In a recent Internet security kerfuffle, Symantec issued the surveillance company Blue Coat Systems a powerful digital certificate: an intermediate CA certificate that lets Blue Coat mint certificates for, and so impersonate, the web server of any secure business or financial institution. See my original post for background, Blue Coat has Intermediate CA signed by Symantec.
In a statement, Symantec notes that companies often test with their own intermediate CA. While it is true that companies test their PKI processes, it is very uncommon for an intermediate CA certificate used in a test environment to chain to a root that popular web browsers trust. Any intermediate CA certificate that chains to a publicly trusted root is, by definition, a live production certificate.
Symantec goes on to note that certificates used in testing are "discarded" once tests are completed. Unfortunately, this kind of public communication is hard to interpret from a technical standpoint. The standard way to assure the public that a certificate can no longer be used is to revoke it: once a certificate is revoked, browsers that check revocation show users a warning when they encounter it. The assurance we want is that the certificate is revoked. Whether Blue Coat still holds the private key is immaterial; no relying party can verify that a key was "discarded", but anyone can check revocation status.

To better understand the communication from Symantec, I checked the Blue Coat CA revocation status. The result is that the Blue Coat CA certificate has not been revoked. While there is no evidence of inappropriate use, nothing about the way this incident has been explained or handled is industry best practice, or even normal practice. This is not the first time security researchers have called Symantec's certificate management processes into question; see The Case of Symantec's Mysterious Digital Certificates.
You can check the revocation status of the Blue Coat CA certificate yourself with the following procedure.
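As an added example, not the post's own procedure and not anything from Symantec or Blue Coat, the script below shows what a revocation check actually tests. It builds a throwaway root CA and an intermediate CA signed by it with openssl, has the root publish a CRL, and runs the same `openssl verify -crl_check` a relying party would run: the intermediate is reported "good" while the CRL is empty and "revoked" once the root lists it. All names, paths and the config file are constructed for the demo; nothing here touches the real Blue Coat certificate.

```shell
#!/bin/sh
# Added example: local root -> intermediate chain, CRL issued by the root,
# and a relying-party revocation check. Everything is constructed for the demo.
set -e

# Minimal openssl config serving both `openssl req` and `openssl ca`.
write_config() {
  dir=$1
  cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/root.pem
private_key = $dir/root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Self-signed root, an intermediate CA issued by it, and an initial empty CRL.
# openssl's chatter on stderr is silenced; drop the redirects to debug.
build_chain() {
  dir=$1
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  write_config "$dir"
  openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Demo Root CA" -days 3650 2>/dev/null
  openssl req -new -config "$dir/ca.cnf" \
    -newkey rsa:2048 -nodes -keyout "$dir/inter.key" -out "$dir/inter.csr" \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl ca -batch -notext -config "$dir/ca.cnf" -extensions v3_ca \
    -in "$dir/inter.csr" -out "$dir/inter.pem" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# What "revoke" means in practice: the root marks the intermediate's serial
# revoked in its database and publishes a new CRL that lists it.
revoke_intermediate() {
  dir=$1
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/inter.pem" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# The relying party's check: chain inter.pem to the trusted root and consult
# the root's CRL. Prints "good" or "revoked".
check_status() {
  dir=$1
  if out=$(openssl verify -crl_check -CAfile "$dir/root.pem" \
             -CRLfile "$dir/crl.pem" "$dir/inter.pem" 2>&1); then
    echo good
  else
    case $out in
      *"certificate revoked"*) echo revoked ;;
      *) echo "error: $out"; return 1 ;;
    esac
  fi
}

main() {
  dir=$(mktemp -d)
  build_chain "$dir"
  echo "before revocation: $(check_status "$dir")"
  revoke_intermediate "$dir"
  echo "after revocation:  $(check_status "$dir")"
  rm -rf "$dir"
}

main "$@"
```

Against a real intermediate such as Blue Coat's, the same `openssl verify -crl_check -CAfile <root> -CRLfile <crl> <intermediate>` applies once the CRL is downloaded from the distribution point named in the certificate, and `openssl ocsp -issuer <root> -cert <intermediate> -url <ocsp-url>` asks the CA's OCSP responder the same question. Either answer is something the public can check; a statement that a key was "discarded" is not.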