Don't panic, says Blue Coat, we're not using CA cert to snoop on you

Blue Coat has denied it's up to any shenanigans – after the security biz was seemingly given the power to issue crypto certificates that could be used to spy on people. A kerfuffle kicked off this week when it looked as though Blue Coat had been made an intermediate certificate authority, backed by root certificate authority …

  1. Michael B.

    Internal Testing my arse

    If you were doing internal testing you can just set up your own CA, install the CA cert on test machines and then issue signed certs with impunity. There is no need for a full-blown intermediate CA. This is using a nuclear weapon to crack a nut.

    1. Danny 14

      Re: Internal Testing my arse

      Which is pretty much the whole point of an internal CA too. Outside of your own testing environment the cert would be as untrusted as any other. Odd, isn't it?
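The throwaway CA Michael B. describes, and the point Danny 14 makes about it, as an added example (editor's code, not from either commenter): a self-signed CA, a leaf certificate issued from it, and the two verifications that matter. The leaf checks out only where ca.crt has been explicitly installed; against the default public trust store it is rejected like any other unknown cert. It needs the openssl CLI; the names Internal Test CA and test.internal are made up. The same mechanism, a private root pushed to managed machines, is what the "SSL inspection" proxies mentioned further down the thread rely on, and the article is about a vendor getting to skip that step.

```shell
#!/bin/sh
# Added example (editor's): a throwaway private CA for internal testing.
# Names (Internal Test CA, test.internal) are assumptions. Needs the openssl CLI.

# make_test_ca DIR HOST
# Leaves DIR/ca.crt (self-signed CA), DIR/leaf.crt (cert for HOST issued by it)
# and both private keys in DIR.
make_test_ca() {
  mkdir -p "$1"

  # 1. A minimal req config for the CA: marked as a CA, key usable only for
  #    signing certs and CRLs. Using our own -config avoids picking up whatever
  #    extension sections the system openssl.cnf carries.
  printf '%s\n' \
    '[req]' 'prompt = no' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
    '[dn]' 'CN = Internal Test CA' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
    > "$1/ca.cnf"

  # 2. The CA certificate itself. This is the one cert you install on the test
  #    machines; nobody else has it, so nobody else trusts what it signs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt"

  # 3. Key and CSR for the test host (own config again, so no system cnf needed).
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    '[dn]' "CN = $2" > "$1/leaf.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$1/leaf.cnf" -keyout "$1/leaf.key" -out "$1/leaf.csr"

  # 4. End-entity extensions: explicitly not a CA, server use only, and a SAN,
  #    because browsers match the host against subjectAltName, not CN.
  printf '%s\n' \
    'basicConstraints = critical,CA:FALSE' \
    'keyUsage = critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$2" \
    > "$1/leaf.ext"

  # 5. Issue the leaf by signing the CSR with the CA key; short lifetime.
  openssl x509 -req -sha256 -days 30 -in "$1/leaf.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/leaf.ext" -out "$1/leaf.crt"
}

# Succeeds only where ca.crt is explicitly trusted, i.e. on the test machines.
verify_with_own_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt"
}

# The same leaf against the default public trust store. This must fail:
# outside the test environment the cert is as untrusted as any other.
verify_with_public_store() {
  openssl verify "$1/leaf.crt"
}

# Stand-alone use:  sh testca.sh /tmp/testca test.internal
if [ "$#" -eq 2 ]; then
  make_test_ca "$1" "$2"
  verify_with_own_ca "$1"
  verify_with_public_store "$1" || echo "rejected by the public store, as it should be"
fi
```

Installing ca.crt into a test machine's trust store is the one step that makes the leaf valid there; a real intermediate signed by a public root needs no such step anywhere, which is the whole difference.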

  2. Fruit and Nutcase Silver badge
    Happy

    B̶l̶u̶e̶ TurnCoat

    That's better

  3. Doctor Syntax Silver badge

    Doesn't this raise doubts about trusting Symantec as a root CA?

    1. sysconfig

      Google decided to consider Symantec no longer trusted in December (as reported here) - that time it was Symantec "testing" something.

      The current CA landscape is a farce. Somebody, somewhere decides which corporations everybody is supposed to trust. And those corporations can then go ahead and delegate that trust to other parties, like BlueCoat (and anybody else interested in stealthy MITM nasties), or they issue malicious certificates without even knowing about it (Comodo a few years ago, IIRC).

      Unfortunately there's no alternative, yet.

      1. Anonymous Coward

        @Unfortunately there's no alternative, yet.

        There is an alternative and that's 'time'.

        Browsers have to start recording the certificate chain for each HTTPS site, and treating changes to that chain as man-in-the-middle attacks.

        So the first time you visit an HTTPS site, it shows a warning: this is your first visit, you're relying on a certificate authority's claim.

        Over time, as you trust it and the cert chain remains the same, trust is built up. Not from the cert authority, but from all the times you've used it over the years. So a man-in-the-middle attack would have to go back in time and catch the first exchange of certificates with your browser and every subsequent access, otherwise the change would be flagged.

        Google's pinning is that service for Google, but you and I have no reason to trust Google's pinning. It could only be used to add a second vouch for the original certificate.

        I actually would trust an EXPIRED cert that's been the same over many years over a freshly renewed Symantec cert any day. But I know that sites will renew. Unexpected renewals = cert attack, expected renewal = warn user of need to restart trust in this website.

    2. Ken Hagan Gold badge

      Re: trusting Symantec

      Not really. I'm typing this in Firefox, which has around 200 trusted authorities and Symantec are one of the perhaps half a dozen who I've actually heard of. I also know that their name recognition means that *their* shenanigans are more newsworthy than those of (to pick one at random) "Chunghwa Telecom Co. Ltd.".

  4. Ken Hagan Gold badge

    Would this help?

    A suggestion for browser authors (and anyone else whose software occasionally needs to say "This source is signed by X, who is trusted"): always show the entire certificate chain.

    The option is always there, but it is always a few extra clicks and most people don't bother. However, the chain is usually just two or three entries, very often just "the person I think I'm dealing with" and "a CA that I've heard of", so this wouldn't exactly be drowning end-users with gobbledegook. It would simply be telling them who the men in the middle actually are.

    (Edit: For many outside of IT, this might be their first inkling of the fact that there is a chain and that "trust" isn't just a yes/no thing inside their browser. It could be quite educational.)

    1. Anonymous Coward

      Re: Would this help?

      Great idea. And it shouldn't require more than hovering over the padlock symbol.

      "This cert for this site was issued by ABC on behalf of XYZ..."

      1. Destroy All Monsters Silver badge

        Re: Would this help?

        All the developers are busy shifting crap around in the toolbars.

  5. Chris Miller

    "This is useful for corporations that want to keep tabs on their staff at work."

    This is useful for corporations that prefer not to allow any old malware filled crap from the Internet to be downloaded onto their network or sensitive information to be uploaded to Dropbox. FTFY

    If you want to do something at work that you don't want your employer to see (which could be something as innocuous as using online banking to pay a bill), don't use your work network. This type of interception is normally handled by tech staff inserting their own root cert into the 'trusted' list of any computers under their control, which can then be used by a proxy server. This is a different issue from granting vendors of such products their own universally trusted certificate, which I agree sounds dodgy.

  6. Anonymous Coward

    Symantec

    Recall: "Symantec was forced to fire 3 employees after Google's engineers found rogue SSL certificates issued in its name used in the wild."

    Was anyone prosecuted for that? No? So it was a government backdoor, you don't fake an identity document like that and it doesn't even get investigated. Snowden docs reveal Google HTTPS traffic was man-in-the-middled, that means a trusted cert authority needed to issue the fake certificate, and I know which company I think did that.

    Look, the system is flawed, it lets anyone under the trusted tree issue certs for any website and that's clearly wrong.

    Browsers need to start tracking the certs for each website and if the certs change, then it's untrusted even if Symantec say it's trusted. Because the chain-of-trust itself cannot be trusted, if it reports a new certification, the trust is broken, you have to build up confidence in this new certificate over time.

    Google's certificate pinning is Google's log, I have no reason to trust Google's logs either.

    I thought we'd agreed backdoors were a bad thing, yet TLS is so backdoored, that a private company can issue certs for Syrian government to fake US websites, the system is so badly flawed.
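This post and the earlier Anonymous Coward reply to sysconfig describe the same trust-on-first-use scheme, so here is one added example serving both (editor's code, not from either commenter). The store keeps, per host, the fingerprint of the leaf and the fingerprint of the issuing chain (intermediate plus root). The first visit is flagged as relying on the CA alone; repeat visits with the identical chain build up a count; a new leaf from the unchanged issuing chain is the "expected renewal" case (warn, restart the count); a change of the issuing chain, which is what an interception box holding its own intermediate produces, is the "unexpected" case and is refused without touching the store. Fingerprints are assumed to be the SHA-256 hex strings that `openssl x509 -noout -fingerprint -sha256` prints; the values in the demo are constructed placeholders, not real fingerprints.

```shell
#!/bin/sh
# Added example (editor's): trust-on-first-use for certificate chains.
# Store file format, one record per host:   host leaf_fp issuers_fp visits

# replace_record STORE HOST LEAF_FP ISSUERS_FP VISITS: rewrite one host's record.
replace_record() {
  awk -v h="$2" '$1 != h' "$1" > "$1.tmp"
  printf '%s %s %s %s\n' "$2" "$3" "$4" "$5" >> "$1.tmp"
  mv "$1.tmp" "$1"
}

# tofu_check STORE HOST LEAF_FP ISSUERS_FP
# Prints one of: first_visit, trusted, renewal_same_issuer, chain_changed.
# Returns 1 only for chain_changed, and leaves the store untouched in that case.
tofu_check() {
  store=$1 host=$2 leaf=$3 issuers=$4
  [ -f "$store" ] || : > "$store"
  old=$(awk -v h="$host" '$1 == h { print; exit }' "$store")
  if [ -z "$old" ]; then
    # Nothing recorded: the only thing vouching for this chain is the CA.
    printf '%s %s %s 1\n' "$host" "$leaf" "$issuers" >> "$store"
    echo first_visit
    return 0
  fi
  set -- $old                      # split "host leaf issuers visits"
  old_leaf=$2 old_issuers=$3 visits=$4
  if [ "$leaf" = "$old_leaf" ] && [ "$issuers" = "$old_issuers" ]; then
    # Same chain as every previous visit: confidence grows with use.
    replace_record "$store" "$host" "$leaf" "$issuers" $((visits + 1))
    echo trusted
  elif [ "$issuers" = "$old_issuers" ]; then
    # New leaf, same issuing chain: looks like a renewal. Warn, restart the count.
    replace_record "$store" "$host" "$leaf" "$issuers" 1
    echo renewal_same_issuer
  else
    # Different issuing chain: whoever signed this is not who signed it before.
    echo chain_changed
    return 1
  fi
}

# tofu_visits STORE HOST: how many consecutive visits have seen the current chain.
tofu_visits() {
  awk -v h="$2" '$1 == h { print $4; exit }' "$1"
}

# Stand-alone demo with constructed (not real) fingerprints:  sh tofu.sh demo
if [ "${1:-}" = demo ]; then
  s=$(mktemp)
  tofu_check "$s" example.test aa11 bb22    # first_visit
  tofu_check "$s" example.test aa11 bb22    # trusted
  tofu_check "$s" example.test cc33 bb22    # renewal_same_issuer
  tofu_check "$s" example.test cc33 ee55 || echo "refused"   # chain_changed
  rm -f "$s"
fi
```

The fingerprint of the issuing chain is the useful signal here: a site that moves from one public CA to another looks the same to this check as a proxy that mints certs under its own intermediate, so the warning is honest about what it knows (the signer changed) rather than claiming to know why.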

    1. Doctor Syntax Silver badge

      Re: Symantec

      'Recall: "Symantec was forced to fire 3 employees after Google's engineers found rogue SSL certificates issued in its name used in the wild."

      Was anyone prosecuted for that? No? So it was a government backdoor, you don't fake an identity document like that and it doesn't even get investigated.'

      Prosecuted for what? Could you name a statute or a piece of common law which this violated?

      1. Fan of Mr. Obvious

        Re: Symantec

        Copyright infringement, not to mention the terms for requesting a cert require you prove that you are the entity requesting it.

    2. Ben Tasker

      Re: Symantec

      Browsers need to start tracking the certs for each website and if the certs change, then it's untrusted even if Symantec say it's trusted.

      That's already possible with HPKP and/or DANE.

      Google's certificate pinning is Google's log, I have no reason to trust Google's logs either.

      If you don't trust the operator of the site (in this case, Google), why are you exposing your system to their services?
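Ben Tasker's reply points at HPKP and DANE, which are the site-declared forms of the idea above: instead of the browser learning the chain by use, the site publishes the hash of the key it intends to use, either in an HTTP response header (HPKP, since withdrawn from all major browsers, not least because a bad pin locks users out of the site) or in a DNSSEC-signed TLSA record (DANE). Both hash the SubjectPublicKeyInfo rather than the certificate, so a renewal that keeps the key passes, while a certificate minted by some other CA for the same name, with a different key, does not. An added example (editor's code, not from the thread) computing both forms from a PEM certificate with the openssl CLI; the host names pin.test and example.test are made up.

```shell
#!/bin/sh
# Added example (editor's): SPKI pins as HPKP and DANE used them. Needs openssl.

# spki_pin_b64 CERT_PEM: base64 SHA-256 of the cert's SubjectPublicKeyInfo, the
# value HPKP's pin-sha256 carried. Hashing the SPKI rather than the whole cert
# means the pin survives renewals that keep the same key.
spki_pin_b64() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary |
    openssl enc -base64 -A
}

# spki_pin_hex CERT_PEM: the same digest in hex, the form a TLSA record uses.
spki_pin_hex() {
  openssl x509 -in "$1" -pubkey -noout |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | sed 's/^.*= //'
}

# hpkp_header CERT_PEM MAX_AGE_SECONDS: the (withdrawn) HPKP response header.
# RFC 7469 also required a backup pin for a key not yet in use, which is where
# the lock-out risk came from.
hpkp_header() {
  printf 'Public-Key-Pins: pin-sha256="%s"; max-age=%s\n' "$(spki_pin_b64 "$1")" "$2"
}

# tlsa_record CERT_PEM HOST: DANE record for HTTPS on HOST. "3 1 1" means
# DANE-EE (the end-entity cert itself), selector SPKI, matching type SHA-256.
# The site publishes it in its own DNSSEC-signed zone; no CA involved.
tlsa_record() {
  printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_pin_hex "$1")"
}

# pin_matches CERT_PEM EXPECTED_B64: the check a client with a stored pin makes.
pin_matches() {
  [ "$(spki_pin_b64 "$1")" = "$2" ]
}

# Stand-alone use:  sh pins.sh cert.pem example.test
if [ "$#" -eq 2 ]; then
  hpkp_header "$1" 5184000
  tlsa_record "$1" "$2"
fi
```

The test below re-signs the same key into a second certificate and checks the pin is unchanged, and that a pin for some other key is rejected; that pair of outcomes is the property the pinning commenters above are asking the browser for.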

  7. Steve Medway
    Joke

    Hi Ho, Hi Ho, it's off on holiday we go.

    I was almost 99% sure it would be an article about a Pontin's Holiday Camp security breach.

    Shame on you reg. for getting my hopes up, sigh :(

  8. Anonymous Coward

    simple don't trust anyone else's CA

    All my servers have just one CA cert installed, mine. Not really practical for many, but run a local repo and just step gingerly round the cluster-fuck.

    1. Danny 14

      Re: simple don't trust anyone else's CA

      I'm assuming you MITM everything, doesn't that just shift the issue onto your edge proxy? Or do you have that (gulp) set to ignore cert errors?

      I too have very few CA on our domain PCs and we do MITM everything through our filtering proxy (school, signed agreements with staff and students - don't like it then don't use it, be aware that this is happening sort of thing) but that just means the proxy does the cert checking.

  9. Anonymous Coward

    Take our word for it

    To paraphrase Blue Coat: "We're not spying on you, though we could" - as could anyone else with a root CA.

    This is the reason HTTPS must die.

  10. Anonymous Coward

    Why is this shocking or even surprising?

    There are a number of vendors who offer "SSL Inspection" as part of the pitch. They all work in the same way: the boss puts a trusted root on all the browsers, and the box acts as a MITM and "inspects" all the traffic.

    For most corporates, things like bank sites are excluded, as are most other legitimate sites. However, for evil stuff - such as file sharing services - these are inspected for obvious reasons.

    1. Havin_it

      Re: Why is this shocking or even surprising?

      This is a step further than that, because they don't need to install the certificate on your machine: it's signed by a root CA that all browsers already trust by default.

  11. Havin_it

    Time for a bit of democracy?

    The flaw in the existing "tree of trust" model is underlined once again. The root CAs prove once again to be unworthy of that trust.

    What's needed is a way of democratising the level of trust in a CA or lower-level cert holder. Look at BitTorrent and how its model all but eradicated malicious payloads which had become the bane of earlier p2p networks: admittedly there had to be an initial "sacrificial lamb" to download the malicious payload and identify it as such, but from that point onwards the torrent would never gain traction.

    I'd like to see CRLs being used to spank CAs for malfeasance based on user reporting. You signed a cert that got misused? Poof, there goes your own cert. Now enjoy explaining to all your legit customers why their websites are throwing a dirty big warning sign instead of that nice padlock they paid for.

    Who would (everyone trust to) manage this process, and how would they guard against malicious false reporting, are the tricky bits. Maybe there's a decentralised, p2p method of going about this part too?

  12. hayzoos

    For nation-state clients

    The product wasn't plug and play for the nation-state market wishing to spy on any and all HTTPS traffic crossing the borders.

    By obtaining the trusted intermediate cert. the product has become plug and play for the likes of Syria, China, USA, Russia, UK, N.Korea, Australia, Denmark, or just about any country you can think of to spy on their citizens' and each others' citizens' HTTPS traffic.

    It also makes it easier for the existing clients by not having to install an extra cert. in all the browsers for the appliance to work.

    Democratized trust certificate model, sounds like how PGP was setup.

  13. Anonymous Coward

    They aren't the only ones ...

    A few years back, in the earliest days of the Syrian revolt (before it devolved into a free for all), I was having a drink with a friend who worked for a firm that I won't name* for obvious reasons.

    (*Save to say it was very shortly after acquired by a bigger household name for a huge sum, a decision which everyone came to regret when it was revealed after the fact that the value of the company had been enormously (and perhaps fraudulently) inflated resulting in much press and bitter recriminations, not to mention lawsuits and law enforcement investigations.)

    He was remarking how they were currently in discussions with the Assad regime to provide a 'solution' to detect twitter postings unfavourable to the regime and trace them back to the individuals responsible.

    I must have failed to conceal my surprise and disgust at the revelation that my friend would work for such a business, let alone that he would discuss such sordid dealings as though they were routine, since he quickly changed the subject and never again mentioned it. I too, for my shame, kept quiet on the subject as I had no wish to land him in trouble and I had no evidence except for his candid words.

    My friend, along with all of his colleagues, was treated very badly following the acquisition and though he hung on for a few months as everyone around him parted company, he ultimately quit and went in search of greener pastures.

    1. Ken Hagan Gold badge

      Re: They aren't the only ones ...

      Perhaps your friend was having second thoughts and wanted to see your unguarded reaction. If so, it sounds like he got the information he needed and didn't pursue the matter further.

      Obviously I don't know your friend and he may be a thoroughly evil schmuck, but neither I nor you have to jump to that conclusion on the basis of the evidence presented. Working inside such a company, there's always the risk of peer pressure normalising things that you might otherwise question. Smart folks are aware of that and might try to find ways of getting an independent opinion.

  14. Anonymous Coward

    Doesn't Extended Validation enable you to detect this?

    https://www.grc.com/fingerprints.htm

  15. ortunk

    Assume all your communication intercepted and recorded

    That way you deal with life in a much easier fashion...
