Controversial Surveillance Firm Blue Coat Was Granted a Powerful Encryption Certificate

Joseph Cox, reporting for Motherboard (edited for clarity): A controversial surveillance company called Blue Coat Systems -- whose products have been detected in Iran and Sudan -- was recently issued a powerful encryption certificate by Symantec. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec downplayed concern from the security community. Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week. The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists.Blue Coat assures that it is not going to utilize the certificates to snoop on us. The Register reports: We asked Blue Coat how it planned to use its new powers -- and we were assured that its intermediate certificate was only used for internal testing and that the certificate is no longer in use. "Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately," the two firms said in a statement. "Consistent with their protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded."

Remove the Symatic Root CA

I'd say the Symantec root CA should be removed from browsers. Only substantial action will teach them to take their great responsibility as a CA seriously.

Re:inflamatory headline is inflamatory

[KiloByte]

if your NSM can't see SSL then you don't have NSM.

It's the other way around: if your SSL doesn't protect you from some crap MITM box, then you don't have SSL.

If you say that a company should be able to snoop on all connections of their employees, that's trivial to do. Just install the company's CA root on every employee's machine. But you want to do this to innocent third parties, don't you? Tough cookies then. I see no legitimate reason for SSL interception without the owner's consent. Ever.