on what is acceptable or beyond acceptable to answer based entirely on what information belongs in the public domain versus what doesn’t.

Please brand we’re searching to protect it easy. We purchased a form of messages off-checklist since this began. Within the final 24 hours we purchased a quantity of messages with recommendation on respond to all of your messages. We are concurrently receiving recommendation to “shorten and simplify” and furthermore concurrently receiving recommendation to “re-paste the context from the outdated resolution and add to it” and so we appear to be caught in the midst of every, which is clearly upsetting all people. From the foundation now we internet tried to be forthright and clear with this community and to exhaust prior points/solutions from prior occasions to create definite we had been offering an equal or better quantity of files—we’re. Sadly for us, this community is rather busy and appears to no longer are searching to study the total solutions or brand the total context in the serve of the solutions, so we’re doing our easiest. We strive and please all people and all of us know how that turns out. For the sake of simplification I’m going to strive and respond to these common objects extra simply below with out pasting anything from before, nonetheless every little thing before goes to be beneath it.

Whereas now we internet already answered these topics in context, it be discovering that our solutions seem long and boring based mostly entirely totally on the “TL;DR brand” out of your message, so again in the spirit of transparency, let me strive to simplify responses to your topics:

The topic of Canada retains being introduced up and interestingly subsequent posters are feeding off every different’s responses versus caring to knowwhyit was before every little thing introduced up. The reason Canada was introduced up in the first attach of living was because now we internet Canada listed on our audit documentation. Now that you know the “why”, right he re is the respond:

We continue to respond to this seek files from and by hook or by crook it’s both getting overlooked or skimmed-over by the researchers. So right here’s an further strive to create it as definite as that you may possibly well well be furthermore mediate of: We are required by WebTrust (our auditing physique) to checklist in our audit reports the screech/province, and nation ofall areas of Certificate Authority amenities(“CA Companies”) that had been included in the scope of the audit. WebTrust defines“CA amenities”as:

“files centre areas (fundamental and alternate sites), registration authority areas (for registration authority operations performed by the CA), and all different areas where usual IT and industry course of controls that are relevant to CA operations in scope (along side cloud and remote areas)”


This means now we must checklist every single predicament relevant to the Certificate Authority allotment of our industry, whether now we internet folks sitting someplace, or whether now we internet kinds registered there, and even supposing it’s correct gear/storage. Here is why we checklist each Canada and the US – our operational crew, validation team, off-attach/true serve-up storageare all performed out of Canadawhereas our technical operations (pertaining fully to the Certificate Authority-allotment of our industry) is performed out of the US. These are our requirements—we don’t create them up, it’s what’s being asked of us. Since that’s how our industry is broken up, that is what we’re required to contain.

As what was already identified, our tax presence in Canada resulted in 2016. If we simply instructed you “we don’t internet a firm currently in Canada” then the seek files from would be “Then why did you aged to, what took attach of living, did you fetch sold/sold or one thing else” so in its place we gave the total context that we had a physical attach of living of enterprise in Canada before, and we had a apt entity in Canada till 2016. Nonetheless, we continue to internet key crew there who work (remotely/nearly) for the firm, so as that is one reason we must continue to checklist it on the categories even supposing there’s no apt entity they work for in Canada except they’ve their private deepest tax entity/firm which some enact. How we got stuck and fixated on Canadian incorporation paperwork is beyond me (and beyond main disclosures).

Whereas you clutch to know how we’re ready to make exhaust of folk in extra than one international locations – purchase our US workers working out of Arizona as an instance, who’re paid thru a mechanism called 1099, wherein case they (or a apt tax entity they themselves operate up) can bill the predominant TrustCor firm and be paid that manner. We internet got a an identical setup in Canada. As now we internet grown from county to nation to nation, we’ve had to hunt down mechanisms care for this that allow us to make exhaust of correct a pair of folk in every attach of living, which turns out to be extra difficult than one may possibly well agree with.

We internet got never had a “alternate on high of things” in the firm. Since it was founded in 2013, we’ve had fully a pair of traders in our Panamanian apt entity (which is our fundamental apt entity) and our debit to those traders was gay in mid-2021 after we change into employee-owned (and I’m the supreme shareholder). Extra than a 365 days after that we unexcited would no longer internet any adjustments, on the other hand since our fashioned founder handed away we enact internet some kinds cleanup unexcited to enact. Furthermore, now we internet crew in Canada, as I mentioned, and we furthermore internet crew in the US andCuraçao.Curaçaois the fully running predicament for ourMsgSafe.ioproducts and services.

I’m furthermore being asked for files off-checklist. To substantiate that right here, referring to the app that never made it out of beta into production: Sure, a third occasion developer, who we reduced in measurement and paid as a skilled, (along with numerous others) to create the app for us appears to be to internet included different third occasion software we didn’t know about. Including third occasion software with out us shimmering violated our developer’s settlement. Again, this app was never launched into production, and we abandoned native app model

over 3 years in the past

. Till it was introduced this 365 days by the researchers, we had no thought this had took attach of living and that particular person has no longer labored for us in bigger than 3 years.

And to create definite right here’s evident as neatly: TrustCor andMsgSafe.iowork fully neutral of every different, and always internet. TrustCor andMsgSafe.iointernet fully separate files centre areas, gear, servers and developers engaged on every side of those corporations so there may possibly be not any likelihood, or ever the change, for that sameMsgSafe.iodeveloper to touch anything linked to the Certificate Authority.

I hope that helps…

Thank you. What follows is merely my final respond for those that need the further context, nonetheless there’s nothing original below — the “short and reveal” solutions are all above.

Rachel McPherson

VP of Operations

Kurt Seifried

unread,

Nov 28, 2022, 6:31:29 AM (2 days ago)

to Rachel McPherson, MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

On Sun, Nov 27, 2022 at 9:05 PM Rachel McPherson <rac…@trustcor.ca> wrote:

> Dear Kurt, Watson, Filippo & Cynthia,
>
> Thank you for chiming in. I'm not sure how exactly you're involved in the CA community, do you represent a CA? A browser maybe? Or any of the governing

I think all of us are easily found through Google.

> bodies? (I.e. CA/B forum member, WebTrust, ETSI, etc.). Or are you concerned citizen users?
>
> Your feedback is valuable no matter the answer
>
> but I think the answer also matters to this public forum.

"the answer" to what exactly?

> Since this is a public forum, and anyone in the general public can post here, regardless of playing an active role in the CA community, it can be easy to lose sight of what this conversation is all about and why we're actually here. Every bit of additional information we're providing here, for the general public, is done in the spirit of transparency. But we certainly have limits on what's acceptable or beyond acceptable to answer based on what information belongs in the public domain versus what does not.

Uhm. Then why can't you clearly answer the questions?

Matt Palmer

unread,

Nov 28, 2022, 8:26:23 AM (2 days ago)

to MDSP

On Mon, Nov 28, 2022 at 04:05:01AM +0000, Rachel McPherson wrote:
> Thank you for chiming in. I'm not sure how exactly you're involved in
> the CA community, do you represent a CA? A browser maybe? Or any of
> the governing bodies? (I.e. CA/B forum member, WebTrust, ETSI, etc.).
> Or are you concerned citizen users? Your feedback is valuable no
> matter the answer, but I think the answer also matters to this public
> forum.

People who choose to declare their affiliations do so in
https://wiki.mozilla.org/CA/Policy_Participants. The fact that it's
not necessary to declare affiliations means that, in fact, an individual's
"standing" in the CA community is not particularly relevant to the discussions
here. If someone raises a valid point, then the module owner and peers will
likely take it into consideration regardless of the nature of that person's involvement in
"the CA community".

This attempt to appeal to authority is not going to engender greater trust
in the organisation you represent.

– Matt

Serge Egelman

unread,

Nov 28, 2022, 8:52:32 PM (2 days ago)

to MDSP

Based on our findings and Rachel's emails, here is my understanding of things (please correct me if any of this is wrong):

  1. At the time of its founding (though not currently), TrustCor shared the same corporate ownership with Measurement Systems, a shell corporation created to distribute mobile spyware under the guise of ad-free app monetization. Measurement Systems is linked to Packet Forensics (a dba of Vostrom). TrustCor appears to use the same Phoenix datacenter as Vostrom:
  • A rogue developer, hired by TrustCor as a contractor to develop the MsgSafe mobile app, embedded Measurement Systems' spyware SDK. This rogue developer had access to the only unobfuscated version of the SDK that we have seen in the wild.
  • This version of the SDK was customized to send sensitive user data to a MsgSafe hostname. This same rogue developer set up a proxy to receive data sent by the SDK and then forward it on elsewhere. This involved compromising one or more machines owned by TrustCor. This compromise went undetected by TrustCor/MsgSafe for 3+ years.
  • MsgSafe offered this app (with the malware SDK) to the public through the Google Play store as part of a public beta, where it was free for anyone to download up until earlier this year. MsgSafe publicized its mobile app on social media. As of this writing, MsgSafe's website still links to the Google Play store (though the app was removed earlier this year):
    [attachment: Screenshot 2022-11-28 at 9.26.56 AM.png]
  • Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually offer end-to-end encryption (E2EE), as the term is commonly understood. Instead, encryption/decryption is performed by MsgSafe's servers, giving them the ability to read email contents. (As background, the FTC went after Zoom for deceptively claiming it offered E2EE, when it didn't.)
  • Besides its MsgSafe business, TrustCor primarily issues certificates for No-IP customers through some sort of partnership arrangement. While it's been assumed (I think, unless I am misreading?) that No-IP is TrustCor's primary customer, no evidence has been offered that they are actually a customer. That is, does No-IP pay TrustCor to give away their certificates for free? Or does TrustCor pay No-IP? I am not sure this has been answered.
  • In 2010, Packet Forensics was marketing its ability to subvert TLS. It was assumed they were forging certificates, but beyond that, the specifics were cause for speculation.
  • Based on that understanding (and again, please let me know if any of this is incorrect), I personally believe it's possible that Rachel could be a victim here, if she actually is the primary TrustCor shareholder (e.g., maybe the company was given to employees, after it was no longer useful). If TrustCor's private keys were compromised at its founding or before (e.g., so that Packet Forensics could sell TLS-interception boxes), the company itself would have little continued value, as long as it passed its audits (and remained trusted by browsers and operating systems). It's therefore possible that Rachel had no awareness of this, and consequently is in the denial phase of realizing that she's the victim of a scam. This is not a statement of fact, I am just offering it as a possibility.

Finally, I want to clarify that beyond initially discovering Measurement Systems' spyware SDK and blogging about the technical details, AppCensus has had no role in any of this. We specifically asked that AppCensus not be mentioned in the WaPo article because AppCensus has had no involvement with the subsequent analysis. If TrustCor wants to send spurious legal demands, they should direct them to our university GCs.

Thanks,

serge

Rachel McPherson

unread,

Nov 29, 2022, 8:09:26 PM (yesterday)

to MDSP, Kathleen Wilson, Ryan Dickson, Clint Wilson

I hate to say this Serge, and please correct me if I'm wrong, but it really seems as though your focus is ever-changing based on any information you are given, where you see an opportunity to adapt it to form a consensus that best serves your narrative, due to your bias against us. I can't help but think this based on your last post, especially since you have now taken the approach of coming at me personally, further validation to anyone reading this forum that everything you have claimed in this dog and pony show stems from personal speculation and nothing more. I believe going forward, it's only fair for you to preface your messages with "personally" because that's all that's here.

I will continue to support this exercise of good faith and transparency, by responding in-line to your post below, even though I no longer agree with your methods and tactics, because I believe it's only fair that we set the record straight, even though you continue to make out-of-context statements.

> At the time of its founding (though not currently), TrustCor shared the same corporate ownership with Measurement Systems,

This is not accurate. A "shareholder" (of a "shareholder" or of a "holding company who's a shareholder") is not the same as an "owner". Please refer back to my many previous posts on this topic.

> a shell corporation created to distribute mobile spyware under the guise of ad-free app monetization. Measurement Systems is linked to Packet Forensics (a dba of Vostrom).

Is this a fact that those two companies are linked to one another? I don't think it's fair or necessary to make claims about other companies on this forum. Especially since the only real affiliation I can find is the one made by you and your partner. If that is what you are referring to, it's important to let the public know that these are only your assumptions and not based on facts. Then, you leave room for yourself using phrases like "linked to" since you know you can't factually define any relationship. I guess I'm linked to you also, by that reasoning.

> TrustCor appears to use the same Phoenix datacenter as Vostrom:

This only shows what networks are connected to whom and if you look carefully you'll see dozens or hundreds of connected networks for both of these companies through adjacencies and multiple Internet exchanges. We're connected to lots of people through exchanges and it's no surprise other companies are too.

If it's true that one of our data facilities happens to be in the same campus as one of another company's data facilities, then it should come as no surprise, and hardly a coincidence, that TrustCor uses a large and popular SOC-2 compliant datacenter operator. In fact, we know of many other CAs that use that same datacenter as well. Which by the way is only one of our datacenter locations.

> A rogue developer, hired by TrustCor as a contractor to develop the MsgSafe mobile app, embedded Measurement Systems' spyware SDK. This rogue developer had access to the only unobfuscated version of the SDK that we have seen in the wild.

We have explained all of this in detail in our previous posts but you seem to only pull out the content that benefits your narrative. It's important to understand that the developer was hired by MsgSafe and never had access to any of the infrastructure used for TrustCor's Certificate Authority. But I encourage readers to look at the more detailed explanation of this to see just how far off this is from anything significant.

Finding out that someone on your staff went against company policies and practices and developer's agreements is extremely upsetting. We would like to hope that this wasn't done maliciously by that ex-developer, but I don't think we'll ever know for sure. Instead, all we can do is confirm that no further damage was done – which it wasn't and put additional measures in place to make sure this sort of behaviour does not happen again – which we have.

> This version of the SDK was customized to send sensitive user data to a MsgSafe hostname. This same rogue developer set up a proxy to receive data sent by the SDK and then forward it on elsewhere. This involved compromising one or more machines owned by TrustCor. This compromise went undetected by TrustCor/MsgSafe for 3+ years.

This is not accurate. Once again, TrustCor and MsgSafe.io perform their business functions entirely independent of each other. The only machines and network that this developer had access to were only used by MsgSafe.io and strictly for the development of the beta (testing) app. To misstate either of these things the way you wrote them above makes it seem that you've either not read/understood our previous replies, or you're intentionally misleading people reading this.

Since we have made it clear that TrustCor and MsgSafe.io do not have any shared resources, I am not sure how this is even still relevant to the Certificate Authority side of our business? In addition, this was not "ongoing" for over 3 years like you speculated, this took place over 3 years ago.

> MsgSafe offered this app (with the malware SDK) to the public through the Google Play store as part of a public beta, where it was free for anyone to download up until earlier this year. MsgSafe publicized its mobile app on social media. As of this writing, MsgSafe's website still links to the Google Play store (though the app was removed earlier this year):

This is not accurate. The MsgSafe.io beta app was actually a testing beta, which could not be accessed by anyone through the Google Play store. The only way the app was accessible was to our employees or through a special social media link MsgSafe.io sent out over 3 years ago, and that link only worked for a limited time. Using that special social media link, we can tell that less than 1/10th of 1% of MsgSafe.io's users would have had the opportunity to download to test the app, and the actual number that installed it was much lower. Also, your statement about the MsgSafe.io website still linking to the Google play store is completely false. Did you even check this before making this post? In the screenshot you shared, the icon labeled "Download on Google Play" does not direct you to the Google play store, it directs you to https://www.msgsafe.io/android which actually takes you to a 404 page on the MsgSafe.io website – it never leaves the MsgSafe.io website. Had you hovered over this link you would have seen this. Needless to say we're not happy with an outdated website and this needs to be updated, but that doesn't make your false claim true.

> Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually offer end-to-end encryption (E2EE), as the term is commonly understood. Instead, encryption/decryption is performed by MsgSafe's servers, giving them the ability to read email contents. (As background, the FTC went after Zoom for deceptively claiming it offered E2EE, when it didn't.)

As we have mentioned before, there are a lot of possible ways to use the MsgSafe.io platform, one of which is for a user to upload their own public keys and encrypt using both S/MIME and GPG, or only GPG, or only S/MIME. Since there is a way to use the MsgSafe.io product that allows for end-to-end encrypted email, there is no false claim or deception here. Also, if you read the text below the E2EE heading you'll see it accurately describes a definition of what you're complaining about, again making it not a false claim. You may not agree with the definition or like it, but we're saying exactly what it does. We also let the user configure secure default settings. And even if the user doesn't configure stronger settings, the settings are still as capable as other popular email encryption solutions regardless of what they're called, and MsgSafe.io's competitors use similar language on their websites.

> Besides its MsgSafe business, TrustCor primarily issues certificates for No-IP customers through some sort of partnership arrangement. While it's been assumed (I think, unless I am misreading?) that No-IP is TrustCor's primary customer, no evidence has been offered that they are actually a customer. That is, does No-IP pay TrustCor to give away their certificates for free? Or does TrustCor pay No-IP? I am not sure this has been answered.

We have answered every question the public has asked. I'll take it this is your unique way of including a new question about what's our relationship with our customers. I can tell you that all our resellers are on pre-paid plans whereby they pre-pay to acquire a bulk quantity of credits (the more they buy the less they pay each) for which they can then use and charge (within reasonable limits) whatever they like and use whatever business mechanisms they like. Some customers, for example, choose to bundle short-term (less than a year) certificates with some tiers of their products, and also sell full-term (about a year) certificates for premium $. That's between them and their customers and how they choose to market whereas our relationship with them (in order for them to qualify as a reseller) has already been satisfied when they place bulk quantity pre-paid orders.

> In 2010, Packet Forensics was marketing its ability to subvert TLS. It was assumed they were forging certificates, but beyond that, the specifics were cause for speculation.

How is this at all relevant to us? We do not have any relationship to that company, nor am I willing to comment on any speculations you have against any company.

> Based on that understanding (and again, please let me know if any of this is incorrect), I personally believe it's possible that Rachel could be a victim here, if she actually is the primary TrustCor shareholder (e.g., maybe the company was given to employees, after it was no longer useful). If TrustCor's private keys were compromised at its founding or before (e.g., so that Packet Forensics could sell TLS-interception boxes), the company itself would have little continued value, as long as it passed its audits (and remained trusted by browsers and operating systems). It's therefore possible that Rachel had no awareness of this, and consequently is in the denial phase of realizing that she's the victim of a scam. This is not a statement of fact, I am just offering it as a possibility.

To now theorize and publicly suggest that "I am in a denial phase of realizing that I am a victim of a scam" is disrespectful and strange. I think you took this too far by making claims against me personally and I don't think it's a good representation of your professionalism. You may have forced us to be in a position to defend our company, but putting me in a position to have to defend myself personally is crossing the line. Would you have made the same assumption if I were a man?

For the record, I actually have been with TrustCor since its inception and have personally borne witness to the initialization and installation of the hardware bearing TrustCor's roots and private keys and can fully vouch for the secure handling of TrustCor's keys and credentials at all times.

Making up storylines without any merit, just because there might be a far-fetched possibility, is just wrong.

TrustCor has always committed to follow industry trends and provide a level of security, often greater than the baseline requirements, to make the community feel comfortable with our operations. I realize that the information we have provided in great detail in our previous posts could be a turnoff to most because it's difficult to read, but we have done everything in all fairness and provided as much information as we can to help dispel and address any of those concerns. I am sorry that our responses don't help to support your claims against us, but abandoning facts and adopting bias is not good. Maybe you're human and you just overreached on something that could be linked. Maybe that's healthy for a security specialist. But like you said, "This is not a statement of fact, I am just offering it as a possibility."

– Rachel

Filippo Valsorda

unread,

Nov 30, 2022, 2:46:18 AM (24 hours ago)

to dev-secur…@mozilla.org

Hi,

I tend to agree at this point that discussing the merits of the claims is probably superfluous, since the conduct of the CA's representative is a more pressing issue, but I figured that it'd be easy enough to verify how the Msgsafe product works.

1. I visited the MsgSafe home page, which at the time of this email claims "MsgSafe.io cannot read your email".
2. I signed up for a free account, specifying a recovery email address. I selected a strong password.
3. During the setup process, I was shown a couple of hex strings of 40 characters each (implying a 160-bit value, the length of a SHA-1 hash) described as S/MIME and GPG fingerprints. I was not prompted to download, upload, or generate any key or secret.
4. A webmail loaded in the browser. I could not find any encryption-related setting having a cursory look through the menus. I may have missed it. I continued with the default setup. (There was an option to forward emails to a different address, optionally encrypted. As I understand it, this involves plaintext arriving on MsgSafe's servers, and then encryption for the forwarding leg.)
5. I sent an email from my regular mailbox to my new MsgSafe address. It appeared in the mailbox.
6. I logged out and closed the browser window, and then opened a new "incognito" browser window, which shares no local state with the previous session.
7. I opened the MsgSafe home page, selected Login, then Need Help?, then Reset Password, and typed my username.
8. I received an email at my recovery address. I clicked the link, typed the username again, and a new password.
9. I was returned to the login page. I logged in with my username and new password.
10. My inbox loaded, showing the email I had sent before resetting the password.

The fact that I could reset my password and access the email archive by only proving control over my recovery address, without providing any secret value, essentially means that MsgSafe can decrypt and read my email archive, which contradicts the home page claim. (This is sometimes referred to as the mud puddle test.)

Secure email is a hard product to offer, for many reasons, and products fall on a spectrum in terms of what security properties they provide. We could debate where the line is for what can be honestly described as end-to-end encrypted. As far as I can tell, MsgSafe falls close to a regular mailbox on that spectrum.

Regards,

Filippo

Attachments:

• signature.asc
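Filippo's reset-password probe, simulated as an added example (not code from this thread, from MsgSafe, or from any project named here) against two constructed toy mailbox designs: in model A the provider generates and keeps the mailbox key, in model B the key exists only wrapped under a password-derived key, so a recovery-address reset cannot bring it back. The class names, the toy XOR cipher and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with an HMAC-SHA256 counter keystream). Illustration
    only: the example is about who holds the key, not about the cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:16], blob[16:])


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)


class _LoginGate:
    """Password verifier gating login; 'Reset Password' replaces it after the user proves
    control of the recovery address. In neither model does it yield an encryption key."""

    def __init__(self, password: str, recovery_email: str):
        self.recovery_email = recovery_email
        self._set_login(password)

    def _set_login(self, password: str) -> None:
        self.login_salt = os.urandom(16)
        self.login_hash = derive_key(password, self.login_salt)

    def check_login(self, password: str) -> None:
        if not hmac.compare_digest(derive_key(password, self.login_salt), self.login_hash):
            raise PermissionError("wrong password")

    def reset_password(self, proved_email: str, new_password: str) -> None:
        if proved_email != self.recovery_email:
            raise PermissionError("recovery address not proven")
        self._set_login(new_password)


class ServerHeldKeyMailbox(_LoginGate):
    """Model A: the provider generates and keeps the mailbox key; mail is encrypted at
    rest, but the provider can decrypt it at any time."""

    def __init__(self, password: str, recovery_email: str):
        super().__init__(password, recovery_email)
        self.mailbox_key = secrets.token_bytes(32)  # lives on the provider's servers
        self.archive = []

    def deliver(self, plaintext: bytes, password: str = "") -> None:
        self.archive.append(encrypt(self.mailbox_key, plaintext))  # no user secret needed

    def read_archive(self, password: str) -> list:
        self.check_login(password)
        return [decrypt(self.mailbox_key, blob) for blob in self.archive]


class ClientWrappedKeyMailbox(_LoginGate):
    """Model B: the mailbox key is generated client-side and stored only wrapped under a
    password-derived key; the provider holds ciphertext it cannot open."""

    def __init__(self, password: str, recovery_email: str):
        super().__init__(password, recovery_email)
        self.wrap_salt = os.urandom(16)
        mailbox_key = secrets.token_bytes(32)
        self.wrapped_key = encrypt(derive_key(password, self.wrap_salt), mailbox_key)
        # Key-check tag lets the client detect a failed unwrap (the toy cipher never errors).
        self.key_check = hmac.new(mailbox_key, b"key-check", hashlib.sha256).digest()
        self.archive = []

    def _unwrap(self, password: str) -> bytes:
        candidate = decrypt(derive_key(password, self.wrap_salt), self.wrapped_key)
        tag = hmac.new(candidate, b"key-check", hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.key_check):
            raise KeyError("mailbox key unrecoverable: the wrapping password is gone")
        return candidate

    def deliver(self, plaintext: bytes, password: str) -> None:
        # A real E2EE design has the sender encrypt to the recipient's public key; the
        # client encrypting with its own unwrapped key is enough to show key custody.
        self.archive.append(encrypt(self._unwrap(password), plaintext))

    def read_archive(self, password: str) -> list:
        self.check_login(password)
        key = self._unwrap(password)  # raises KeyError after a recovery-based reset
        return [decrypt(key, blob) for blob in self.archive]


def mud_puddle_test(mailbox_cls) -> bool:
    """Steps 5-10 of the post: deliver mail, reset the password using only the recovery
    address, log in with the new password, read the old mail. True means the archive is
    still readable, i.e. the provider can decrypt it (the product fails the test)."""
    old_pw, new_pw, recovery = "correct horse battery staple", "after-reset", "me@example.test"
    box = mailbox_cls(old_pw, recovery)
    msg = b"constructed test message"
    box.deliver(msg, old_pw)
    assert box.read_archive(old_pw) == [msg]  # readable before the reset in both models
    box.reset_password(recovery, new_pw)
    try:
        return box.read_archive(new_pw) == [msg]
    except KeyError:
        return False
```

`mud_puddle_test(ServerHeldKeyMailbox)` returns True (the old mail is readable after the reset, matching step 10 above, so the provider holds the key), while `mud_puddle_test(ClientWrappedKeyMailbox)` returns False.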

Peter Gutmann

unread,

Nov 30, 2022, 3:55:13 AM (23 hours ago)

to Filippo Valsorda, dev-secur…@mozilla.org

    Filippo Valsorda fil…@ml.filippo.io> writes:

    >Here is on occasion generally known because the mud puddle take a look at.

    Interesting, I hadn’t heard that term before. For anyone else interested,
    it’s from Matthew Green in this post:

    https://blog.cryptographyengineering.com/2012/04/05/icloud-who-holds-key/

    There’s a much more practical version that I call the ‘mud puddle test’:

    1. First, drop your device(s) in a mud puddle.
    2. Next, slip in said puddle and crack yourself on the head. When you regain
    consciousness you’ll be perfectly fine, but won’t for the life of you be
    able to recall your device passwords or keys.
    3. Now try to get your cloud data back.

    Did you succeed? If so, you’re screwed.

    Dimitris Zacharopoulos

    Nov 30, 2022, 8:22:41 PM

    to dev-secur…@mozilla.org

    FWIW, I worked several times with Trustcor’s representatives within the Server Certificate WG of the CA/Browser Forum, and more closely at the Network Security Subcommittee (now a separate Working Group). One particular Trustcor representative was very actively working with the rest of the subcommittee on improving the network security requirements and raising the bar for all CAs, offering good guidance, strong requirements, all based on good security principles that they had already implemented internally. It is very hard for me to believe that a CA that applies good security principles/practices in one area (TLS Certificates) wouldn’t apply the same good security principles/practices in another (S/MIME).

    Also, judging from the 4 closed security incidents handled by Trustcor until now (https://wiki.mozilla.org/CA/Closed_Incidents), this CA appears to have been responsive and handled security incidents meeting the expectations of this community.

    I understand that it’s an industry expectation for public CAs to have to face various challenges, including areas that are not directly related to Certificate issuance or Certificate management. It is also very difficult and stressful to handle multiple arguments in many areas including legal proceedings like company formations, headquarter transfers, data correlation, and all at the same time. I am sympathetic to any CA representative who has been in such a position where the future of a business (and its employees) is being threatened. The burden is difficult to take. I take that into consideration when reading some of Trustcor’s most recent intense posts that might be taking the Mozilla Forum Etiquette to its limits.

    I believe a good summary of the actual accusations and the actual evidence, along with the CA responses against these particular accusations (leaving out any personal attacks) would be valuable, because some of the messages in this thread have been IMHO unnecessarily long and hard to follow.

    Thank you,
    Dimitris.

    Matthew Hardeman

    Nov 30, 2022, 8:59:06 PM

    to Dimitris Zacharopoulos, dev-secur…@mozilla.org

    On Wed, Nov 30, 2022 at 12:22 PM Dimitris Zacharopoulos <ji…@it.auth.gr> wrote:

    > FWIW, I worked several times with Trustcor’s representatives within the Server Certificate WG of the CA/Browser Forum, and more closely at the Network Security Subcommittee (now a separate Working Group). One particular Trustcor representative was very actively working with the rest of the subcommittee on improving the network security requirements and raising the bar for all CAs, offering good guidance, strong requirements, all based on good security principles that they had already implemented internally. It is very hard for me to believe that a CA that applies good security principles/practices in one area (TLS Certificates) wouldn’t apply the same good security principles/practices in another (S/MIME).
    >
    > Also, judging from the 4 closed security incidents handled by Trustcor until now (https://wiki.mozilla.org/CA/Closed_Incidents), this CA appears to have been responsive and handled security incidents meeting the expectations of this community.

    I am merely an interested relying party of the WebPKI ecosystem. While there has been much brought to light that potentially paints some of those who are or were involved with Trustcor in a negative light, Dimitris’ comments are interesting in offering further context to the organization’s participation in the ecosystem.

    Something that again concerns me in this discussion is an issue that I touched on previously in the discussions related to Dark Matter: that until this program is requiring transparency as to corporate governance and management/operations authority, and establishing a basis for trust and accountability at the level of those individuals empowered by participation in this program, I believe we will continue to have these subjective trust decisions again and again. Ref: https://groups.google.com/g/mozilla.dev.security.policy/c/nnLVNfqgz7g/m/CY95HQA3AQAJ

    I once again humbly submit that I believe the executive and operational management teams of the CAs in the programs should be required to undergo the root program personal attestations as to their position and authority along with a commitment to inform this program promptly if anything has altered or replaced their authority. I believe there should be an explicit understanding that failures by such individual(s) would be held against such individual(s) personally and would bar their involvement at other trusted CAs for an indefinite period.

    I again advocate for a measurable standard for holding CAs accountable at the executive management / operations level with costs taxed upon those persons who have made commitments to this program and failed to honor them.

    It seems likely to me that one or more currently included CA could be reasonably described as owned by Blackrock or Vanguard. Much of the world is, with those institutions’ funds exercising control on behalf of the retiree funds they’ve been entrusted with. These entities also own/control some less pleasant things. Yet we don’t hold those general ownership concerns against program members. And yet, I think we would all want to know if the former manager of WoTrust were now an admin at any trusted CA?

    Kathleen Wilson

    12:01 AM

    to dev-secur…@mozilla.org

    All,

    I appreciate the thoughtful and constructive input that has been provided in this discussion.

    Based on the findings that have been shared in this discussion thread and the responses from Trustcor’s Vice President of CA Operations, we believe that the following statements directly pertain to TrustCor’s position as a CA in Mozilla’s Root Program and have not been disputed:

    • Measurement Systems is a company that has engaged in the distribution of an SDK containing malware to Android users. [1]

    • TrustCor operated a mail encryption product called MsgSafe which is operationally tied to its CA unit. Specifically:

      • The same individual was responsible for the day-to-day operation of both TrustCor’s CA business and MsgSafe. They are listed on TrustCor’s website as the VP of TrustCor’s CA operations and the Director of Operations for MsgSafe. [2]

      • MsgSafe depends upon TrustCor’s role as an SMIME CA for its operation. [3]

      • MsgSafe is highlighted prominently in TrustCor’s own benefit statement of its inclusion in Mozilla’s Root Program. [4]

      • An early, unobfuscated version of the malware SDK produced by Measurement Systems was included in TrustCor’s MsgSafe beta Android application. [5]

    • Measurement Systems and TrustCor have in the past had shared corporate officers, operational control and technical integrations:

      • Measurement Systems and TrustCor shared corporate officers until 2021 (or later). [6]

      • Ian Abramowitz was active in the operation of TrustCor as CFO and an officer of the companies which owned both TrustCor and Measurement Systems. [7]

      • A developer employed by Trustcor had unobfuscated access to the source code of Measurement System’s malware SDK and write access to the source code of the MsgSafe application and web hosting environment. [8]

    • There is no evidence of TrustCor mis-issuing TLS or SMIME certificates.

    There are suggestions of further links between the companies whose factual basis has neither been fully substantiated nor refuted. For instance, Ryan Abramowitz was previously the CEO of both TrustCor and Measurement Systems. Ryan’s LinkedIn profile previously listed: “Co-Founder / Digital Strategist TrustCor Systems · Jun 2013 – Dec 2016.” And D&B (a reputable business data company) shows Ryan as CEO of Measurement Systems.

    Certificate Authorities have highly trusted roles in the web ecosystem and it’s unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses through their Vice President of CA operations further substantiate the factual basis for Mozilla’s concerns.

    According to our policies, Mozilla weighs the risks and benefits to end-user security when deciding whether a CA should be a member of our Root Program. Ordinarily, Mozilla wouldn’t directly evaluate the benefit of the CA owner’s other products when considering whether a CA should be a member of our Root Program. However, Trustcor’s quantifying value statement rests heavily on the value of MsgSafe which has suffered from a number of problematic behaviors [9] that undermine the value proposition of MsgSafe, and therefore undermine the purported benefits for the TrustCor CA to be a member of our Root Program.

    Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweigh the benefits to end users.

    Based on our earlier conversation, we intend to take the following actions:

    1. Set “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 30, 2022, for the 3 TrustCor root certificates (TrustCor RootCert CA-1, TrustCor ECA-1, TrustCor RootCert CA-2) that are currently included in Mozilla’s root store.

    2. Remove those root certificates from Mozilla’s root store after the existing end-entity TLS certificates have expired.

    If evidence is found that the CA has mis-issued certificates or the CA backdates certificates to circumvent the distrust-after settings, then we will remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity TLS certificates to expire.

    Mozilla will not accept cross-signing of the existing TrustCor root certificates by other root CA Operators in Mozilla’s root store. If TrustCor chooses to become a subordinate CA of another root CA Operator in Mozilla’s root store, then all domain and email address ownership verification and certificate issuance have to be performed on the systems operated by the root CA Operator. I.e. the domain and email address ownership verification and certificate issuance must not be performed on systems operated by the TrustCor CA.

    Mozilla would like to thank the researchers who brought this to our and the community’s attention, as well as the contributions from other members of the community.

    Thanks,

    Kathleen

    References:

    [1] As reported in the Wall Street Journal, April 2022: https://archive.ph/AuNOy.

    [2] Rachel McPherson is listed as the Vice President of Operations, having “access-to and control-over the CA and CA Business Operations” in a company document submitted privately by Rachel to Mozilla. Press releases on TrustCor’s website list Rachel McPherson as MsgSafe.io’s Director of Operations, e.g. https://web.archive.org/web/20221108224150/https://trustcor.com/news/02052016.php.

    [3] Rachel McPherson’s response to this thread on the 18th November 2022 states “MsgSafe.io integrates with TrustCor’s S/MIME certificate API for issuance of S/MIME certificates”. Further, TrustCor’s quantifying value statement highlights that “While this might be achievable through partnership, as has been the case historically with S/MIME, business challenges and economics hinder widespread adoption which makes our continued root program membership absolutely critical.”

    [4] TrustCor’s quantifying value statement, below the heading “What Kind of Benefits can Your CA provide to Mozilla?”.

    [5] Technical analysis (1, 2) produced by Serge Egelman. The inclusion of the malware was acknowledged in Rachel McPherson’s initial response and follow up responses, as well as providing further details on how it came to be included.

    [6] The same corporate officers were acknowledged in Rachel McPherson’s initial response and confirmed in a company document submitted privately by Rachel to Mozilla.

    [7] Ian Abramowitz is described as the CFO of TrustCor on their website and Rachel McPherson’s initial response notes “They are strictly passive investors, other than Ian Abramowitz”. In a company document submitted privately by Rachel to Mozilla, Ian Abramowitz signs an agreement with TrustCor on behalf of both CHIVALRIC HOLDING COMPANY LLC and FRIGATE BAY HOLDINGS LLC.

    [8] See [5] and Rachel McPherson’s response on 21st November 2022, referencing findings from their software revision control system and their forensic investigation of the an1.msgsafe.io hostname and saved VM image.

    [9] Including, but not limited to: 1) the malware SDK produced by Measurement Systems was included in MsgSafe’s beta Android application. [5] 2) For a period of time, user data was transmitted from MsgSafe’s beta Android application to a server operated by Trustcor, before being forwarded on to a third party. [10] 3) MsgSafe’s web application transmits user messages to MsgSafe’s servers in plaintext, even though MsgSafe is advertised as offering end to end encryption. [11]

    [10] Rachel McPherson’s response on 21st November 2022, referencing TrustCor’s forensic investigation of the an1.msgsafe.io hostname and saved VM image.

    [11] End to end encryption is broadly understood to mean that only the sender and receiver of a communication should be able to read or alter the messages, as opposed to access by third parties which operate servers or other intermediary network services. MsgSafe’s website highlights the availability of end to end encryption, including the statement “MsgSafe.io can not read your email.”. Technical investigations by members of the community (1, 2) confirm that in fact the webmail client transmits purportedly encrypted messages in plaintext to the server and that the server is able to recover the plaintext of those messages without the user’s password. Rachel McPherson’s initial response describes this behavior as intentional, noting: “As the MsgSafe website explains, our team has found that implementing the key material and encryption/decryption processing on the server provides security without the additional processing requirement on the client”.
