Slashdot Mirror

← Back to Stories (view on slashdot.org)

Controversial Surveillance Firm Blue Coat Was Granted a Powerful Encryption Certificate (vice.com)

Posted by msmash on from the talk-of-the-town dept.

Joseph Cox, reporting for Motherboard (edited for clarity): A controversial surveillance company called Blue Coat Systems -- whose products have been detected in Iran and Sudan -- was recently issued a powerful encryption certificate by Symantec. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec downplayed concern from the security community. Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week. The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists.Blue Coat assures that it is not going to utilize the certificates to snoop on us. The Register reports: We asked Blue Coat how it planned to use its new powers -- and we were assured that its intermediate certificate was only used for internal testing and that the certificate is no longer in use. "Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately," the two firms said in a statement. "Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded."

5 of 114 comments (clear)

  1. LOL! Sure, whatever you say! by JustAnotherOldGuy · · Score: 4, Insightful

    "Blue Coat assures that it is not going to utilize the certificates to snoop on us."

    Oh, heaven forbid, I'm sure any concern about this is just due to paranoia.

    No way anyone would ever misuse power like this, and certainly not a company that sells web-monitoring software. Why, the very thought is just too silly to contemplate!

    *cough*

    --
    Just cruising through this digital world at 33 1/3 rpm...
  2. Re:Simple question by The+MAZZTer · · Score: 4, Insightful

    If they were using it for internal use, and all the PCs they were using it with were under their control, they could have easily made their own certificates that would be limited in use to their own PCs only. So why ask for a certificate that can spoof any website and will be trusted by every PC?

  3. Remove the Symatic Root CA by Anonymous Coward · · Score: 5, Insightful

    I'd say the Symantec root CA should be removed from browsers. Only substantial action will teach them to take their great responsibility as a CA seriously.

  4. Re:inflamatory headline is inflamatory by KiloByte · · Score: 5, Insightful

    if your NSM can't see SSL then you don't have NSM.

    It's the other way around: if your SSL doesn't protect you from some crap MITM box, then you don't have SSL.

    If you say that a company should be able to snoop on all connections of their employees, that's trivial to do. Just install the company's CA root on every employee's machine. But you want to do this to innocent third parties, don't you? Tough cookies then. I see no legitimate reason for SSL interception without the owner's consent. Ever.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  5. Re:Understanding PKI by jaseuk · · Score: 4, Informative

    You will get a warning if you visit using Chrome or any other browser that supports key pinning / Strict Transport Security (HSTS). There are enough people using Chrome/Firefox for this to be an early warning system.

    Jason