back to article Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried

Symantec’s deal to to buy Blue Coat, the controversial web filtering firm, for $4.65bn will bolster its enterprise security business. But some security experts are concerned about the potential for conflict of interest created by housing Symantec’s digital certificate business and Blue Coat’s man-in-the-middle SSL inspection …

  1. Philip Mather
    Mushroom

    Game Over

    The End.

  2. Anonymous Coward
    Anonymous Coward

    Is it real or is it Bluecoat?

    Symantec were caught handing out fake Google certs in the past. i.e. a site fraudulantly pretending to be Google.

    Now they have a whole company certified to issue such fraudulant certificates for devices it doesn't control. If it controlled the device, then their own certificate would be installed on that device. So this is fraud of website identity for websites they don't control and have no legal authority to sniff your traffic.

    No authority from the website, no authority from you. A man in the middle attack that should be illegal under countless hacking laws.

    At what point are we going to remove Symantec from TLS? How much more worse can they be?? You've rendered the worlds encryption and trust system useless. It's as trustworthy as a single company, Bluecoat, whose sole business requires hacking into traffic they don't have a right to hack!

    1. Anonymous Coward
      Anonymous Coward

      Re: Is it real or is it Bluecoat?

      Oh, and what about the 'Internet of things'. All those devices pulling bios updates across the net. Relying on the certificate to verify their own server is the correct one. How many devices are now compromised because the cert may be fraudulant? And thus the software update is compromised?

      How many devices can be compromised with malicious smurfs?

    2. DropBear

      Re: Is it real or is it Bluecoat?

      It's all an artefact of the (sadly very popular nowadays) line of thinking according to which horrible things are only evil when "bad guys" do them - the arbitrarily defined "good guys" are a-ok to murder kittens, "it's for the greater good"...

  3. s. pam
    Megaphone

    Prepare to get stung (again, and again) by the Yellow & Black peril

    Blue Coat has lost control of a certificate, blames Symantec but doesn't own up to their own fuck-up. How Symantec of them!

    Symantec published bad certificates, screws up lots of folks, barely admits the truth. How Blue Coat of them!

    Symantec has a long and proven track record of killing acquired technology and stuffing only a few parts into a.n.other business unit. In this case both companies' current product users/admins/owners should be VERY worried as the appliance product is likely being shoved into the most chaotic group possible to whip the acquired into submission.

    In 10++ years at Symantec until being freed in last summer's layoffs, this is the only cycle they know how to do. And they regularly will now have reorgs and infighting for who's in charge of whatever carcass of a product is left.

    Caveat Emptor -- time to find a.n.other vendor!

    1. Aodhhan

      Re: Prepare to get stung (again, and again) by the Yellow & Black peril

      Control of the certificate was never lost, it was 'supposedly' maintained by Symantec.

      They have a history of killing acquired technology?? You get this based on what?

      Did you apply to be a maintenance worker at Symantec and get turned down or what??

      I'm not Symantec fan, but seriously... you're an angry person who lets their emotions bypass the cerebral cortex.

      1. s. pam
        Flame

        Re: Prepare to get stung (again, and again) by the Yellow & Black peril

        @Aodhhan: "you're an angry person who lets their emotions bypass the cerebral cortex"

        You've so missed the point -- I watched this exact kind of Tom Fuckery go on there for years as I worked there! FYI, the Q/A labs passed certificates all over the place, so I'm not at the least bit surprised some "got out into the wild" as accidents do happen.

        The list of dead technology there is so long it won't fit in a comments box here, and others have clearly laid out a good list of /dead/technology Symantec has killed.

        You should take a powder, and go read ex-employee reviews of Symantec on glassdoor.com and you'll never have a cerebrum again.

    2. Lotaresco

      Re: Prepare to get stung (again, and again) by the Yellow & Black peril

      That is more or less exactly what I thought when I saw this. I've lost track of the products that Symantec has bought up and killed off or turned into junk. PC Tools, Norton, More and ACT were some of the items I used in the past that Symantec has either watered down or just killed off as quickly as possible. I don't understand why they continue to buy products that they don't want, don't understand or don't care enough about to maintain.

      Possibly there's some cunning plan in the background, but I can't see what it is.

      1. Mark 85

        Re: Prepare to get stung (again, and again) by the Yellow & Black peril

        Possibly there's some cunning plan in the background, but I can't see what it is.

        Two possibilities... 1) Kill off some competition or 2) get the patents for later trolling.

  4. Vimes

    Will the likes of Firefox continue including Symantec's certificates despite this?

  5. Anonymous Coward
    Anonymous Coward

    Spying is just another revenue stream

    I don't see why Symantec should not make the same money of supporting the NSA that presumably Google, Microsoft and MessageLabs do, and with this purchase they're in the best possible position to sell them an MITM-in-a-box.

    Clever move to get into the US surveillance industry. Well done.

  6. Zippy's Sausage Factory

    So Symantec bought them?

    I expect BlueCoat's business to go the same way as did QuarterDeck, Norton Ghost... oh god how many acquisitions have there been where they've destroyed perfectly good product lines?

    I fully expect that none of BlueCoat's product lines - except the one that Symantec will for some bizarre reason manage to keep profitable - will be around in a year or two...

    1. Sandtitz Silver badge

      Re: So Symantec bought them?

      "I expect BlueCoat's business to go the same way as did QuarterDeck, Norton Ghost..."

      Ghost - I agree.

      But Quarterdeck? They offered the best memory management and multitasking software for DOS, but their wares became irrelevant when Warp (1994) gained some mainstream status and especially once Windows 95 and NT4 (1996) was released. Symantec seem to have bought the company in 1998 when the company was already dying.

