BlueCoat (known for SSL MitM) now has a CA signed by Symantec

Discussion in 'privacy general' started by BoerenkoolMetWorst, May 27, 2016.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

  2. itman

    itman Registered Member

    The turkey cert. is now untrusted on my PC. "Up your nose with a rubber hose" Bluecoat!

    Wonder if Bluecoat will install this cert. automatically for the AppGuard users ...
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    AppGuard is from Blue Ridge Networks, not BlueCoat Systems.
     
  4. SouthPark

    SouthPark Registered Member

    Thank you for the info, installed and untrusted it here too.
     
  5. TonyW

    TonyW Registered Member

    Aren't Bluecoat Systems responsible for the K9 Web Protection software? Does this impact those users?
     
  6. Compu KTed

    Compu KTed Registered Member

  7. deBoetie

    deBoetie Registered Member

    This is disgusting from a public CA. If you (a business or anyone else) want to subvert a user's trust, then at least have the decency to put in a specific DIY root that's obvious.

    Is there a more general way of detecting and excluding such certificates (e.g. at a firewall level?)
     
  8. WildByDesign

    WildByDesign Registered Member

    I can't say for sure, but it is a possibility. They do utilize some type of local proxy filtering of your network traffic. K9 users should have a deeper look into it and see what is happening to be certain whether or not they are intercepting SSL as well and how the filtration is occurring.
     
  9. itman

    itman Registered Member

    Supposedly, the cert. is only going to be used for test purposes :cautious: http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/

    Bluecoat yeas:

    At times, criticism leveled against the security outfit has proved unfounded. For instance, after Blue Coat-built systems were found being used in Syria to spy on citizens, the biz investigated and said a reseller had illegally sold its kit into the war-torn nation.

    Bluecoat nays:

    On the other hand, Blue Coat won the "Lamest Vendor Response" Pwnie award at last year's Black Hat security conference. The gong was given after the biz pressured a security researcher into dropping a presentation at the SyScan Conference in Singapore earlier in the year. The coercive tactics sparked calls for a Blue Coat boycott, particularly from Facebook's head of security Alex Stamos.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Syria is not the only case they have been accused of:
    https://en.wikipedia.org/wiki/Blue_Coat_Systems#Controversy
     
  11. Rasheed187

    Rasheed187 Registered Member

    Can anyone explain in layman's terms why this is such a big issue?
     
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    They sell MitM and censorship devices, so with a legit certificate they can censor and spy on people even if HTTPS/SSL/TLS is used, without the browser giving any warning. Given their track record on repressive regimes, that's not a good development.
     
  13. itman

    itman Registered Member

  14. Rasheed187

    Rasheed187 Registered Member

    But can they do this on any site? Let's say you log in to Gmail, can they spy on transferred data?
     
  15. itman

    itman Registered Member

    Yes, if they have installed the certificate in the Windows root CA store and they have installed software to perform MITM activities using the installed certificate.

    -EDIT-

    Actually what I posted above is N/A for this certificate since it is an intermediate root CA cert. Those are downloaded on demand to your web browser by the web site's server. So in this case, all you have to do is land on a HTTPS web site that is using this Bluecoat certificate.
     
    Last edited: May 28, 2016
  16. itman

    itman Registered Member

    Perhaps we should also concentrate on Intermediate root CA certificates that are currently being abused by malware such as the free ones issued by Let's Encrypt: http://thehackernews.com/2016/01/fr...urce=THNLS&utm_medium=BelowLS&utm_campaign=LS
    http://blog.trendmicro.com/trendlab...ets-encrypt-now-being-abused-by-malvertisers/

    Been researching this Let's Encrypt Intermediate CA issue. Appears they are countersigned with a DST root CA cert. which is included in the Windows root CA certificate store:

    Mozilla

    • Firefox >= 2.0 and Thunderbird work on all systems ("DST Root CA X3" seems to be included since 2008, see https://bugzilla.mozilla.org/show_bug.cgi?id=359069139)
    • Firefox OS 2.2 works (see https://groups.google.com/a/letsencrypt.org/d/msg/client-dev/I-iFKihZ4Vo/kyw2EuaNlB0J1.3k)

    Windows

    • Internet Explorer (and other software which uses the Windows CryptoAPI) works ("DST Root CA X3" is included in Windows trust store; will be automatically downloaded if locally missing with Windows >= Vista; XP SP3 see below)
    • Google Chrome works ("DST Root CA X3" is included in Windows trust store; not on Windows XP, see below)


    Ref.: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394

    Given that malware is abusing these Let's Encrypt free Intermediate root CA certs.:

    Let's Encrypt Authority X3
    Let's Encrypt Authority X4
    Let's Encrypt Authority X1
    Let's Encrypt Authority X2


    Ref: https://letsencrypt.org/certificates/

    Best approach might be just to manually revoke all four certificates?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Thanks for the info, but just to be clear: The way I understood it is that they can only spy on you when you land on a site that is using the BlueCoat certificate. Is this correct or not?
     
  18. This is disgusting. What are Symantec thinking? Blue Coat has been abusing human rights for years.
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    No. If you do a MitM attack on a HTTPS/SSL connection you need a certificate that is valid for that site and trusted by the browser. Any CA can create a certificate for any site. And BlueCoat is now signed by Symantec so the browser will trust it.
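
Added example (not part of any post in this thread), relating to deBoetie's question about detecting such certificates and to the explanation above: since the intermediate travels in the chain the server presents, a client-side check can fingerprint every certificate in a captured chain and compare it with a local list of intermediates the user has chosen to distrust. The PEM blocks below are constructed placeholders rather than real certificates, and all function and variable names are this example's own.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """SHA-256 of each certificate's DER bytes, in the order presented."""
    prints = []
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def distrusted_in_chain(chain_pem, denylist):
    """Return (position, label) for each chain entry on the deny-list.

    Position 0 is the site's own certificate; 1 and up are the
    intermediates the server sent along with it.
    """
    return [(pos, denylist[fp])
            for pos, fp in enumerate(fingerprints(chain_pem))
            if fp in denylist]


def _placeholder_pem(payload):
    """Wrap arbitrary bytes in PEM armour (constructed sample, not X.509)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins for a leaf and two intermediates.
LEAF = _placeholder_pem(b"constructed leaf for example.test " * 4)
DISTRUSTED_CA = _placeholder_pem(b"constructed distrusted intermediate " * 4)
OTHER_CA = _placeholder_pem(b"constructed unrelated intermediate " * 4)

# The user's own list: fingerprint -> note. Built from the placeholder here;
# in practice it holds fingerprints of certificates exported for review.
DENYLIST = {fingerprints(DISTRUSTED_CA)[0]: "distrusted intermediate"}

SERVED_CHAIN = LEAF + DISTRUSTED_CA   # chain that includes the listed CA
CLEAN_CHAIN = LEAF + OTHER_CA         # chain that does not

if __name__ == "__main__":
    print(distrusted_in_chain(SERVED_CHAIN, DENYLIST))
    print(distrusted_in_chain(CLEAN_CHAIN, DENYLIST))
```

A fingerprint matches one exact certificate, so the same CA key reissued under a new certificate needs its own entry in the list.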
     
  20. Rasheed187

    Rasheed187 Registered Member

    OK I see, so it's all about MitM attacks.
     
  21. TonyW

    TonyW Registered Member

  22. itman

    itman Registered Member

    Makes sense since Symantec is no stranger when it comes to cooperation with U.S. government when it comes to privacy issues.
     
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

  24. bopbop

    bopbop Registered Member

    I wonder if anything has changed since the first post was created here. Any more progress to worry about?
     