BlueCoat has Intermediate CA signed by Symantec

Updated June 12, 2016

Symantec created a digital certificate for Blue Coat Systems Inc.  It is a special type of certificate, an intermediate Certificate Authority (CA) certificate, that allows Blue Coat to operate as a trusted CA beneath Symantec's root.  Because it chains to a root that web browsers already trust, it can be used to create new certificates for any web site, including the highly trusted sites used for banking and health care.

Most people and businesses operating servers on the Internet make every effort to give the public a safe and secure online experience.  But the Internet is a big place and not everyone plays by the rules.  A trusted Internet environment is essential for commerce and collaboration, and the system that manages that trust is Public Key Infrastructure (PKI): the security technology and processes that web browsers and web servers use for sensitive activities like online banking and health care.  Certificate Authorities (CAs) play a special role in PKI as the gatekeepers of secure servers on the Internet.  A CA's duties include receiving applications for server certificates and verifying that the applicant controls the domain name before issuing one.  To fulfill this special and important role, CAs must submit to stringent audits of their business practices and operations, and in day-to-day operation they must preserve public trust by denying criminals the ability to masquerade as legitimate businesses or trusted partners.  Most often everything goes as planned, but what about the case when a CA does not follow the rules?  Abuses may include issuing certificates without the knowledge or consent of the rightful domain owner, servicing unlawful or warrantless government requests, and more.

Why is this incident important to me?
In May 2016 security researcher Filippo Valsorda discovered that Symantec had issued an intermediate CA X.509 certificate to Blue Coat Systems.  This is a concern for two reasons: 1) Blue Coat Systems manufactures network appliances used for surveillance, including products that intercept encrypted HTTPS traffic; 2) an intermediate CA certificate that carries no name constraints permits issuance of browser-trusted certificates for any Internet domain name.  For example, a Blue Coat device holding the private key of such a CA certificate could generate a valid-looking certificate for any HTTPS site on the fly and intercept the connection without the browser showing a warning; a user would have to inspect the certificate chain by hand to notice the unexpected issuer.

Why is the Blue Coat Systems CA a problem?
Trust is essential to the continued operation of the Internet.  Without trust, the full potential of the Internet will never be realized.  Few would want to purchase products, view medical laboratory results, exchange ideas with business partners, or email friends and family if our information could be surveilled, intercepted, and manipulated at any point without our full knowledge and consent.  The padlock (or key) icon your web browser displays for an HTTPS connection is a symbol of that trust.  If it is visible, we must be able to rely on the site we are communicating with being authentic and on our communications being confidential.

What does Bluecoat and Symantec have to say? 
Symantec has said that it determined the CA certificate was issued to Blue Coat appropriately and that Blue Coat never had access to the private key, which Symantec says it kept under its own control.  The statement is intended to assuage public concern: if the key never left Symantec, Blue Coat could not have issued anything with it, since signing a certificate requires the private key.  Unfortunately there is no easy way for the public to verify this statement.

Issuing a CA certificate to a surveillance company is by no means normal, and concern from the security research community and from anyone using a web browser is warranted.  Exercising care over who receives CA certificates is the single most important duty entrusted to Symantec in its role as an issuing authority.

What is the appropriate course of action for you?
It depends upon you.  If you trust that Symantec and Blue Coat are operating in your best interest, then do nothing.  If on the other hand you consider Blue Coat's CA a potential vector for abuse, you can mark the Blue Coat CA certificate untrusted in your operating system's certificate store.  Two caveats: distrusting this one intermediate does nothing about any other intermediate Symantec has issued or may issue, and browsers that keep their own certificate store (Firefox, for example) do not honor the operating system setting and must be configured separately.

To mark the BlueCoat CA certificate untrusted
1) Download the Blue Coat CA certificate
2) Mark it untrusted: OSX users | Windows users
* Mobile users: iPhone, I don’t believe Apple exposes any trust management features to the public.  Android, unsure.
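The two technical claims above, that an unconstrained intermediate can mint a certificate for any domain name and that distrusting the intermediate blocks it, can be reproduced with nothing but openssl.  The script below is an added example, not code from the original post, from Blue Coat or from Symantec: it builds a constructed root, intermediate and leaf (all names, files and the hostname www.bank.example are made up), checks the properties a practitioner looks for in a CA certificate (basicConstraints CA:TRUE, absence of name constraints, the SHA-256 fingerprint you would record before distrusting it), verifies the leaf the way a browser would with the intermediate supplied by the server, and then repeats the verification with the intermediate marked as rejected for TLS server authentication.  The rejection uses OpenSSL's "trusted certificate" aux attributes, which stand in here for the Keychain and certmgr steps on OS X and Windows.

```shell
#!/bin/sh
# Added example: constructed CA hierarchy, not any real CA's configuration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config shared by all three certificates (constructed).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.bank.example
extendedKeyUsage = serverAuth
EOF

build_chain() {
  # Self-signed root: the analogue of a root the browser already trusts.
  openssl ecparam -genkey -name prime256v1 -noout -out root.key
  openssl req -x509 -new -key root.key -out root.pem -days 30 \
    -config demo.cnf -extensions ca_ext -subj "/CN=Demo Root CA (constructed)"

  # Intermediate signed by the root, CA:TRUE and no name constraints:
  # the analogue of the Blue Coat intermediate.
  openssl ecparam -genkey -name prime256v1 -noout -out inter.key
  openssl req -new -key inter.key -out inter.csr -config demo.cnf \
    -subj "/CN=Demo Intermediate CA (constructed)"
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile demo.cnf -extensions ca_ext

  # Leaf for a bank hostname the intermediate's holder does not control.
  openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
  openssl req -new -key leaf.key -out leaf.csr -config demo.cnf \
    -subj "/CN=www.bank.example"
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile demo.cnf -extensions leaf_ext

  # Trust store 1: only the root is trusted (the normal browser situation).
  cp root.pem store-trusting.pem
  # Trust store 2: the root plus the intermediate marked as rejected for TLS
  # server authentication, OpenSSL's equivalent of "untrust" in a keychain.
  openssl x509 -in inter.pem -addreject serverAuth -trustout -out inter-rejected.pem
  cat root.pem inter-rejected.pem > store-distrusting.pem
}

# "yes" if the certificate asserts basicConstraints CA:TRUE (it may sign
# other certificates), "no" otherwise.
is_ca_cert() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# "yes" if the certificate carries a nameConstraints extension limiting the
# domains it may issue for; "no" means it may issue for any name.
has_name_constraints() {
  if openssl x509 -in "$1" -noout -text | grep -q 'Name Constraints'; then echo yes; else echo no; fi
}

# SHA-256 fingerprint: record this before distrusting or pinning a certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Verify leaf.pem as a TLS server certificate for www.bank.example against the
# given trust store. The intermediate is supplied "from the wire" with
# -untrusted, as an intercepting device would send it; -trusted_first makes
# openssl consult the trust store (and any reject entry) before that copy.
verify_leaf() {
  if openssl verify -trusted_first -CAfile "$1" -untrusted inter.pem \
       -purpose sslserver -verify_hostname www.bank.example leaf.pem 2>/dev/null \
       | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

build_chain
echo "intermediate is a CA: $(is_ca_cert inter.pem), name-constrained: $(has_name_constraints inter.pem)"
echo "intermediate SHA-256 fingerprint: $(fingerprint inter.pem)"
echo "root trusted, intermediate from the wire:  $(verify_leaf store-trusting.pem)"
echo "same, after distrusting the intermediate: $(verify_leaf store-distrusting.pem)"
```

The first verification succeeds even though nobody at the bank was involved, which is exactly what an intercepting proxy relies on; the second fails with "certificate rejected" because the trust store now carries an explicit rejection for the intermediate that outranks the root's trust.  Run the same checks against the downloaded Blue Coat certificate to confirm it is CA:TRUE without name constraints and to get the fingerprint you are about to untrust.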
Original security researcher comments

BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX

Here’s how to untrust it https://t.co/NDlbqKqqld pic.twitter.com/mBD68nrVsD

More information
The Register, Blue Coat, Skype and QQ named despots’ best friends
Blue Coat Systems, Blue Coat Intermediate CA
Symantec,  Symantec Protocol Keeps Private Keys In Its Control

Funniest Security/Privacy Tweet of 2016


Soghoian is referring to a piece of tape FBI Director Comey places over his laptop camera.  The subtle message for the public is that electronic privacy is for the privileged elite.

Application Security and Privacy One Year Ago

Some security gems from around April 2015.


Last Week Tonight with John Oliver: Government Surveillance (HBO)


Application Security Meme