BlueCoat (known for SSL MitM) now has a CA signed by Symantec

Discussion in 'privacy general' started by BoerenkoolMetWorst, May 27, 2016.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The turkey cert. is now untrusted on my PC. "Up your nose with a rubber hose" Bluecoat!

    Wonder if Bluecoat will install this cert. automatically for the AppGuard users...
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    AppGuard is from Blue Ridge Networks, not BlueCoat Systems.
     
  4. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    Thank you for the info, installed and untrusted it here too.
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Aren't Bluecoat Systems responsible for the K9 Web Protection software? Does this impact those users?
     
  6. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    This is disgusting from a public CA. If you (a business or anyone else), want to subvert a user's trust, then at least have the decency to put in a specific DIY root that's obvious.

    Is there a more general way of detecting and excluding such certificates (e.g. at a firewall level?)
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I can't say for sure, but it is a possibility. They do utilize some type of local proxy filtering of your network traffic. K9 users should have a deeper look into it and see what is happening to be certain whether or not they are intercepting SSL as well and how the filtration is occurring.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Supposedly, the cert. is only going to be used for test purposes: http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

    Bluecoat yeas:

    At times, criticism leveled against the security outfit has proved unfounded. For instance, after Blue Coat-built systems were found being used in Syria to spy on citizens, the biz investigated and said a reseller had illegally sold its kit into the war-torn nation.

    Bluecoat nays:

    On the other hand, Blue Coat won the "Lamest Vendor Response" Pwnie award at last year's Black Hat security conference. The gong was given after the biz pressured a security researcher into dropping a presentation at the SyScan Conference in Singapore earlier in the year. The coercive tactics sparked calls for a Blue Coat boycott, particularly from Facebook's head of security Alex Stamos.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Syria is not the only case they have been accused of:
    https://en.wikipedia.org/wiki/Blue_Coat_Systems#Controversy
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Can anyone explain in layman's terms why this is such a big issue?
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    They sell MitM and censorship devices, so with a legit certificate they can censor and spy on people even if HTTPS/SSL/TLS is used, without the browser giving any warning. Given their track record on repressive regimes, that's not a good development.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    But can they do this on any site? Let's say you log in to Gmail, can they spy on transferred data?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes, if they have installed the certificate in the Windows root CA store and they have installed software to perform MITM activities using the installed certificate.

    -EDIT-

    Actually, what I posted above is N/A for this certificate since it is an intermediate root CA cert. Those are downloaded on demand to your web browser by the web site's server. So in this case, all you have to do is land on an HTTPS web site that is using this Bluecoat certificate.
     
    Last edited: May 28, 2016
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Perhaps we should also concentrate on Intermediate root CA certificates that are currently being abused by malware such as the free ones issued by Let's Encrypt: http://thehackernews.com/2016/01/fr...urce=THNLS&utm_medium=BelowLS&utm_campaign=LS
    http://blog.trendmicro.com/trendlab...ets-encrypt-now-being-abused-by-malvertisers/

    Been researching this Let's Encrypt Intermediate CA issue. Appears they are countersigned with a DST root CA cert. which is included in the Windows root CA certificate store:

    Mozilla

    • Firefox >= 2.0 and Thunderbird work on all systems ("DST Root CA X3" seems to be included since 2008, see https://bugzilla.mozilla.org/show_bug.cgi?id=359069139)
    • Firefox OS 2.2 works (see https://groups.google.com/a/letsencrypt.org/d/msg/client-dev/I-iFKihZ4Vo/kyw2EuaNlB0J1.3k)

    Windows

    • Internet Explorer (and other software which uses the Windows CryptoAPI) works ("DST Root CA X3" is included in Windows trust store; will be automatically downloaded if locally missing with Windows >= Vista; XP SP3 see below)
    • Google Chrome works ("DST Root CA X3" is included in Windows trust store; not on Windows XP, see below)


    Ref.: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

    Given that malware is abusing these Let's Encrypt free Intermediate root CA certs.:

    Let's Encrypt Authority X3
    Let's Encrypt Authority X4
    Let's Encrypt Authority X1
    Let's Encrypt Authority X2


    Ref: https://letsencrypt.org/certificates/

    Best approach might be just to manually revoke all four certificates?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks for the info, but just to be clear: The way I understood it, is that they can only spy on you when you land on a site that is using the BlueCoat certificate. Is this correct or not?
     
  18. This is disgusting. What are Symantec thinking? Blue Coat has been abusing human rights for years.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    No. If you do a MitM attack on a HTTPS/SSL connection you need a certificate that is valid for that site and trusted by the browser. Any CA can create a certificate for any site. And BlueCoat is now signed by Symantec so the browser will trust it.
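
Added example (not part of the forum thread or any poster's code): a simplified Python model of certificate path building, illustrating the point made in posts 15 and 19 that a server-supplied intermediate chaining to a trusted root is accepted without the user installing anything, and that marking that intermediate untrusted breaks only chains through it. All certificate names are constructed placeholders, and signatures, validity dates and revocation are not checked.

```python
from collections import namedtuple

# Name-only certificate records (constructed data, no real keys or signatures).
Cert = namedtuple("Cert", "subject issuer is_ca")

ROOT = "Example Public Root CA"                    # hypothetical root in the OS store
MITM_ICA = "Example Interception Intermediate CA"  # hypothetical proxy vendor's intermediate
SITE_ICA = "Example Issuing CA"                    # hypothetical ordinary intermediate

def validate(leaf, sent_by_server, trusted_roots, distrusted=frozenset()):
    """Walk issuer links from the leaf upward; return (verdict, path)."""
    pool = {c.subject: c for c in sent_by_server}   # intermediates from the handshake
    path, current = [leaf.subject], leaf
    while len(path) <= len(pool) + 1:               # bound the walk so loops terminate
        issuer = current.issuer
        if issuer in distrusted:                    # explicit distrust wins over trust
            return "rejected: distrusted issuer", path + [issuer]
        if issuer in trusted_roots:
            return "trusted", path + [issuer]
        nxt = pool.get(issuer)
        if nxt is None or not nxt.is_ca:            # nothing usable to chain through
            break
        path.append(issuer)
        current = nxt
    return "rejected: no path to a trusted root", path

def scenarios():
    roots = {ROOT}
    mitm_ica = Cert(MITM_ICA, ROOT, True)
    site_ica = Cert(SITE_ICA, ROOT, True)
    proxy_leaf = Cert("mail.example", MITM_ICA, False)   # minted by the proxy's CA
    genuine_leaf = Cert("mail.example", SITE_ICA, False)
    diy_leaf = Cert("mail.example", "Example DIY Proxy Root", False)
    return {
        "proxy leaf, default store": validate(proxy_leaf, [mitm_ica], roots)[0],
        "proxy leaf, intermediate untrusted":
            validate(proxy_leaf, [mitm_ica], roots, {MITM_ICA})[0],
        "genuine leaf, intermediate untrusted":
            validate(genuine_leaf, [site_ica], roots, {MITM_ICA})[0],
        "DIY root not installed": validate(diy_leaf, [], roots)[0],
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last scenario corresponds to the "specific DIY root" case raised in post 7: without a publicly trusted signer, interception only validates on machines where that root was deliberately installed.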
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK I see, so it's all about MitM attacks.
     
  21. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Makes sense since Symantec is no stranger when it comes to cooperation with U.S. government when it comes to privacy issues.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
  24. bopbop

    bopbop Registered Member

    Joined:
    Sep 27, 2016
    Posts:
    22
    Location:
    italy
    I wonder if anything has changed since the first post was created here. Any more progress to worry about?
     