Google has announced that it will drop TrustCor Systems as a root certificate authority (CA) for its browser.
In a statement posted to a group discussion, the tech giant said it had “lost confidence in its ability to uphold these fundamental principles and protect Chrome users.”
Joel Reardon, a University of Calgary professor and privacy researcher in the mobile space, said his team “discovered and disclosed a spyware SDK embedded in an app that invasively tracks users.”
TrustCor Root Certificate Authority
Investigative journalists with The Wall Street Journal found that TrustCor was registered only a month apart from Measurement Systems, the company behind the SDK, both in Panama.
Reardon stated in his notice: “To be clear, I see no evidence that TrustCor issued the wrong certificates or otherwise abused their power in code signing, SMIME, and domain verification… perhaps the same ownership of TrustCor and Measurement Systems is a coincidence.”
Beyond that, there are a number of unfortunate related coincidences that have led companies like Microsoft and Mozilla to drop TrustCor as a root CA as well.
The change will go into effect with the rollout of Chrome 111, which will land on March 7, 2023, after a beta release about a month earlier. Older versions of Chrome capable of receiving component updates will also be included in the changes.
We’re not yet sure how long it will take for the changes to be rolled out to Android devices. Unlike desktop Chrome, which can update itself, Android’s root certificates are updated as part of the overall operating system, which is likely to cause delays.
While some applications, such as Firefox for Android, can configure their own set of CAs on top of the operating system’s root store, this is not the case for Chrome.
While tech giant Apple has yet to announce any decision, TrustCor has issued a public statement on its website.