A controversial surveillance company whose products have been detected in Iran and Sudan was recently issued a powerful encryption certificate by a US cybersecurity company. The certificate, and the authority that comes with it, could allow Blue Coat Systems to more easily snoop on encrypted traffic. But Symantec, the company that provided it, downplayed concern from the security community.
Blue Coat, which sells web-monitoring software, was granted the power in September last year, but it was only widely noticed this week.
The company's devices are used by both government and commercial customers for keeping tabs on networks or conducting surveillance. In Syria, the technology has been used to censor web sites and monitor the communications of dissidents, activists and journalists, The Washington Post reports.
Certificates are used to encrypt web pages, including bank or email login screens. Certificate authorities (CA), such as cybersecurity company Symantec, act as the trust holders in the encrypted web—they sign certificates which are then used to secure websites. If a web browser comes across an untrusted certificate, then a warning may pop up, alerting the user.
CAs can award ostensibly trusted organisations with the power to sign certificates too. That is what happened here: in short, Symantec has vouched for Blue Coat's legitimacy.
"Think of a root CA like your super trustworthy friend who would never lie—if he or she says you can trust someone, you'd trust them," Bryan Crow wrote on WonderHowTo on Friday.
But having a company known for selling surveillance equipment to authoritarian regimes getting this extra power has made people pretty damn worried. So much so that security researcher Filippo Valsorda explained how to manually set an OSX system to distrust any certificate issued by Blue Coat. Others followed with instructions for Windows.
"Since they now have a trusted CA, and they're known for creating [man-in-the-middle] attack devices, they can use this certificate to issue fake certificates for any website you visit," Crow said.
"To clarify, they can intercept your connection to, say, YourBank.com, open their connection to YourBank using their real certificate, but send your computer their own certificate that claims to be YourBank's, sign it with their trusted CA, and your computer won't blink an eye. It will implicitly trust it, seeing as if it checks the signing CA, it'll find that it is properly signed, and trusted on your machine," Crow added.
"What the certificate does not give them the ability to do is issue public certificates to other organizations. That's the big misunderstanding."
But Symantec and Blue Coat said that the certificate was only used for internal testing.
"We provided it because companies that want to secure private servers without the risks that come with working in the public domain is a common customer request," Symantec spokesperson Jane Gideon told Motherboard in an email.
"Symantec has reviewed the intermediate CA issued to Blue Coat and determined it was used appropriately. Consistent with our protocols, Symantec maintained full control of the private key and Blue Coat never had access to it. Blue Coat has confirmed it was used for internal testing and has since been discontinued. Therefore, rumors of misuse are unfounded," she wrote.
When asked for comment, Blue Coat pointed to Symantec's statement.
The certificate is "still valid, and they could use it for further internal testing in the future as long as the CA is valid, which is a completely legitimate use," Gideon clarified.
"What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding."
"This intermediate CA is for their private servers only," she wrote.
Correction: Due to a formatting issue, a quote from Symantec looked like it was attributed to Bryan Crow. This article has since been updated to correct the error.