Mozilla and Microsoft will remove three TrustCor root certificates. These certificates are no longer trusted by browsers.
Mozilla has set the detrust date for November 30, 2022, and Microsoft for November 1, 2022. Other browser manufacturers will follow.
Early concerns about TrustCor were expressed in Mozilla Dev Security forum in early November by Joel Reardon, a professor at the University of Calgary, and others.
The main allegation leveled against TrustCor was that it appeared to be linked to Measurement Systems, which “distributed an SDK containing spyware to Android users”. The following items were presented:
Measurement Systems and TrustCor registered their domains from Vostrom Holdings.
The two companies have the same corporate executives.
TrustCor manages the MsgSafe email encryption product. A beta version of MsgSafe contained the “spyware SDK version” from Measurement Systems.
Ultimately, it was clear that there were ties between Measurement Systems and TrustCor, at least until 2021, and that a developer hired by TrustCor had access to the source code of Measurement Systems' spyware SDK. However, no clear evidence of malicious certificate issuance was presented.
However, Mozilla has decided not to trust TrustCor certificates as of November 30, 2022, and they will be removed from the root store when they expire. Certificates can be removed immediately if "evidence is found that the CE has used malicious certificates".
Microsoft didn't say anything, but it set the certificate detrust date as November 1, 2022.
Read the full debate, with evidence and commentary from here.
Firefox users can delete TrustCor certificates directly from the browser.
Open the internal address about:preferences#privacy
Scroll down until you find the Certificates section.
Click on “view certificates”
Find TrustCor. The list is in alphabetical order.
Select the TrustCor certificates one by one, press Delete or Distrust and confirm your selection.