Symantec Will Acquire Controversial Surveillance Firm Blue Coat Systems For $4.65 Billion (helpnetsecurity.com) 44
Reader LichtSpektren writes: Symantec will acquire Blue Coat for approximately $4.65 billion in cash, the security firm announced on Monday. The transaction has been approved by the boards of directors of both companies and is expected to close in the third calendar quarter of 2016. Greg Clark, CEO of Blue Coat, will be appointed CEO of Symantec and join the Symantec Board upon closing of the transaction. If the Blue Coat name sounds familiar to you, it is because this controversial surveillance firm was recently in the news for receiving a grant for a powerful encryption certificate by its now-parent company Symantec.
Must have also gotten naked pictures... (Score:3)
It sounds like Blue Coat also got naked pictures of Symantec's board of directors' spouses and/or mistresses.
How To Untrust the Blue Coat CA Cert (Score:2, Informative)
For OS X: https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-x/ [filippo.io]
For Windows: http://blogs.msmvps.com/alunj/2016/05/26/untrusting-the-blue-coat-intermediate-ca-from-windows/ [msmvps.com]
And why you should: https://motherboard.vice.com/read/a-controversial-surveillance-firm-was-granted-a-powerful-encryption-certifica [vice.com]
Re:How To Untrust the Blue Coat CA Cert (Score:5, Informative)
That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...
Re: (Score:2)
As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.
From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the
Re:How To Untrust the Blue Coat CA Cert (Score:4, Insightful)
That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.
MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
Re: How To Untrust the Blue Coat CA Cert (Score:1)
+1 what parent said.
It negates TLS because the cert could be real or could be Bluecoat fake. Every bank, government, financial, health, EVERY cert is worthless from that deal. Symantec have been caught faking Google certificates before, this was obviously a workaround to hide the faking.
But, here's the most disturbing thing of all.... 70% of ALL certs are from Symantec or Symantec's child companies. They cannot be removed from the cert chain because they ARE the cert chain.
So TLS certs have to been removed
Re: (Score:2)
The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.
The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.
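Added example, not part of any comment in this thread: the comments above describe an intercepting proxy presenting on-demand certificates, which a client can only notice by looking at who issued the chain it was handed. This sketch parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports certificates whose issuer matches a watch list; the sample text, the watch list and the function names are constructed for illustration.

```python
import re

# Issuer substrings to report; "blue coat" is the vendor discussed in this thread.
WATCHLIST = ("blue coat",)

# Constructed sample in the layout of `openssl s_client -showcerts`
# (every name below is made up for this example).
SAMPLE = """\
Certificate chain
 0 s:/C=US/O=Example Bank/CN=www.bank.example
   i:/C=US/O=Blue Coat Systems, Inc./CN=Example Inspection CA
 1 s:/C=US/O=Blue Coat Systems, Inc./CN=Example Inspection CA
   i:/C=US/O=Example Root Authority/CN=Example Root CA
---
"""


def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    chain, depth, subject = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+s:(.*)", line)
        if m:  # "<depth> s:<subject DN>" starts a new entry
            depth, subject = int(m.group(1)), m.group(2).strip()
            continue
        m = re.match(r"\s+i:(.*)", line)
        if m and subject is not None:  # "i:<issuer DN>" completes it
            chain.append((depth, subject, m.group(1).strip()))
            subject = None
    return chain


def flag_interception(text, watchlist=WATCHLIST):
    """List (depth, issuer) for each certificate issued by a watch-listed name."""
    hits = []
    for depth, _subject, issuer in parse_chain(text):
        if any(w in issuer.lower() for w in watchlist):
            hits.append((depth, issuer))
    return hits


if __name__ == "__main__":
    for depth, issuer in flag_interception(SAMPLE):
        print(f"certificate {depth} was issued by: {issuer}")
```

A hit only identifies the issuer of the certificate the client received; whether that issuer is expected on a given network is a separate question.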
Re: (Score:1)
As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.
Also a former BlueCoat employee here.
While you are correct, that this cert can be used to create valid MitM certificates, this certificate will never be pushed out to customer boxes. They would never run the risk of a customer being able to get the private key, and then use it for whatever evil uses they have.
They could use their CA to sign other intermediate CAs that they push out onto customer boxes, but that is just as dangerous as giving them their CA.
What they are probably testing, is using t
Re: (Score:2)
If that's the case, then there is no reason not to untrust the cert, since it doesn't serve any purpose in the wild.
The only upside... (Score:2)
Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.
Re: (Score:2)
The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time. Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.
Agreed. It would be nice if Google, Apple, Microsoft, and Mozilla agreed to blacklist Symantec-signed certificates from their browsers. Unfortunately they have billions of dollars to throw at legislators and judges, so it wouldn't make a difference in the long run.
Re: (Score:2)
That was my first thought too, but while it may be Symantec's money going into the deal, Symantec is getting Blue Coat's CEO as part of the deal.
Why are security companies compromising themselves (Score:2)
Racketeering (Score:2)
Symantec is buying Blue Coat Systems. Avira Anti-Virus installs the MixPanel data harvester. What's going on with security companies nowadays?
They're having the problem that they can't grow fast enough to please their shareholders/investors. The market for security products is finite, competitive and customers aren't willing to pay ever increasing amounts of cash for their products. So their management is pushed inexorably towards sources of revenue that might not be in the best interests of their customers. Of course Symantec has produced crap software for a long time now so them making bad decisions is nothing new. Removing their crapware i
inspection or surveillance? (Score:2)
Corporate use is inspection of traffic to detect security breaches, but Service Provider use is surveillance?
Use of wildcard certs is one thing, but BlueCoat technology isn't designed for surveillance any more than network analysis tools are.