Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Symantec’s deal to buy Blue Coat, the controversial web filtering firm, for $4.65bn will bolster its enterprise security business. But some security experts are concerned about the potential for conflict of interest created by housing Symantec’s digital certificate business and Blue Coat’s man-in-the-middle SSL inspection …

  1. Philip Mather
    Mushroom

    Game Over

    The End.

  2. Anonymous Coward

    Is it real or is it Bluecoat?

    Symantec were caught handing out fake Google certs in the past. i.e. a site fraudulently pretending to be Google.

    Now they have a whole company certified to issue such fraudulent certificates for devices it doesn't control. If it controlled the device, then their own certificate would be installed on that device. So this is fraud of website identity for websites they don't control and have no legal authority to sniff your traffic.

    No authority from the website, no authority from you. A man in the middle attack that should be illegal under countless hacking laws.

    At what point are we going to remove Symantec from TLS? How much worse can they be?? You've rendered the world's encryption and trust system useless. It's as trustworthy as a single company, Bluecoat, whose sole business requires hacking into traffic they don't have a right to hack!

    1. Anonymous Coward

      Re: Is it real or is it Bluecoat?

      Oh, and what about the 'Internet of things'. All those devices pulling BIOS updates across the net. Relying on the certificate to verify their own server is the correct one. How many devices are now compromised because the cert may be fraudulent? And thus the software update is compromised?

      How many devices can be compromised with malicious smurfs?

    2. DropBear

      Re: Is it real or is it Bluecoat?

      It's all an artefact of the (sadly very popular nowadays) line of thinking according to which horrible things are only evil when "bad guys" do them - the arbitrarily defined "good guys" are a-ok to murder kittens, "it's for the greater good"...

  3. s. pam Silver badge
    Megaphone

    Prepare to get stung (again, and again) by the Yellow & Black peril

    Blue Coat has lost control of a certificate, blames Symantec but doesn't own up to their own fuck-up. How Symantec of them!

    Symantec published bad certificates, screws up lots of folks, barely admits the truth. How Blue Coat of them!

    Symantec has a long and proven track record of killing acquired technology and stuffing only a few parts into a.n.other business unit. In this case both companies' current product users/admins/owners should be VERY worried as the appliance product is likely being shoved into the most chaotic group possible to whip the acquired into submission.

    In 10++ years at Symantec until being freed in last summer's layoffs, this is the only cycle they know how to do. And they regularly will now have reorgs and infighting for who's in charge of whatever carcass of a product is left.

    Caveat Emptor -- time to find a.n.other vendor!

    1. Aodhhan

      Re: Prepare to get stung (again, and again) by the Yellow & Black peril

      Control of the certificate was never lost, it was 'supposedly' maintained by Symantec.

      They have a history of killing acquired technology?? You get this based on what?

      Did you apply to be a maintenance worker at Symantec and get turned down or what??

      I'm not a Symantec fan, but seriously... you're an angry person who lets their emotions bypass the cerebral cortex.

      1. s. pam Silver badge
        Flame

        Re: Prepare to get stung (again, and again) by the Yellow & Black peril

        @Aodhhan: "you're an angry person who lets their emotions bypass the cerebral cortex"

        You've so missed the point -- I watched this exact kind of Tom Fuckery go on there for years as I worked there! FYI, the Q/A labs passed certificates all over the place, so I'm not in the least bit surprised some "got out into the wild" as accidents do happen.

        The list of dead technology there is so long it won't fit in a comments box here, and others have clearly laid out a good list of /dead/technology Symantec has killed.

        You should take a powder, and go read ex-employee reviews of Symantec on glassdoor.com and you'll never have a cerebrum again.

    2. Lotaresco

      Re: Prepare to get stung (again, and again) by the Yellow & Black peril

      That is more or less exactly what I thought when I saw this. I've lost track of the products that Symantec has bought up and killed off or turned into junk. PC Tools, Norton, More and ACT were some of the items I used in the past that Symantec has either watered down or just killed off as quickly as possible. I don't understand why they continue to buy products that they don't want, don't understand or don't care enough about to maintain.

      Possibly there's some cunning plan in the background, but I can't see what it is.

      1. Mark 85

        Re: Prepare to get stung (again, and again) by the Yellow & Black peril

        "Possibly there's some cunning plan in the background, but I can't see what it is."

        Two possibilities... 1) Kill off some competition or 2) get the patents for later trolling.

  4. Vimes

    Will the likes of Firefox continue including Symantec's certificates despite this?

  5. Anonymous Coward

    Spying is just another revenue stream

    I don't see why Symantec should not make the same money off supporting the NSA that presumably Google, Microsoft and MessageLabs do, and with this purchase they're in the best possible position to sell them an MITM-in-a-box.

    Clever move to get into the US surveillance industry. Well done.

  6. Zippy's Sausage Factory

    So Symantec bought them?

    I expect BlueCoat's business to go the same way as did QuarterDeck, Norton Ghost... oh god how many acquisitions have there been where they've destroyed perfectly good product lines?

    I fully expect that none of BlueCoat's product lines - except the one that Symantec will for some bizarre reason manage to keep profitable - will be around in a year or two...

    1. Sandtitz Silver badge

      Re: So Symantec bought them?

      "I expect BlueCoat's business to go the same way as did QuarterDeck, Norton Ghost..."

      Ghost - I agree.

      But Quarterdeck? They offered the best memory management and multitasking software for DOS, but their wares became irrelevant when Warp (1994) gained some mainstream status and especially once Windows 95 and NT4 (1996) were released. Symantec seem to have bought the company in 1998 when the company was already dying.

