A tiny company with a UPS Store address could help the government get around browser security

TrustCor has the power to tell your browser if a site is legitimate, but an investigation reveals it has ties to US intelligence.

Illustration of a phone with yellow caution tape running over it.
Photo by Amelia Holowaty Krales / The Verge

A report from The Washington Post has raised doubts about a root certificate authority with ties to US intelligence that is used by Google Chrome, Safari, Firefox, and other tech companies. The company in question, called TrustCor, works as a root certificate authority to validate the trustworthiness of websites — and while the report found no concrete evidence of wrongdoing, it raised significant questions about the company’s trustworthiness.

Root certificate authorities protect against both website forgeries and attacks. Since root certificate authorities also have the power to give others the ability to grant certificates, an authority linked to surveillance or malware efforts raises concerns, as it calls the entire certification system into question.

The Post lays out significant evidence that, at the very least, TrustCor is connected with more than straightforward authentication. TrustCor’s Panamanian registration records show significant overlap with an Arizona-based spyware company associated with Packet Forensics, including an “identical slate of officers, agents and partners” shared between the two companies. A well-known surveillance contractor, Packet Forensics has reportedly sold communication interception services to US government agencies for over 10 years.

Another of TrustCor’s partners is linked to Raymond Saulino, who, as it turns out, is named as a spokesperson for Packet Forensics in a Wired article from 2010. Saulino pops up again as a contact for Global Resource Systems, a company that managed over 175 million IP addresses for the US Department of Defense. It’s still unclear why the Pentagon transferred those IP addresses to the company, but the Pentagon told The Post at the time that it was part of a “pilot effort” to “identify potential vulnerabilities” and “prevent unauthorized use of DoD IP address space.”

The result raises real concerns that TrustCor may have abused its power as a certificate authority to further US surveillance operations. Cybersecurity researchers Joel Reardon of the University of Calgary and Serge Egelman of the University of California at Berkeley told The Post they believe TrustCor might use its ability “against high-value targets within short windows of time.”

According to The Post, TrustCor’s also linked to a Panamanian company called Measurement Systems. This is the same firm that The Wall Street Journal reported earlier this year had been paying developers to include a string of its code in various apps to harvest data. The spyware — which was found in a Muslim prayer app, a speed trap detection app, a QR code reader, and others — recorded users’ phone numbers, email addresses, and locations. Google ended up removing these apps from the Play Store.

Reardon and Egelman also found that one of TrustCor’s products, an encrypted messenger called MsgSafe.io, isn’t actually encrypted and lets MsgSafe read any messages sent through the app. When The Post looked up the physical address of TrustCor, it was directed to a UPS Store in Toronto. The outlet also found that the email contact form on TrustCor’s website doesn’t work, and its Panama-based phone number has been disconnected.

TrustCor can only keep certifying websites (and giving others the ability to certify them as well) because browsers like Chrome, Safari, and Firefox recognize the company as a root certificate authority. As noted by The Post, the cybersecurity researchers notified Google, Apple, and Mozilla of their findings but haven’t heard much back.

In a statement to The Verge, Mozilla says it finds the research “deeply concerning” but it does “not yet have evidence that certificates issued by TrustCor have been abused.” It’s giving TrustCor until November 22nd, 2022 to respond to its “request for further information” on Mozilla’s public dev-security-policy forum. “Depending on further investigations, relevant external developments, and TrustCor’s response, Mozilla intends to take the necessary steps to protect our users from potential harm,” the company adds.

Google also responded to the researchers’ findings on Mozilla’s forum, similarly saying it “did not find signs of mis-issuance or clear violations” when looking into TrustCor’s TLS (transport layer security) certificate issuance. “Chrome maintains a variety of mechanisms to protect its users, and is prepared to use them as necessary.”

Apple didn’t immediately respond to The Verge’s request for comment.

Update, 3:45PM ET: Updated to add a statement from Mozilla.

Update November 9th, 4:58PM ET: Updated to add a response from Google.