The company that verifies safe websites in your browser works for the US government

HTTPS in a browser address bar
(Image credit: Shutterstock)

A company that several major web browsers rely on to verify safe and secure websites has links to U.S intelligence agencies and law enforcement, new research has claimed.

An expose by the Washington Post (TWP) (paywall), which draws its conclusions from documentation, records, and interviews with security researchers.

TrustCor Systems’ Panamanian registration records reveal that it shares personnel with a spyware developer previously identified as having links to Arizona company Packet Forensics, which public records have previously unveiled to have sold “communication interception services” to US agencies “for more than a decade.”

Root certificate infrastructure

Google Chrome, Apple Safari, Mozilla’s supposedly secure browser Firefox, and several others all allow TrustCor to sign root certificates for websites it deems as safe and legitimate, directing users to them, instead of potentially convincing fakes.

TrustCor maintains that it has never cooperated with government information requests or monitored users on behalf of a third party. However, the Pentagon is refusing to comment, and Mozilla is demanding answers from TrustCor while threatening to remove its authority.

The revelations surrounding TrustCor pose a PR nightmare for browsers like Firefox who market themselves as privacy tools, but its own products can now also no longer be considered safe for its end users.

MsgSafe, an email provider from TrustCor that purports to offer end-to-end encryption, has been denounced by security experts speak to TWP, claiming that an early version of the software contained spyware developed by a company linked to Packet Forensics.

 An expert familiar with Packet Forensics’ work explicitly confirmed that it had used TrustCor’s certificate process and MsgSafe to intercept communications and “help the US government catch suspected terrorists”. 

He also claimed that TrustCor’s products and services were only being used to seek out these “high-profile targets”, and there have been  no reports of root certificates being used to vouch for impostor websites for purposes such as data collection.

However, the doubt seeded by the revelations may cause reputational damage to the web browsers involved, as there’s no way of knowing if TrustCor’s strategy will change.

Luke Hughes
Staff Writer

 Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.