To the Root Certificate Program, the CA/B Forum community and the public at large,
TrustCor entered the CA business over 7 years ago and, like many of our fellow root certificate program members, at first we struggled through the considerable work and exorbitant costs to do things correctly. Since certification we have run an exemplary, fully-audited Root Certificate Authority program as a growing business focused on privacy and low cost-of-entry certificate services. We participate in the CA/B Forum and do our utmost to contribute to the community. For example, we once led the Network Security Working Group (NSWG) to promote standards for enhancing technical security in the CA community, and we made many friends and good working relationships at the CABF gatherings over the years.
Apart from our CA work, we also bought an aging email service with a few customers, and invested substantially in developing it into a flagship email security product line compatible with global email security standards including both S/MIME and GPG. Then, over the last few years, we added unique features our customers demanded. Today it stands alone as a valuable email service enjoyed by millions around the world as an alternative to other popular web-based secure email providers.
All the while, we've struggled with our business while our founder struggled through cancer treatment. It saddens me to say our friend and leader Ian Abramowitz lost his struggle with cancer and was laid to rest in Canada recently, and out of respect for his family we have been quiet with the media and have never discussed his personal story or why he identified so strongly with the need for privacy. We tirelessly strive to continue his work and vision in his absence.
I’m writing this note in response to a false narrative being published about us recently by a biased group of security researchers and the Washington Post. It is filled with ridiculous, false claims and out-of-context statements twisted to fulfill a baseless prophecy imagined by a group of researchers who are more concerned with enriching themselves and their company than they are with Internet security. Their statements are not only lacking truth, but they go against the founding principles and culture of our company. They dishonor our entire staff who work hard every day to provide security to the community, even when much of that work is delivered through low-cost or even free products and services we develop and operate for the good of the community and for the greater social good—for which we have an unmatched and unblemished track record. Our software and services protect on-line transactions and people millions of times every day, and we are one of the few (only?) on-line email services to protect our customers above all, unlike so many others. It’s the core of what we do and who we are.
To put it plainly and directly, TrustCor has never cooperated with information requests from the US Government, or any government for that matter. Likewise, we have not assisted or enabled any company or third party to surveil, monitor or in any way gather information on our customers for the purposes of providing it to anyone else in any form.
TrustCor has never allowed a certificate and/or key material to be generated outside of our audited and published standard processes, common amongst the entire industry. We live in a world with:
- certificate transparency logs,
- face-to-face audits once or more per year with third-party auditors having direct access to internal records, offices and equipment,
- network security audits by separate, recognized industry experts,
- a fixed set of options for auditors controlled by WebTrust/AICPA,
- the CCADB,
- and hyper-social accountability.
To assume any violation of these safety measures would be silly, or at least completely impractical, and would render the standards a waste of everyone’s time and money, which would set a new precedent. What’s more, we’ve never even been accused of any false issuance or mishandling of material, etc.
TrustCor has never released a non-beta, public version of any mobile phone software, and in fact the only mobile-friendly configuration we support is direct-from-browser mobile access that leverages the popular industry-standard framework for delivering near-app-quality mobile experiences using web browsing on mobile devices. You don’t need any downloaded software to use it whatsoever.
What is true? TrustCor has sustained numerous attacks against its infrastructure over the years and, to our knowledge and based on third-party incident responders, has never lost any customer data or allowed the access of any key material. These attacks have been significant and have increased in sophistication, and they are not just cyber. The most recent attacks against us involved the creation of companies in the United States very similarly named to those of our shareholders (which have since been dissolved). We believe those may have been used in an effort to do something cyber-physical; however, our only evidence of that has been an attempt to gather more information about our company through insurance inquiries by these companies (which were caught and stopped). The last potential attack was the ownership of a "lookalike" domain name that we also caught and, through legal means (by enforcing our trademarks), forced an affiliate of one of the companies mentioned in that article to sell to us, which they did. We have no evidence of whether or not it had been used in phishing or any other attacks.
It’s clear we’ve been the target of attacks, presumably by a US defense contractor, but that is being denied by that company. We only know what we know, which is that the researchers appear to be completely off base in their interpretation of the facts of these lookalike companies and lookalike domain names, which indicate an attack against us, not cooperation with us. Perhaps they are working with the US defense community; we have no idea. We believe the "cyber researchers" referenced by the article have made a lot of false claims simply because they don’t understand the world of certificate authorities, nor do they understand non-cyber security or national security matters. They found a domain name while working on another project involving a US defense company, and then apparently declared themselves experts unilaterally across all fields. We had already found the domain by that time and had already used our legal trademarks to recover it from the company that had bought it (which, by the way, was not a company they mention).
To our partners and peers in the industry: we are an open book to you. We all know we’re in one of the most audited and security-cognizant fields in our industry, and we are available to you to satisfy any concerns you have. We’re committed to the process of keeping your trust amidst these baseless ideas and cyber-commentary.
To our customers and stakeholders: we are an open book to you. We offer features similar to others in our industry, and if you have specific questions about technical operations or standards, or about how our service is better or different from other services, please get in touch with us through customer service and we’ll be happy to engage with you about it.
To publishers including the Washington Post: How can you publish baseless, unsubstantiated claims made against anyone without fact checking them? When you contacted us, we responded. If you didn’t like the response, why did you write that we didn’t respond? That’s dishonest and unreasonable. We are investigating claims of libel against you, but at the very least you should inform your readership that in fact your claims were based solely on rumor and are denied by our company. The damage done to our reputation is sure to be significant and was avoidable with honest dealings and truth if you’d only spoken with us openly.
Respectfully and Resiliently,