Symantec Will Acquire Controversial Surveillance Firm Blue Coat Systems For $4.65 Billion

Reader LichtSpektren writes: Symantec will acquire Blue Coat for approximately $4.65 billion in cash, the security firm announced on Monday. The transaction has been approved by the boards of directors of both companies and is expected to close in the third calendar quarter of 2016. Greg Clark, CEO of Blue Coat, will be appointed CEO of Symantec and join the Symantec Board upon closing of the transaction.If Blue Coat name sounds familiar to you, it is because this controversial surveillance firm was recently in the news for receiving a grant for a powerful encryption certificate by its now-parent company Symantec.

Must have also gotten naked pictures...

[xxxJonBoyxxx]

>> Blue Coat (got) a powerful encryption certificate by its now-parent company Symantec...Symantec will acquire Blue Coat for approximately $4.65 billion in cash

It sounds like Blue Coat also got naked pictures of Symantec's board of director's spouses and/or mistresses.

How To Untrust the Blue Coat CA Cert

For OS X: https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-x/

For WIndows: http://blogs.msmvps.com/alunj/2016/05/26/untrusting-the-blue-coat-intermediate-ca-from-windows/

And why you should: https://motherboard.vice.com/read/a-controversial-surveillance-firm-was-granted-a-powerful-encryption-certifica

Re:How To Untrust the Blue Coat CA Cert

[fuzzyfuzzyfungus]

Symantec's PR bullshit is not reassuring: "“What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding.” “This intermediate CA is for their private servers only,” she wrote."

That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...

Re:How To Untrust the Blue Coat CA Cert

[The+Last+Gunslinger]

This is spot-on.

As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the details of the certificate to even notice anything unusual.

So all the scruples reside with the device owner, not the manufacturer. As delivered, the devices can impersonate ANY server certificate. It's up to the implementer to construct policies that exclude traffic to certain servers or of certain categories from this ability.

Re:How To Untrust the Blue Coat CA Cert

[fuzzyfuzzyfungus]

In theory the legitimate users of these sorts of MiTM boxes aren't supposed to need an actual intermediate CA cert because they are only MiTMing devices that they administer, so they simply use their own internal trusted cert and configure their devices to trust it.

That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.

MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.