Updated June 12, 2016
A digital certificate was created by Symantec for Blue Coat Systems Inc. The digital certificate is a special type of certificate that allows Blue Coat to operate as a trusted Certificate Authority (CA). The certificate allows Blue Coat to create new digital certificates for use on highly trusted web sites like those used in banking and health care.
Most people and businesses operating servers on the Internet make every effort to provide the public with the safest and most secure online experience. But the Internet is a big place and not everyone plays by the rules. Providing a trusted Internet environment is essential for commerce and collaboration. The system that manages Internet trust is Public Key Infrastructure (PKI): the security technology and processes that web browsers and web servers use for all highly trusted activities like online banking and health care. Certificate Authorities (CAs) play a special role in PKI as the gatekeepers of secure servers on the Internet; their duties include managing applications for secure web server certificates. To fulfill this special and important role, CAs must submit to stringent audits of their business practices and operations. During normal day-to-day operations CAs preserve public trust in online security by denying criminals the ability to masquerade as legitimate businesses or trusted partners. Most often everything goes as planned, but what about the case when CAs don't follow the rules? Abuses may include issuing certificates without the knowledge or consent of rightful domain owners, servicing unlawful or warrantless government requests, and much more.
Why is this incident important to me?
In May 2016 a security researcher, Filippo Valsorda, discovered that an intermediate CA X.509 digital certificate had been issued to Blue Coat Systems by Symantec. This is a concern for two reasons: 1) Blue Coat Systems manufactures hardware designed for surveillance, and 2) the intermediate CA certificate facilitates the issuance of highly trusted certificates for any Internet domain name. For example, a Blue Coat device armed with this CA certificate could surveil HTTPS web sites in a way that is difficult for web browser users to detect.
Why is the Blue Coat Systems CA a problem?
Trust is essential to the continued operation of the Internet. Without trust, the full potential of the Internet will never be realized. Few would want to purchase products, view medical laboratory results, exchange ideas with business partners, or email friends and family if our information could be surveilled, intercepted, and manipulated at any point without our full knowledge and consent. The key displayed in your web browser during a secure HTTPS connection is an icon of trust. If it is visible, we must have confidence that the site we are communicating with is authentic and that our communications are confidential.
What do Blue Coat and Symantec have to say?
Symantec has said that it determined the CA certificate was issued to Blue Coat appropriately and that Blue Coat never had access to its private key. This statement is designed to assuage public concern, since Symantec's control of the key would prevent impropriety on Blue Coat's behalf. Unfortunately there is no easy way for the public to verify this statement.
It depends upon you. If you trust that Symantec and Blue Coat are operating in your best interest, then do nothing. If on the other hand you consider Blue Coat's CA a potential vector for abuse, then you can mark the Blue Coat CA certificate as untrusted.
To mark the Blue Coat CA certificate untrusted:
1) Download the Blue Coat CA certificate
2) Mark it untrusted: OSX users | Windows users
* Mobile users: iPhone: I don't believe Apple exposes any trust management features to the public. Android: unsure.
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX
— Filippo Valsorda (@FiloSottile) May 26, 2016

To be clear: BlueCoat, the company making TLS MitM equipment allegedly used by govs to violate human rights, now has a REAL UNRESTRICTED CA.
— Filippo Valsorda (@FiloSottile) May 26, 2016

Symantec “maintained full control of the private key and Blue Coat never had access to it”. (A common practice.) https://t.co/Km9liGpCTE
— Filippo Valsorda (@FiloSottile) May 27, 2016
The Register, Blue Coat, Skype and QQ named despots’ best friends
Blue Coat Systems, Blue Coat Intermediate CA
Symantec, Symantec Protocol Keeps Private Keys In Its Control
FBI Director Comey has created a “warrant-proof webcam” that will thwart lawful surveillance should he ever be investigated. Shame on him.
— Christopher Soghoian (@csoghoian) April 7, 2016
Soghoian is referring to a piece of tape FBI Director Comey places over his laptop camera. The subtle message for the public is that electronic privacy is for the privileged elite.
Some security gems from around April 2015.
@jeremiahg Believe it, simple Rasp PI proj to receive ADS-B aircraft transponders – no encryption whatsoever. http://t.co/44bbWzdeZl
— Milton Smith (@spoofzu) April 15, 2015
Wired: Feds Say That Banned Researcher Commandeered a Plane, “default IDs and passwords to gain access” http://t.co/oyiq8nmn4r
— Milton Smith (@spoofzu) May 16, 2015
OWASP Top Ten Proactive Controls by @Manicode from @OWASP AppSec California 2015 https://t.co/2ADLTtIfym
— OWASP AppSec Cali (@AppSecCali) April 30, 2015
SecurityWeek: Airbus Says Will File Criminal Complaint Over US Spy Claims #security http://t.co/LcF3l0fXjd
— Milton Smith (@spoofzu) April 30, 2015