Slashdot Mirror


Symantec Will Acquire Controversial Surveillance Firm Blue Coat Systems For $4.65 Billion (helpnetsecurity.com)

Reader LichtSpektren writes: Symantec will acquire Blue Coat for approximately $4.65 billion in cash, the security firm announced on Monday. The transaction has been approved by the boards of directors of both companies and is expected to close in the third calendar quarter of 2016. Greg Clark, CEO of Blue Coat, will be appointed CEO of Symantec and join the Symantec Board upon closing of the transaction. If the Blue Coat name sounds familiar to you, it is because this controversial surveillance firm was recently in the news for receiving a grant for a powerful encryption certificate by its now-parent company Symantec.


  1. Must have also gotten naked pictures... by xxxJonBoyxxx · · Score: 2

    >> Blue Coat (got) a powerful encryption certificate by its now-parent company Symantec...Symantec will acquire Blue Coat for approximately $4.65 billion in cash

    It sounds like Blue Coat also got naked pictures of Symantec's board of directors' spouses and/or mistresses.

  2. Re:/. EDITORS HATE GAY PEOPLE by Luthair · · Score: 1, Insightful

    Precisely what was the technology angle? This isn't a general news site, GTFO

  3. How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 2, Informative
    1. Re:How To Untrust the Blue Coat CA Cert by fuzzyfuzzyfungus · · Score: 5, Informative

      Symantec's PR bullshit is not reassuring: "What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding." "This intermediate CA is for their private servers only," she wrote.

      That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...
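
The check the comment above describes (whether a CA certificate actually carries any restriction on what it can sign), as an added example that is not part of the thread. It assumes the `openssl` CLI is installed; the function names, the two self-signed test CAs and the `.corp.example` name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a CA certificate for the
# restrictions the comment says were missing. Requires the openssl CLI.

# audit_ca_cert FILE: print findings; return 0 only if name constraints exist.
audit_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "not a CA certificate"; return 3
    fi
    # pathlen limits how many further CA levels may sit below this one.
    pathlen=$(printf '%s\n' "$text" | sed -n 's/.*pathlen:\([0-9]*\).*/\1/p')
    echo "path length limit: ${pathlen:-unlimited}"
    echo "expires: $(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)"
    if printf '%s\n' "$text" | grep -q 'X509v3 Name Constraints'; then
        echo "name constraints: present"
        return 0
    fi
    echo "name constraints: ABSENT (no limit on which hostnames it can sign for)"
    return 1
}

# make_sample_cas: build two constructed, self-signed test CAs in a temp dir
# (hypothetical names; nothing here is a real CA) and print the directory.
make_sample_cas() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[open]
basicConstraints = critical,CA:TRUE
[locked]
basicConstraints = critical,CA:TRUE,pathlen:0
nameConstraints = critical,permitted;DNS:.corp.example
EOF
    for profile in open locked; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -config "$d/ca.cnf" -extensions "$profile" \
            -keyout "$d/$profile.key" -out "$d/$profile.pem" 2>/dev/null || return 1
    done
    echo "$d"
}

dir=$(make_sample_cas) && for f in open locked; do
    echo "== $f.pem"; audit_ca_cert "$dir/$f.pem" || true
done
```

Run against an exported intermediate certificate in PEM form, the same function reports whether the restrictions a vendor statement claims are actually encoded in the certificate.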

    2. Re:How To Untrust the Blue Coat CA Cert by The+Last+Gunslinger · · Score: 2

      This is spot-on.

      As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

      From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the details of the certificate to even notice anything unusual.

      So all the scruples reside with the device owner, not the manufacturer. As delivered, the devices can impersonate ANY server certificate. It's up to the implementer to construct policies that exclude traffic to certain servers or of certain categories from this ability.

    3. Re:How To Untrust the Blue Coat CA Cert by fuzzyfuzzyfungus · · Score: 3, Insightful

      In theory the legitimate users of these sorts of MiTM boxes aren't supposed to need an actual intermediate CA cert because they are only MiTMing devices that they administer, so they simply use their own internal trusted cert and configure their devices to trust it.

      That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.

      MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.

    4. Re: How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 1

      +1 what parent said.

      It negates TLS because the cert could be real or could be Bluecoat fake. Every bank, government, financial, health, EVERY cert is worthless from that deal. Symantec have been caught faking Google certificates before, this was obviously a workaround to hide the faking.

      But, here's the most disturbing thing of all.... 70% of ALL certs are from Symantec or Symantec's child companies. They cannot be removed from the cert chain because they ARE the cert chain.

      So TLS certs have to be removed because the whole certification process is broken. You can be at an internet cafe, and the cafe owner can be intercepting your bank and email details, his ISP can be intercepting them too, the government you're in can be intercepting, the NSA can be intercepting, there could be 100 man in the middle attacks, all running Bluecoat hardware and you wouldn't know it.

      Making the TLS certificate worthless.

    5. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 1

      > As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

      Also a former BlueCoat employee here.

      While you are correct, that this cert can be used to create valid MitM certificates, this certificate will never be pushed out to customer boxes. They would never run the risk of a customer being able to get the private key, and then use it for whatever evil uses they have.

      They could use their CA to sign other intermediate CAs that they push out onto customer boxes, but that is just as dangerous as giving them their CA.

      What they are probably testing, is using this on their cloud-based secure gateway product. In that case, all of the customer traffic is routed via VPN to the BlueCoat cloud, and then run through BlueCoat owned proxies before going out to the Internet. This way, they have total control of the CA, and their customers do not need to install any private root CA onto their users' computers in order to do SSL interception.

    6. Re:How To Untrust the Blue Coat CA Cert by Phreakiture · · Score: 1

      If that's the case, then there is no reason not to untrust the cert, since it doesn't serve any purpose in the wild.

    7. Re:How To Untrust the Blue Coat CA Cert by The+Last+Gunslinger · · Score: 1

      > The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.

      The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.

  4. The only upside... by fuzzyfuzzyfungus · · Score: 1

    The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time.

    Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.

    1. Re:The only upside... by LichtSpektren · · Score: 1

      > The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time. Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.

      Agreed. It would be nice if Google, Apple, Microsoft, and Mozilla agreed to blacklist Symantec-signed certificates from their browsers. Unfortunately they have billions of dollars to throw at legislators and judges, so it wouldn't make a difference in the long run.

    2. Re:The only upside... by retchdog · · Score: 1

      that was my first thought too, but while it may be Symantec's money going into the deal, Symantec is getting Blue Coat's CEO as part of the deal.

  5. Why are security companies compromising themselves by QuietLagoon · · Score: 1

    Symantec is buying Blue Coat Systems. Avira Anti-Virus installs the MixPanel data harvester. What's going on with security companies nowadays?

  6. Re: /. EDITORS HATE GAY PEOPLE by wardrich86 · · Score: 1

    The line is "news for nerds, stuff that matters" as in "the news for nerds is the stuff that matters." I think you mistook it for "News for nerds; stuff that matters" which would imply it covered nerdy news as well as other important topics. The difference some punctuation can make...

  7. inspection or surveillance? by omgwtfroflbbqwasd · · Score: 1

    Corporate use is inspection of traffic to detect security breaches, but Service Provider use is surveillance?

    Use of wildcard certs is one thing, but BlueCoat technology isn't designed for surveillance any more than network analysis tools are.

    1. Re: inspection or surveillance? by fuzzyfuzzyfungus · · Score: 1

      Yes, applying network surveillance tools to systems you own and administer and applying them to every hapless bastard who relies on your ISP are different things. It's not news that 'admin tools' and 'malice' have broad technical overlap; both are designed for easy and powerful control over a whole bunch of systems; but whether or not you are the legitimate admin is an obvious distinction between surveillance and security and 'remote administration' vs. remote access Trojan. Bluecoat's products certainly can be used for internal security applications; but it's a matter of record that they can and have been used for widespread surveillance by deeply unsavory state actors with nothing but the thinnest excuses from the vendor.

  8. Racketeering by sjbe · · Score: 1

    > Symantec is buying Blue Coat Systems. Avira Anti-Virus installs the MixPanel data harvester. What's going on with security companies nowadays?

    They're having the problem that they can't grow fast enough to please their shareholders/investors. The market for security products is finite, competitive and customers aren't willing to pay ever increasing amounts of cash for their products. So their management is pushed inexorably towards sources of revenue that might not be in the best interests of their customers. Of course Symantec has produced crap software for a long time now so them making bad decisions is nothing new. Removing their crapware is usually among the first things I do with any new PC that is burdened with it.

    Of course there is also the old problem that security companies make money by "protecting" against malware but if malware ceased to exist so would their business. So they have a built in conflict of interest in that they want to protect but not actually get rid of malware completely. In theory they could even be the ones creating the malware to ensure there is a threat to protect against. A form of racketeering really.