(no subject)
May. 30th, 2016 11:14 am
Hey, remember that time Google dropped an anvil on Symantec for playing stupid dangerous games with their root CA?
Symantec has now issued a CA certificate to spyware/malware vendor Bluecoat. This means Bluecoat can now issue properly signed certificates for any domain they want. Your browser will see a fake certificate for, say, Google, and will trust it without warning you that it's fake, because the certificate is issued by Bluecoat, who in turn are trusted by Symantec, and your browser trusts Symantec.
Here's how to fix that in Windows. And in OSX.
(Unfortunately, untrusting Symantec's root is not a viable option, yet. I suspect there's going to be a lot of people looking into how to make that viable, though, soon.)
(no subject)
Date: 2016-05-30 03:48 pm (UTC)
The difference is that now any old asshole can do the same meddling (and probably won't even need BlueCoat's software, as the CA private key will be recoverable. I know I could do that 10 years ago, and such SW vendors usually never learn).
The whole CA concept remains fundamentally b0rken.
(Not that I'd recommend Bluecoat for a corporate AV/URL-filter, as I had the distinct displeasure of dealing with the POS that is their software.)
(no subject)
Date: 2016-05-30 03:57 pm (UTC)
And in the meantime, all kinds of people who *aren't* on corporate networks on corporate hardware should know if someone is paying a notorious internet spying company to spy on them.
But yes, CAs and TLS trusting are fundamentally broken.