Extract:

There are now less than 13 days until the vote and the cyber security community, civil society and the public are still unable to read the proposed regulation, let alone scrutinize its impacts.

In a media Q&A given by the European Commission on Thursday (9th November), the Commission characterized the risks raised in the open letter from cyber security experts and civil society as a ‘misunderstanding’. The Commission went on to state that the open letter had been discussed with their experts, who concluded ‘there is no risk of government spying, nor breaching the confidentiality of internet connections’.


Yup, their paid consultants (who are afaik never named) say what they are paid to say. https://www.youtube.com/watch?v=vDs57R6MYsY


The secret text of Article 45:

> I have access to the near-final text of the regulation, which is not yet public, but was leaked to me by a confidential source.

‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV; Evaluation of compliance with those requirements shall be carried out in accordance with the standards and the specifications referred to in paragraph 3.

Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1.

Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1.

1. Web-browsers shall not take any measures contrary to their obligations set out in Art 45, notably the requirement to recognise Qualified Certificates for Web Authentication, and to display the identity data provided in a user friendly manner.

2. By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates

3. Where measures are taken, web-browsers shall notify their concerns in writing without undue delay, jointly with a description of the measures taken to mitigate those concerns, to the Commission, the competent supervisory authority, the entity to whom the certificate was issued and to the qualified trust service provider that issued that certificate or set of certificates. Upon receipt of such a notification, the competent supervisory authority shall issue an acknowledgement of receipt to the web-browser in question.

4. The competent supervisory authority shall consider the issues raised in the notification in accordance with Article 17(3)(c). When the outcome of that investigation does not result in the withdrawal of the qualified status of the certificate(s), the supervisory authority shall inform the web-browser accordingly and request it to put an end to the precautionary measures referred to in paragraph 2.

There is also recital text which I did not copy.


Scott Helme has leaked the secret text of Article 45! (scroll down)

https://scotthelme.co.uk/what-the-qwac/


How the hell is legislation supposed to be secret anyway? How can you even try to obey the law if you can't know what it says...


This prevents governments, ISPs, etc from identifying which websites people are visiting and censoring their connections. Firefox are enabling it by default.


Right, because even with HTTPS it's possible to know the domain you're accessing, even though you can't tell which individual URLs you are accessing. Interesting.


It's - technically - a problem with TLS, not HTTPS. TLS requires the server to pick a key well before the user sends the first encrypted bytes (like an HTTP Host header). It's not a problem when every HTTPS server has its own IP, but that internet is gone. So if there are two domains with different TLS certificates hosted on a single IP:port, the webserver has to guess which key to use (usually one is the default).

To fix this, the SNI extension to TLS was introduced. Now the TLS client will optionally send, in plaintext, the domain name it is trying to connect to, and the webserver picks the key for that domain. Which is nice but... now the client is leaking the domain name. Encrypted Client Hello in TLS finally fixes this problem.
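To make the leak concrete, here is a small parser (an added example, not code from the thread) that pulls the plaintext SNI out of a TLS ClientHello the way a passive observer on the path would. The ClientHello bytes are constructed inline; the ECH extension codepoint 0xfe0d is the draft-ietf-tls-esni value, and the ECH payload here is an opaque placeholder, since the point is only that an observer sees the outer (public) name, not the real one.

```python
import struct

SNI_EXT = 0x0000   # server_name, RFC 6066
ECH_EXT = 0xFE0D   # encrypted_client_hello, draft-ietf-tls-esni codepoint

def build_client_hello(server_name: str, extra_exts: bytes = b"") -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI extension."""
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host   # NameType host_name(0)
    sni_ext = (struct.pack("!HH", SNI_EXT, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    exts = sni_ext + extra_exts
    body = (b"\x03\x03" + bytes(32)          # legacy_version + random (zeros, constructed)
            + b"\x00"                        # legacy_session_id: empty
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return (sni_host_or_None, has_ech) for a TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version + random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    sni, has_ech = None, False
    if pos + 2 > len(body):
        return sni, has_ech                               # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == ECH_EXT:
            has_ech = True
        elif etype == SNI_EXT and len(data) >= 5 and data[2] == 0:
            # ServerNameList: u16 list_len, then (u8 type, u16 name_len, name)
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii", "replace")
    return sni, has_ech

def demo():
    """Plain ClientHello leaks the real host; with ECH only the outer public name is visible."""
    plain = build_client_hello("secret.example")
    ech_payload = struct.pack("!HH", ECH_EXT, 4) + bytes(4)   # constructed opaque ECH payload
    with_ech = build_client_hello("public.example", ech_payload)
    return extract_sni(plain), extract_sni(with_ech)

if __name__ == "__main__":
    print(demo())
```

The same parser is what a network monitor uses to log SNI for visibility; on an ECH connection it can only record the public front name plus the fact that ECH was offered.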


Previous discussion from Cloudflare's launch: https://news.ycombinator.com/item?id=37703885


My read is that Mozilla were much more concerned about the shared ownership and operations with Measurement System, than the presence of the malware. I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?


I do agree that we shouldn’t allow something that overt.

But, if I read correctly, Rachel claimed that there was no longer any shared ownership and tried to explain that ownership in the sense the word was being used was not a correct term in the first place. I believe she said it was a shared incorporation service / legal counsel / investor, at most, and that the speculation as to that relationship conferring any authority pertaining to the CA's operations was entirely incorrect since the executive authority had long since been signed over to actual company officers.


I read the full thread (except for paragraphs where she pasted from previous responses).

She failed to reasonably and convincingly refute some allegations. There were repeated requests to provide information, some of which would be trivial to produce if acting in good faith.

After reading the exchange, I (as a reasonable bystander with no material interest in either side):

* Don't understand the relationship between TrustCor and the malware distributor in a clear way that company ownership records would provide

* Take it as a false statement that the mail service doesn't have apps, as its website advertises them

* Don't understand how their auditor audited them when they don't appear to have a presence in Canada that would be factual based on the extracts from the auditor findings

Unrelated to her responses, I could take it on faith that a rogue developer added spyware from a company with the same owners, but the finding that the payloads were sent to TrustCor servers diminishes my acceptance that sufficient controls exist in the company not to question the security of them as a CA.


Re: your last point: I find it especially concerning that all the questions about TrustCor's apparently compromised server were answered with, "MsgSafe's and TrustCor CA's infrastructure is separate". The concern was that TrustCor's practices led to their servers being compromised, which isn't a great sign for a company which operates a CA, even though it wasn't the CA servers themselves which were compromised. Nothing Rachel wrote indicated that the CA servers are operated in a more secure way than the MsgSafe servers, nor that they have changed any practices in response to the compromise.


"No longer any shared ownership" was asserted, but never backed up because of (it was claimed) issues with getting legal documents updated in a timely fashion.

Combining that with basic questions about how exactly ownership changed that were never answered and instead obfuscated behind reams of "nothing speak".

The final basis for the determination seems to be that the main loss from distrusting the TrustCor CA was their sibling company's private email service that is, at best, advertising itself under a very shady definition of E2EE.

Thus this seems like an easy decision to me.

The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.


>The interesting conclusion that follows from that is that if you are going to operate a shady CA, it behooves you to find some large clients to make cost of revoking your trust higher.

...Which in essence means CA's probably shouldn't exist as a standalone thing, and everyone should learn to build their own trust networks. None of this vouch nonsense, or Trust theater.


But she never said who actually owned these companies or how they were related, and said doing so would lead to tax problems. That was rather suspicious.


I have no problem saying that if your ownership structure is such that your lawyers or accountants have advised you not to reveal it publicly, you should not be in the CA business.


Apple runs a bunch of crap through a tax loophole in Ireland. Should they be trusted running the entire mobile ecosystem that underpins all of this in the first place? I actually agree that shady companies shouldn't be swept under the rug. But I don't agree with the hypocrisy of singling out some random CA for doing things that most every other company out there does because we lack the backbone as a society to put a stop to the shadiness.


If they are transparent about what they're doing, then it's not the same case I was talking about.

I can't see Apple saying "Well, on advice of our lawyers we can't actually explain our corporate structure to you." Is it a secret that they have a corporate entity in Ireland, is it a secret what they do with it? Or is it public knowledge that they don't hide?

So I wouldn't describe secret ownership structures as a thing "most every company out there does." But I'm not going to say Apple doesn't do unethical things. (Also is Apple even a trusted root CA for mozilla or microsoft browsers?)

I think non-transparency is an even higher level of problem for a CA. Secrecy about your corporate structure does not seem okay for a CA -- we need to know who they are and who controls them, non-negotiably. Secrecy of corporate structure does not seem like a thing most every company (or every CA) out there does.

But it's quite possible Apple should _not_ be trusted to "run the entire mobile ecosystem" that uses Apple products. You can make that argument. And we can talk about what the heck any of us can do about it individually or collectively if so. That's a different question than who should be allowed as a trusted CA root, or who Mozilla or Microsoft should allow as a trusted CA root.

When you say "that underpins all of this in the first place", I'm not sure what you mean; Mozilla and Microsoft trusted CA roots effect people who aren't doing anything with Apple products, Apple does not in fact "underpin" the entire SSL CA system in the first place. I don't know what to do about the Apple ecosystem if Apple can't be trusted, but I support Mozilla, Microsoft, or anyone else removing trusted CA roots belonging to companies with secretive corporate structures, ownership, or governance. All of this can be true. Apple doing unethical things doesn't mean mozilla or microsoft should allow a trusted root CA with secretive corporate ownership structure.


Sure. The Apple stuff is just an example, I don't mean to suggest they're a CA, but they are trusted to ship the list of CAs that you trust to your devices as are MS and Mozilla, so the exact same question of "should we trust them if they are a corporation of questionable ethics that do the same sort of tax things" exists and is apropos. Why is there a double standard? I find it rather inconsistent that we're going after some "shady" CA for essentially not being forthcoming in response to allegations that they consider false and have no duty to set straight without material proof that the allegations are to be taken seriously, and who look to be the target of a journalistic smear campaign involving forming similarly named corporate entities in the US to try and extract private information about the company via extrajudicial means. I mean why stop with TrustCor? Let's deploy the arsenal! Let's examine the interests of all parties funding all of the systems we trust in society. Seriously. If we're going to give a shit about something why is it some CA nobody's heard of where there is absolutely zero evidence of non-compliance with the required CA processes? Why spend effort on this? It's hardly news that companies try to minimize tax liability by structuring themselves in advantageous ways. What, pray, is a hallmark of a trustworthy company? Perhaps the public should vote on CA inclusion in the root trust list. Fuck the CA oligarchy.


To be honest, it sounded like Rachel herself did not know exactly how the company ownership was structured. It seemed obvious that it was a US company that incorporated abroad for some reason, and that alone is pretty sketchy. It looks like they are trying to hide who actually controls the company. That alone should be reason not to trust them.


Let's agree. Apple, then, should not be trusted either.


You could keep crows away from an entire field with the number of times you've trotted out that strawman. Just leave it be.


It's not a strawman. Literally we're saying "you see TrustCor CA didn't do anything wrong by the books, but we can't trust them anymore because they can't articulate their corporate structure on demand after scandalous allegations". Well, I simply ask people to consider how any other corporation in the same situation would respond. My bet is they'd also be less than forthcoming. And my example is Apple, who we know exploits tax loopholes via complex corporate governance structures, who everyone seems okay with trusting. It just doesn't make sense to me.


Apple is a public company and it's very clear who owns and who controls the company. They're a multinational company that consists of multiple legal entities, and it's generally not a secret who you are doing business with.

TrustCor is a company that looks like a front for a Spyware maker, and when asked about that they say: "It's not like you think, but we don't want to tell you what the actual situation is, so you'll have to trust us, it's fine! Also the spyware we were caught distributing is totally not our fault, it's from a contractor in a completely different business unit and is totally independent from our CA business, but again we can't tell you more because it is secret. But trust us, the CA business is completely legit. And the sketchy things you found were all the idea of a guy who passed away recently, so we unfortunately can't ask him why he did it, but it's all legit don't worry trust us."


> I think we can agree that you can't be doing crimes under one company name and simultaneously operate a trusted CA under another?

Playing devil's advocate: Why not? I mean yes, obviously if you end up in jail that might interfere with your ability to operate a CA (or any company for that matter). But barring that, as long as they haven't done anything to affect the security or proper operation of the CA certificate itself, why is that a basis for removing them from root stores? To the best of my knowledge this action is unprecedented.


Trust would seem to be the key word here. How can you trust an entity in one context when they have proven themselves untrustworthy in another?


> can you trust an entity in one context when they have proven themselves untrustworthy in another

We do that all the time. If, rather than TrustCor being associated with a company making malware we'd instead found out the company's CEO had cheated on his wife, would that be grounds for removing them from the root certificate store? Context matters.


I agree there was a lot of mud slinging in that thread, but this is the key bit from Mozilla's response, supported by statements which Trustcor haven't disagreed with:

> Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

It's not some other company, it's the same owners and operators doing malware under one name and running a CA under another.


The most shocking aspect of this is how it reveals that Mozilla, Microsoft and Google do zero due diligence before adding a new root CA. Relying on independent researchers to find problems.


Is that still the case? Or is it just new root CAs get the appropriate amount of scrutiny, but a lot of existing CAs have been effectively grandfathered in because they were added two decades ago when folks weren't as diligent?

EDIT: elsewhere in the thread someone linked the bugzilla request for TrustCor to be added. I had assumed that was a long time ago, but it's "only" 7 years ago.


Followed up yesterday with:

"Certificate Authorities have highly trusted roles in the internet ecosystem and it is unacceptable for a CA to be closely tied, through ownership and operation, to a company engaged in the distribution of malware. Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

[...]

Our assessment is that the concerns about TrustCor have been substantiated and the risks of TrustCor’s continued membership in Mozilla’s Root Program outweighs the benefits to end users.

In line with our earlier communication, we intend to take the following actions:

    1. Set “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 30, 2022, for the 3 TrustCor root certificates (TrustCor RootCert CA-1, TrustCor ECA-1, TrustCor RootCert CA-2) that are currently included in Mozilla’s root store.
    2. Remove those root certificates from Mozilla’s root store after the existing end-entity TLS certificates have expired."


>Trustcor’s responses via their Vice President of CA operations further substantiates the factual basis for Mozilla’s concerns.

So Mozilla is flatly stating that Rachel's Gish galloping bullshit responses in the discussion were a significant part of the reason they don't trust her. She should have just followed a good lawyer's advice and kept her mouth shut, because she made her own problems much worse with her own words.


> And from Mozilla "I tend to agree at this point that discussing the merits of the claims might be superfluous, because the conduct of the CA's representative is a more urgent issue [...]"

This comment was made by Filippo Valsorda, previously engineer at Google now independent, not Mozilla.

edit: my bad, I didn't know Filippo had left.


Filippo Valsorda is now an independent consultant https://filippo.io/


Filippo actually left Google a few months ago and is now an independent security researcher.



> It's not some other company, it's the same owners and operators doing malware under one name and running a CA under another.

Right! That’s insane.

Even if they’re innocent, which they may be, it’s too close of a connection: I can’t bet on a parent company remaining ethical when they’re in a position to decrypt all the traffic they handle.

CAs need to be trusted absolutely. Given the many well-documented instances of unethical corporate behavior, I won't wait for specific evidence of malconduct. This isn't criminal justice, this is risk assessment 101. A CA whose parent company owns a company that produces malware presents a significantly higher risk of abuse than a CA that does not have a sister company developing malware. Even if they don't deliberately manufacture malware, the sister company demonstrated operational incompetence that's ripe for abuse.


Was that true? I believe that amounts to speculation by the security researchers. Rachel said that at most there was shared incorporation services / early investment but that the CA has no legal relationship with the other company doing malware. And any similarity of names on founding documents is purely speculation and furthermore no longer relevant since TrustCor executives hold all authority.


These are the references that Mozilla listed:

"[6] The identical corporate officers were acknowledged in Rachel McPherson’s initial response and confirmed in a company document submitted privately by Rachel to Mozilla.

[7] Ian Abramowitz is described as the CFO of TrustCor on their website and Rachel McPherson’s initial response notes “They are strictly passive investors, with the exception of Ian Abramowitz”. In a company document submitted privately by Rachel to Mozilla, Ian Abramowitz signs an agreement with TrustCor on behalf of both CHIVALRIC HOLDING COMPANY LLC and FRIGATE BAY HOLDINGS LLC."
