"UCalgary Research Raises Questions About Internet Security"

Research by Dr. Joel Reardon, a University of Calgary Internet security and privacy expert, and his colleague, Dr. Serge Egelman, at the University of California, Berkeley, has led to the web browser firm Mozilla removing an offshore company as a trusted "root certificate authority." Root certificate authorities are the foundation of all Internet security, and their removal is both rare and significant.

Any root certificate authority can vouch for a website's legitimacy. The major web browser companies and other technology companies rely on root certificate authorities to ensure the legitimacy of websites and to seamlessly guide users to them. When a user goes to a website, the only way they know they are talking to the right website is that some root certificate authority they trust says so.

The Washington Post explored Reardon and Egelman's concerns about a Panamanian company, TrustCor Systems, which is a root certificate authority. The researchers informed Mozilla, Google, and Apple of their findings, and the case was discussed in an online forum attended by other Internet security experts and browser specialists. After a month of discussion, Mozilla decided on November 30 to "distrust," or essentially remove, TrustCor's root certificate authority from Mozilla's Firefox browser.

An improperly acting certificate authority could expose millions of Internet users to people spying on their Internet activity and gaining access to users' phone numbers, email addresses, and exact locations. Certificates are also used for "code signing," which ensures that computers receive software updates from legitimate sources. As a result, a misbehaving certificate authority could tamper with this process.

Reardon and Egelman's research revealed that TrustCor had ties to another company, Measurement Systems, a software maker that can spy on Internet users. TrustCor's products include an email service that claims to be end-to-end encrypted. Reardon, Egelman, and other experts discovered evidence that the company reads emails sent through its system. This article continues to discuss the discovery of security and privacy issues associated with the TrustCor root certificate authority.

University of Calgary reports "UCalgary Research Raises Questions About Internet Security"

 