      1. Zippy's Sausage Factory

        Re: So Symantec bought them?

        Quarterdeck had a bit more than that, especially since I don't even remember the DOS stuff you're talking about. I was actually thinking of CleanSweep (rock solid reliable until Symantec made it as buggy as the Okefenokee swamp), PartitionIt!, Internet Suite (which was actually a very useful bit of kit, if I remember right)...

        Although to be fair, reading the Wikipedia article I'm not sure whether they acquired those. Either way, I was annoyed that some stuff I paid good money for and used and found very useful I couldn't get any more. (Eventually I might tell you the story of how I used CleanSweep to save people a small fortune in council tax, but not right now...)

  7. Flywheel

    Unhappy memories

    I have unhappy memories of Bluecoat. Back in the day I was writing a mobile app that relied on a 1-time URL being sent to a punter's mobile phone and this could then be used to get the data that had been requested. All was well during local testing, then I deployed it, and the 1-time link started self-destructing before the punter could access it. It transpired that my Telco, Three, was using Bluecoat to intercept all Internet browser requests before they actually went to the real web site.

    1. noodle heimer

      Re: Unhappy memories

      A fairly significant Bluecoat acquisition was Netronome, which gave the company an ASIC that could break SSL at wire speeds well north of 10 Gbps (circa 2010, so I would expect the performance has gotten much better since.)

      Now we add ISPs and governments throwing these systems in and running transparently, along with the dishonesty of Symantec around certificate management and its importance to trust to begin with... Awesome.

  8. Frank Bitterlich
    Terminator

    CA = Critical Infrastructure

    Governments, ICANN and other governing bodies have understood a long time ago that some critical infrastructure - like root DNS servers and such - are way too important to let a bunch of companies (many of them with a questionable rap sheet) take control over them.

    Maybe it's time to expand the concept to include the certificate authorities. Or, we could continue to let "the market" regulate who does what with their certs and let anybody sell, leak, lose their certs who has enough money to do so. And then let the big browser makers fix this by blocking some root certs; until they find out that you can make some extra money by whitelisting some certs for cash.

    "Can't access this or that website with your browser? Try Internet Exploder 16, it accepts more root certs than any other browser!"

  9. Aodhhan

    Yeah, this is crazy but....

    During penetration testing, I can conduct a MiTM attack on users quite easily because more than 80% of normal users and 25% of privileged users will click through a warning window. I get everyone's skepticism and love to push out anger like a bunch of grounded teenagers, but considering the seemingly love-fest with clicking through warnings, what Bluecoat -- Symantec did with certificates is pretty much nothing in comparison to the real problem.

    You'd be shocked by the amount of businesses which don't implement proper PKI within their own environments, which only makes the problem worse. This trains people to click through warnings!

    Remember you can untrust a certificate and a CA, it's a lot harder to get people to not click warning messages.

    1. SoloSK71

      Re: Yeah, this is crazy but....

      do 99% of users even know the slightest about what this means? i doubt it.

      that was supposed to be the whole point of 'trusted issuers', that you did not need to worry as they were supposed to be 'trusted' to a) do the background checks to make sure the person who asked for a cert was really the person who 'owned' the site (failed that years ago) and b) would not (be able to) use that certificate on their own to compromise a user's or business's communications (now failed)

      talk about the fox guarding the hen house, and in this case it is two foxes already proven to be perilously close to the ethical and legal line

      time to start removing their certs from the trusted issuers on my personal systems

      1. Anonymous Coward

        Re: Yeah, this is crazy but....

        "time to start removing their certs from the trusted issuers on my personal systems"

        That should prove to be an interesting experiment. Time to break out the sacrificial victim error laptop.

    2. Anonymous Coward

      Re: Yeah, this is crazy but....

      That assumes the only data is dumb people reading internet websites. A lot is data flowing between apps and businesses, software updates etc. Think of all the apps being updated by HTTPS, all the banking apps connecting in the backend across HTTPS. Voice mail, video conferencing, messaging,.... all using certs to verify their target server, all compromised because the cert is compromised.

    3. DropBear

      Re: Yeah, this is crazy but....

      "considering the seemingly love-fest with clicking through warnings"

      Why, what else do you expect when even reputable websites regularly throw up security errors and warnings simply because they use a certificate to host something on some other domain than their main one for which the cert was originally issued? Not to mention ephemeral "minisites" with their own "domain" etc...? Do not forget - there are places where security is the most important thing, but in most cases the absolute, absolute most important thing is simply Getting That Shit Done.

  10. Anonymous Coward

    Norton, geez

    "Consumer sales have become a legacy business for Symantec because Microsoft has improved its security defences, freemium anti-virus software firms such as AVG and Avast are gaining big market share, and competitors and new entrants have outflanked the company in the mobile security software market."

    And Norton has always been utter shite anyway.

  11. Pirate Dave Silver badge
    Pirate

    Great

    So now what's left of Packeteer will become fodder in the Symantec corral. Sad. So sad. Packeteer's PacketShaper was one of those things that did EXACTLY what they said it could do, no ifs, ands, or buts. And the classic "tree" GUI made them so very, very easy to work with. Bluecoat at least had sense enough not to fuck that up, I doubt Symantec will be that smart. I've looked at other traffic shaping devices and none of them have a GUI that can hold a candle to the Packetshaper (and most of them don't seem to shape traffic as well either).

    Not that it matters much now that Google, YouTube, et al, have frog-marched everyone to SSL. Makes it very, very hard for the Shaper to classify the traffic as well as it could 10 years ago.

  12. energystar
    Angel

    Well...

    If they're not welcomed at the Bottom...
