Once again we are here speaking about surveillance, security experts have discovered that the controversial firm Blue Coat Systems was granted powerful encryption digital certificates.
Blue Coat sells web-monitoring software, its surveillance appliances were detected in Iran and Sudan, and Syria where the Government used the technology to persecute dissidents and activists.
It seems that the company was granted the power to issue certificates that could be used to spy on people and easily snoop on the encrypted traffic.
The certificates were issued by Symantec, but the security firm downplayed the issue explaining that the HTTPS certificate-issuing powers were assigned only for testing purposes.
The power was granted in September 2015, but the anomaly was spotted only last week, the Italian Filippo Valsorda detailed the issue in an interesting blog post.
As explained by the expert the company, which acted as intermediate Certification Authority, used digital certificates signed by a very Powerful CA, Symantec, that granted the surveillance firm the controversial power.
Basically, Symantec acted as guarantor for all certificates issued by Blue Coat, this means that when a user’s browser visited a site exposing one of such certificate it trusted it, thanks to the trust relationship between the root CA (Symantec) and the intermediate CA (Blue Coat).
“Intermediate CAs are certificates signed by a root CA that can sign arbitrary certificates for any websites. They are just as powerful as root CAs, but there’s no full list of the ones your system trusts, because root CAs can make new ones at will, and your system will trust them at first sight. There are THOUSANDS logged in CT.” explained Valsorda.
“This month an interesting one popped up, generated apparently in September 2015: “Blue Coat Public Services Intermediate CA”, signed by Symantec. (No certificates signed by this CA have reached the CT logs or Censys so far.)”
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX
— Filippo Valsorda (@FiloSottile) 26 maggio 2016
Now the problem is that a Root Ca has granted this kind of powers to a well-known surveillance firm, and we can imagine how these certificates have been used.
— Kenn White (@kennwhite) 27 maggio 2016
Filippo Valsorda provided detailed instruction on how to distrust the Blue Coat certificated on OS X system and Windows.
As said, Symantec and Blue Coat promptly declared that the certificate was only used for testing purpose.
“We provided it because companies that want to secure private servers without the risks that come with working in the public domain is a common customer request,” Symantec spokesperson Jane Gideon told Motherboard in an email.
“Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately. Consistent with our protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded,” she wrote.
“What the certificate does not give them the ability to do is issue public certificates to other organizations,” Gideon said. “That’s the big misunderstanding.”
“This intermediate CA is for their private servers only,” she wrote.
Just for information, the certificate is still valid.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – Blue Coat digital certificates, surveillance)