Controversial Surveillance Firm Blue Coat Was Granted a Powerful Encryption Certificate

Joseph Cox, reporting for Motherboard (edited for clarity): A controversial surveillance company called Blue Coat Systems -- whose products have been detected in Iran and Sudan -- was recently issued a powerful encryption certificate by Symantec. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec downplayed concern from the security community. Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week. The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists.Blue Coat assures that it is not going to utilize the certificates to snoop on us. The Register reports: We asked Blue Coat how it planned to use its new powers -- and we were assured that its intermediate certificate was only used for internal testing and that the certificate is no longer in use. "Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately," the two firms said in a statement. "Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded."

Re:Simple question

[David_Hart]

If they were using it for internal use, and all the PCs they were using it with were under their control, they could have easily made their own certificates that would be limited in use to their own PCs only. So why ask for a certificate that can spoof any website and will be trusted by every PC?

Simple Answer: Because corporations want it.

Blue Coat is a company that sells network security products. Many companies use their products for proxy services, etc. Most security products have problems scanning content that is encrypted using SSL. Having the ability to act as a MIM allows the proxy services, WAN acceleration boxes, etc. access to the content for processing. Companies today are hyper-concerned about losing Intellectual Property and with ensuring that employees are not doing anything at work that is considered inappropriate.

I find the use of the terms "surveillance" and "controversial" in the article title to be deliberately used as click bait. Blue Coat is no more a "surveillance" company than Cisco, Juniper, or F5. That their products have found their way into Iran and Sudan is not that surprising. I'm willing to bet that it wouldn't be that difficult to set up multi-deep shell companies to buy products.