[personal profile] theweaselking
Hey, remember that time Google dropped an anvil on Symantec for playing stupid dangerous games with their root CA?

Symantec has now issued an intermediate CA certificate to spyware/malware vendor Bluecoat. Meaning Bluecoat can now issue properly-signed certificates for any domain they want. Your browser will see a fake certificate for, say, Google, and will trust it without warning you that it's fake, because the certificate is signed by Bluecoat, who in turn are trusted by Symantec, and your browser trusts Symantec's root.

Here's how to fix that in Windows. And in OSX.

(Unfortunately, untrusting Symantec's root is not a viable option, yet. I suspect there's going to be a lot of people looking into how to make that viable, though, soon.)
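To make the chain-of-trust point concrete, here is an added Go example (my own illustration, not code from the post or from any CA or vendor). It builds a constructed hierarchy with the standard crypto/x509 package: one root, a "legit" intermediate and a "rogue" intermediate under that root, and a leaf for the same hostname under each. It then layers a distrust list keyed by SHA-256 fingerprint on top of normal path validation, which is what "untrusting" a certificate in a Windows or OSX trust store amounts to. All names, hostnames and keys are constructed for the example; the distrust check (`VerifyWithDistrust`) is my own helper, not a crypto/x509 API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for cn signed by parent/parentKey; a nil parent means self-signed.
// Every identity here is constructed for the example; none is a real CA.
func newCert(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		DNSNames:              dns,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Fingerprint is the SHA-256 of the DER encoding: the value a distrust entry pins.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// VerifyWithDistrust runs standard path validation, then rejects every chain that passes
// through a distrusted certificate. It returns nil only if at least one clean chain remains.
func VerifyWithDistrust(leaf *x509.Certificate, host string, roots, inters *x509.CertPool, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if distrusted[Fingerprint(c)] {
				clean = false
				break
			}
		}
		if clean {
			return nil
		}
	}
	return errors.New("every chain passes through a distrusted certificate")
}

// Scenario is the constructed hierarchy: one root, two intermediates, one leaf under each.
type Scenario struct {
	Root, LegitCA, RogueCA, LegitLeaf, RogueLeaf *x509.Certificate
}

const host = "www.google.example" // constructed hostname both leaves claim

func BuildScenario() (*Scenario, error) {
	root, rootKey, err := newCert("Example Root CA (constructed)", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	legitCA, legitKey, err := newCert("Example Legit Intermediate (constructed)", true, nil, root, rootKey)
	if err != nil {
		return nil, err
	}
	rogueCA, rogueKey, err := newCert("Example Interception Intermediate (constructed)", true, nil, root, rootKey)
	if err != nil {
		return nil, err
	}
	legitLeaf, _, err := newCert(host, false, []string{host}, legitCA, legitKey)
	if err != nil {
		return nil, err
	}
	rogueLeaf, _, err := newCert(host, false, []string{host}, rogueCA, rogueKey) // forged leaf for the same host
	if err != nil {
		return nil, err
	}
	return &Scenario{root, legitCA, rogueCA, legitLeaf, rogueLeaf}, nil
}

// Outcomes reports: whether the forged leaf validates with no distrust list, whether it still
// validates once the rogue intermediate is distrusted, whether the genuine leaf survives that
// same distrust, and whether the genuine leaf survives distrusting the root itself.
func Outcomes(s *Scenario) (rogueOK, rogueAfterCADistrust, legitAfterCADistrust, legitAfterRootDistrust bool) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.LegitCA)
	inters.AddCert(s.RogueCA)
	none := map[string]bool{}
	caOnly := map[string]bool{Fingerprint(s.RogueCA): true}
	rootToo := map[string]bool{Fingerprint(s.Root): true}
	rogueOK = VerifyWithDistrust(s.RogueLeaf, host, roots, inters, none) == nil
	rogueAfterCADistrust = VerifyWithDistrust(s.RogueLeaf, host, roots, inters, caOnly) == nil
	legitAfterCADistrust = VerifyWithDistrust(s.LegitLeaf, host, roots, inters, caOnly) == nil
	legitAfterRootDistrust = VerifyWithDistrust(s.LegitLeaf, host, roots, inters, rootToo) == nil
	return
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	a, b, c, d := Outcomes(s)
	fmt.Printf("forged leaf, no distrust list: %v\n", a)
	fmt.Printf("forged leaf, intermediate distrusted: %v\n", b)
	fmt.Printf("genuine leaf, intermediate distrusted: %v\n", c)
	fmt.Printf("genuine leaf, root distrusted: %v\n", d)
}
```

The four outcomes are the whole argument of the post: the forged certificate is accepted as long as the browser only knows the root; pinning the rogue intermediate's fingerprint in a distrust list rejects it without touching the genuine site; and distrusting the root rejects the genuine site too, which is why "untrust Symantec's root" is not yet a practical option.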

(no subject)

Date: 2016-05-30 03:48 pm (UTC)
From: [identity profile] rbarclay.livejournal.com
Note that there are perfectly legitimate reasons for using a MITM proxy like BlueCoat, especially in a corporate-network setting. But there one usually generates a private CA, and sets that to trusted on the corp. PCs only. And one makes all the employees aware that their communications via corp. devices will (or may) be monitored.
The difference is that now any old asshole can do the same meddling (and probably won't even need BlueCoat's software, as the CA private key will be recoverable. I know I could do that 10 years ago, and such SW vendors usually never learn).

The whole CA concept remains fundamentally b0rken.

(Not that I'd recommend Bluecoat for a corporate AV/URL-filter, as I had the distinct displeasure of dealing with the POS that is their software.)

(no subject)

Date: 2016-05-30 03:57 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
In a corporate environment, if I can manipulate which certs are trusted and untrusted then I deserve to know if you're using Bluecoat. Even if I have to un-blacklist it again to make the web work.

And in the meantime, all kinds of people who *aren't* on corporate networks on corporate hardware should know if someone is paying a notorious internet spying company to spy on them.

But yes, CAs and TLS trusting are fundamentally broken.
