[18:40] <JanC> https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/ → are you working on removing TrustCor CAs from browsers, ca-certificates, ...?
[19:13] <mdeslaur> JanC: we can't really for ca-certificates...mozilla isn't removing the CA, they are rejecting certs issued after a certain date...something that ca-certificates, openssl, gnutls don't support
[19:13] <mdeslaur> JanC: for firefox and thunderbird, they use their own embedded nss, so it will get updated with the next browser updates
[19:14] <JanC> that seems problematic, as they can easily antedate their own spyware certificates
[19:14] <mdeslaur> hrm, yeah, that's true...I wonder why mozilla chose to go that route instead of just removing it
[19:14] <mdeslaur> and I wonder if anything legitimate was signed by them
[19:14] <mdeslaur> if not...
[19:15] <mdeslaur> I'll have to see if there's been any updates in the mozilla bugs
[19:16] <JanC> it's possible TrustCor did some legit stuff to cover for the spyware, but IMO better to block those than allow the spyware (the faster their customers are aware the better!)
[19:17] <JanC> I mean, legit customers would be even more vulnerable
[19:19] <JanC> I wish the people who distribute these CA collections would do more due diligence on CAs  :-(
[19:20] <JanC> any company that uses anonymous tax haven addresses & PO Boxes as their only company addresses should never be allowed to be a CA
[19:22] <mdeslaur> this is mozilla's commit https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9
[19:22] <mdeslaur> perhaps I'm misinterpreting CKA_NSS_SERVER_DISTRUST_AFTER
[19:22] <mdeslaur> I thought it meant certs they signed after that date, but now I think I'm wrong
[19:23] <JanC> you might be right about what they do, but I think that is wrong
[19:24] <JanC> that only makes sense when a CA can be trusted and only the certificate is compromised
[19:24] <JanC> or something like that
[19:27] <mdeslaur> so this was their decision: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
[19:27] <mdeslaur> "There is no evidence of TrustCor mis-issuing TLS or SMIME certificates."..."If evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then we will remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity TLS certificates to expire."
[19:29] <mdeslaur> I'm curious if any legitimate services will be blocked if we remove the cert completely
[19:29] <mdeslaur> we did something similar in the past with a cert that mozilla had just dated and we got burned, so I'm hesitant to remove something mozilla hasn't
[19:32] <JanC> supposedly they've worked with a company that makes secure traffic inspection boxes in the past...
[19:32] <mdeslaur> lol, that doesn't sound good :)
[19:36] <JanC> stuff like """TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK.""" are even less assuring
[19:36] <JanC> selling "secure mail" products that contain spyware?
[19:36] <JanC> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ?
[19:38] <JanC> """TrustCor uses Princeton Audit Group (PAG) as its auditor.
[19:38] <JanC> According to CCADB records, PAG does not audit any other publicly-trusted CAs. """
[19:40] <JanC> they have been sued for registering domains that almost looked like company domains too (intended for phishing?)
[19:40] <mdeslaur> ok, I think you've convinced me...let me think about it and I'll probably prepare ca-certificates updates on monday once I've gotten an agreement from the rest of the team
[19:40] <JanC> maybe discuss it with others (other distros, upstream?)
[19:41] <JanC> https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-1096#:~:text=Investigations%20conducted%20by,clients%20or%20employees
[19:42] <JanC> I can't see any legitimate reason for a legitimate CA to buy any "bfgoodrich" domains
[19:43] <JanC> that "safe mail" tool is supposedly often used by scams & phishing & such also
[19:44] <JanC> (but that's probably true about some legit safe mail providers)
[19:44] <mdeslaur> I've asked the other in the team if they are in agreement and I'll remove them
[19:44] <mdeslaur> *others
[19:47] <JanC> I suggest reading that WP article (& their previous one) + everything they link to  :)
[19:48] <JanC> personally I have blocked them, but it's unlikely I will encounter any of their legit uses  :)
[19:53] <JanC> """I have listed a few of the public audits I have found here [1], and Mozilla
[19:53] <JanC> also has them listed here [2]. What I've found is that in the standard and BR
[19:53] <JanC> audits for 2018, 2019, 2020, and 2021, as well as the code signing audits for
[19:53] <JanC> 2020 and 2021, their auditor consistently describe the CA's "Certification
[19:53] <JanC> Authority (CA) operations at Toronto, Ontario, Canada". According to what I've
[19:53] <JanC> learned from this thread (please correct me if I am wrong) TrustCor was not a
[19:53] <JanC> Canadian company during this time and did not have an office in Canada. This is ten different audits over four years."""
[20:02] <JanC> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/Equ9-qk5BQAJ
[20:02] <JanC> """Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually provide end-to-end encryption (E2EE), as the term is commonly understood"""
[20:07] <JanC> mdeslaur: seems like mostly No-IP customers would be impacted?
[20:08] <JanC> that might be a significant number of people...
[20:22] <JanC> although maybe it's only the free tier
[23:24] <mdeslaur> JanC: I will be preparing ca-certificates updates first thing monday morning.
[23:25] <JanC> okay  :)
[23:26] <JanC> I hope the fall-out isn't too big
[23:27] <JanC> most people only would encounter those certificates in their browser anyway
[23:28] <JanC> especially those who wouldn't understand what's happening