Symantec and partner say HTTPS certificate-issuing powers used only for testing
Blue Coat has denied it’s up to any shenanigans – after the security biz was seemingly given the power to issue crypto certificates that could be used to spy on people.
A kerfuffle kicked off this week when it looked as though Blue Coat had been made an intermediate certificate authority, backed by root certificate authority Symantec, in September.
This would allow Blue Coat to issue security certs for almost any website it wanted – certificates that would be trusted by browsers and apps on computers, phones and gadgets.
These trusted certs can be used to disguise malicious servers as legit websites; netizens connecting to the systems would think they’re using the real deal, but really they’re talking to imposters and handing over sensitive information like passwords to strangers.
Blue Coat sells network equipment that does just this kind of espionage: the gear intercepts connections to websites and strips the encryption away so secured communications can be monitored.
This is useful for corporations that want to keep tabs on their staff at work. Unfortunately, Blue Coat’s HTTPS-snooping products have been used by repressive regimes to spy on activists online and quash dissent.
To tear away the encryption and peek inside people’s packets, Blue Coat’s man-in-the-middle gear masquerades as legit websites – and this is so much easier to pull off when the manufacturer is an intermediate certificate authority because it has the flexibility to generate trusted certificates on the fly.
It paves the way for seamless surveillance by Blue Coat-built equipment.
We asked Blue Coat how it planned to use its new powers – and we were assured that its intermediate certificate was only used for internal testing and that Blue Coat could not issue arbitrary certs.
“Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately,” the two firms said in a statement.
“Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it.
Blue Coat has confirmed it was used for internal testing and has since been discontinued.
Therefore, rumors of misuse are unfounded.”
Whether or not you believe the pair, the row highlights a problem between Blue Coat and elements of the security community – namely that the firm is treated with intense suspicion by some corners.
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX Here’s how to untrust it https://t.co/NDlbqKqqld pic.twitter.com/mBD68nrVsD
— Filippo Valsorda (@FiloSottile) May 26, 2016
BlueCoat literally uses NSA’s mass surveillance quips in their marketing for SSL decrypt. https://t.co/VgaZlCSY2d pic.twitter.com/PqmwPvUKFs
— Kenn White (@kennwhite) May 27, 2016
At times, criticism leveled against the security outfit has proved unfounded.
For instance, after Blue Coat-built systems were found being used in Syria to spy on citizens, the biz investigated and said a reseller had illegally sold its kit into the war-torn nation.
On the other hand, Blue Coat won the “Lamest Vendor Response” Pwnie award at last year’s Black Hat security conference.
The gong was given after the biz pressured a security researcher into dropping a presentation at the SyScan Conference in Singapore earlier in the year.
The coercive tactics sparked calls for a Blue Coat boycott, particularly from Facebook’s head of security Alex Stamos.
All of this may well be background fuss for the business: Blue Coat is reportedly considering an IPO shortly, during which it will be focused on its reputation among investors rather than its standing among security professionals. ®