@Scunner - Re: Certificate Authority buys enterprise grade SSL decryption biz? What could go wrong?
How about this then? http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
Their gear is already being used in non-consensual ways. Just not by our own governments yet (to our knowledge).
Also, there's a new ElReg article highlighting the same issue, quoting concern in the security community about the acquisition: http://www.theregister.co.uk/2016/06/14/symantec_blue_coat_analysis/
The thing is that for enterprise-level security, backed by clear consent (via employment contract, code of conduct, etc.), there's no need to have a proper cert on the Blue Coat appliances. The Blue Coat cert will just be added to the trusted lists on all clients and you're good to go.
Having an already widely trusted cert just enables much easier misuse of decryption, without any added security benefit for the normal enterprise customer.
It wasn't too long ago that Google threatened to mark Symantec as "untrusted" as well, because of other blunders:
Five years ago I would have agreed with your analogy to cars. However, nowadays every citizen is presumed guilty and subjected to extreme surveillance, further extended by IPB & Co, which is a hard-to-grasp concept already. To add insult to injury we see privacy infringed not only by government agencies, but also by lots of big enterprises; and Symantec/Blue Coat would make it so much easier for everybody that I find it difficult to give them the benefit of the doubt and assume all the best intentions. Complacency and ignorance are what got us into this state of surveillance, and we're only at the beginning of it. Forgive me if I cannot just look at Symantec/Blue Coat and assume best intentions. For the protection of a local network with Blue Coat, a proper CA-signed cert isn't needed; for transparent decryption in other places, on the other hand, it is.
My original argument was that Symantec can no longer be trusted as a CA because their cert on Blue Coat appliances used by others will enable transparent decryption.
I stand by that. Trust, for me, is not only defined as to whether I think an entity is doing the right thing and has good intentions, but also if whatever they provide can be misused by others. An analogy to that would be a trusted network vs a DMZ. You control servers in the DMZ, and should be able to trust them, but they can potentially cause harm due to the fact that others may compromise (gain access, misuse) them, hence you keep them away from the crown jewels.
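Editor's added example (not from any of the posters above, and not Blue Coat or Symantec code): the comments argue that an intercept proxy carrying a publicly trusted certificate would pass the client's normal trust-store check. What still changes under interception is the issuer the client sees, since the proxy re-signs the server's certificate with its own CA. Pinning the expected issuer for the handful of sites you care about is a cheap way to surface that, whether the proxy's CA was pushed to your trust store by your employer or arrived publicly trusted. Host names, organisation names and the two certificate dicts below are constructed for illustration; the dicts mimic the shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Issuer pinning as a cheap check for TLS interception (added example)."""
import socket
import ssl


def _rdn_value(name, key):
    """Pull attribute `key` out of a getpeercert()-style name.

    getpeercert() encodes a name as a tuple of RDNs, each RDN being a tuple of
    (attribute, value) pairs, e.g. ((('organizationName', 'Acme'),), ...).
    """
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_issuer(peer_cert, expected_issuer_orgs):
    """Compare the issuer organisation of `peer_cert` with a pinned set.

    peer_cert: dict shaped like ssl.SSLSocket.getpeercert() output.
    expected_issuer_orgs: organizationName values of the CAs that should be
    issuing for this site.
    Returns (ok, issuer_org). ok is False on any unexpected or missing issuer,
    which is the signal for a re-signed (intercepted) certificate.
    """
    issuer_org = _rdn_value(peer_cert.get("issuer", ()), "organizationName")
    return issuer_org in set(expected_issuer_orgs), issuer_org


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper (needs network, not exercised here): do a normal verified
    handshake and return the peer certificate as getpeercert() reports it.

    Note that getpeercert() only returns a populated dict when verification
    succeeded, which is exactly the case when an intercepting CA is trusted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed inputs: what a client sees without, and with, an intercept proxy.
# Names are hypothetical.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Corp Proxy CA"),),
        (("commonName", "corp-proxy-intermediate"),),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# The issuer you recorded when you last saw the site from an uncontrolled network.
PINNED_ISSUERS = {"Example Public CA"}


if __name__ == "__main__":
    for label, cert in (("direct", DIRECT_CERT), ("intercepted", INTERCEPTED_CERT)):
        ok, org = check_issuer(cert, PINNED_ISSUERS)
        verdict = "pinned issuer" if ok else "UNEXPECTED issuer, possible interception"
        print(f"{label:12s} issuer={org!r}: {verdict}")
```

The check is deliberately independent of whether the proxy's CA is trusted: the trust-store verdict is the thing the thread says a publicly trusted intermediate would subvert, so the pin has to live above it. It is only as good as the baseline you record, and legitimate CA changes at the site will trip it, so treat a mismatch as something to investigate rather than proof of interception.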