      1. Zippy's Sausage Factory

        Re: So Symantec bought them?

        Quarterdeck had a bit more than that, especially since I don't even remember the DOS stuff you're talking about. I was actually thinking of CleanSweep (rock solid reliable until Symantec made it as buggy as the Okefenokee swamp), PartitionIt!, Internet Suite (which was actually a very useful bit of kit, if I remember right)...

        Although to be fair, reading the Wikipedia article I'm not sure whether they acquired those. Either way, I was annoyed that some stuff I paid good money for and used and found very useful I couldn't get any more. (Eventually I might tell you the story of how I used CleanSweep to save people a small fortune in council tax, but not right now...)

  7. Flywheel

    Unhappy memories

    I have unhappy memories of Bluecoat. Back in the day I was writing a mobile app that relied on a 1-time URL being sent to a punter's mobile phone and this could then be used to get the data that had been requested. All was well during local testing, then I deployed it, and the 1-time link started self-destructing before the punter could access it. It transpired that my Telco, Three, was using Bluecoat to intercept all Internet browser requests before they actually went to the real web site.

    1. noodle heimer

      Re: Unhappy memories

      A fairly significant Bluecoat acquisition was Netronome, which gave the company an ASIC that could break SSL at wire speeds well north of 10 gbps (circa 2010, so I would expect the performance has gotten much better since.)

      Now we add ISPs and governments throwing these systems in and running transparently, along with the dishonesty of Symantec around certificate management and its important to trust to begin with... Awesome.

  8. Frank Bitterlich
    Terminator

    CA = Critical Infrastructure

    Governments, ICANN und other governing bodies have understood a long time ago that some critical infrastructure - like root DNS servers and such - are way too important to let a bunch of companies (many of them with a questionable rap sheet) take control over them.

    Maybe it's time to expand the concept to include the certificate authorities. Or, we could continue to let "the market" regulate who does what with their certs and let anybody sell, leak, lose their certs who has enough money to do so. And then let the big browser makes fix this by blocking some root certs; until they find out that you can make some extra money by whitelisting some certs for cash.

    "Can't access this or that website with your browser? Try Internet Exploder 16, it accepts more root certs than any other browser!"

  9. Aodhhan

    Yeah, this is crazy but....

    During penetration testing, I can conduct a MiTM attack on users quite easily because more than 80% of normal users and 25% of privileged users will click through a warning window. I get everyone's skepticism and love to push out anger like a bunch of grounded teenagers, but considering the seemingly love-fest with clicking through warnings, what Bluecoat -- Symantec did with certificates is pretty much nothing in comparison to the real problem.

    .

    You'd be shocked by the amount of businesses which don't implement proper PKI within their own environments, which only makes the problem worse. This trains people to click through warnings!

    Remember you can untrust a certificate and a CA, it's a lot harder to get people to not click warning messages.

    1. SoloSK71

      Re: Yeah, this is crazy but....

      do 99% of users even know the slightest about what this means? i doubt it.

      that was supposed to be the how point of 'trusted issuers', that you did not need to worry as they were supposed to be 'trusted' to a) do the background checks to make sure the person who asked for a cert was really the person who 'owned' the site (failed that years ago) and b) would not (be able to) use that certificate on their own to compromise a users or businesses communications (now failed)

      talk ab out the fox guarding the hen house, and in this case it is two foxes already proven to be perilously close to the ethical and legal line

      time to start removing their certs from the trusted issuers on my personal systems

      1. Anonymous Coward
        Anonymous Coward

        Re: Yeah, this is crazy but....

        time to start removing their certs from the trusted issuers on my personal systems

        That should prove to be an interesting experiment. Time to break out the sacrificial victim error laptop.

    2. Anonymous Coward
      Anonymous Coward

      Re: Yeah, this is crazy but....

      That assumes the only data is dumb people reading internet websites. A lot is data flowing between apps and businesses, software updates etc. Think of all the apps being updated by HTTPS, all the banking apps connection in the backend across HTTPS. Voice mail, video conferencing, messaging,.... all using certs to verify their target server, all compromised because the cert is compromised.

    3. DropBear

      Re: Yeah, this is crazy but....

      "considering the seemingly love-fest with clicking through warnings"

      Why, what else do you expect when even reputable websites regularly throw up security errors and warning simply because they use a certificate to host something on some other domain than their main one for which the cert was originally issued? Not to mention ephemeral "minisites" with their own "domain" etc...? Do not forget - there are places where security is the most important thing, but in most cases the absolute, absolute most important thing is simply Getting That Shit Done.

  10. Anonymous Coward
    Anonymous Coward

    Norton, geez

    "Consumer sales have become a legacy business for Symantec because Microsoft has improved its security defences, freemium anti-virus software firms such as AVG and Avast are gaining big market share, and competitors and new entrants have outflanked the company in the mobile security software market."

    And Norton has always been utter shite anyway.

  11. Pirate Dave Silver badge
    Pirate

    Great

    So now what's left of Packeteer will become fodder in the Symantec corral. Sad. So sad. Packeteer's PacketShaper was one of those things that did EXACTLY what they said it could do, no ifs, ands, or buts. And the classic "tree" GUI made them so very, very easy to work with. Bluecoat at least had sense enough not to fuck that up, I doubt Symantec will be that smart. I've looked at other traffic shaping devices and none of them have a GUI that can hold a candle to the Packetshaper (and most of them don't seem to shape traffic as well either).

    Not that it matters much now that Google, YouTube, et al, have frog-marched everyone to SSL. Makes it very, very hard for the Shaper to classify the traffic as well as it could 10 years ago.

  12. energystar
    Angel

    Well...

    If they're not welcomed at the Bottom...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like