While it may not sound scary right off the bat, Blue Coat Systems now has an intermediate certificate authority. If you don't know what a certificate authority (CA) is, or who Blue Coat is, who cares, right? But you should... whether you use Mac or Windows.
Blue Coat is notorious for manufacturing and providing TLS man-in-the-middle (MiTM) equipment to both enterprises and governments, to both analyze and block network traffic. And if that isn't enough to concern you, read on.
When traffic is sent across the web, it's encrypted using a certificate that makes a claim to have been issued by a specific company. As making a certificate requires no special skills, how do we know we can trust that a given certificate really came from the company it said it did?
Well, we have chosen to trust a number of certificate authorities, such as Verisign, a name you've probably heard before, who sign certificates essentially lending their own credibility to them by saying they really do come from the company they say they do.
These root certificate authorities are preinstalled on your computer so that your operating system and web browser will know if a given certificate is trustworthy or not.
An intermediate certificate is essentially handed trust from the root CA, and they can pass on their own trust to whatever certs they create. So, in essence, they have the same authority, but allow for some to block them and those they sign without blocking the entirety of the certificates signed by the root CA or their other intermediate CAs.
Think of a root CA like your super trustworthy friend who would never lie—if he or she says you can trust someone, you'd trust them.
Since they now have a trusted CA, and they're known for creating MiTM attack devices, they can use this certificate to issue fake certificates for any website you visit. To clarify, they can intercept your connection to, say, YourBank.com, open their connection to YourBank using their real certificate, but send your computer their own certificate that claims to be YourBank's, sign it with their trusted CA, and your computer won't blink an eye. It will implicitly trust it, seeing as if it checks the signing CA, it'll find that it is properly signed, and trusted on your machine.
They'll be able to see all your traffic and YourBank won't know they difference as the traffic will be re-encrypted using the real certificate before it's sent off to them. The same applies to literally any website that uses HTTPS to encrypt their connection. Facebook, Google, iCloud... all fair game.
This all means you should definitely be worried. But everything will be okay, because you can "untrust" this shady intermediate CA from Blue Coat on both Mac and Windows. At least for now, until they make a new one.
Both Symantec (the issuing root CA) and Blue Coat claim that this intermediate CA is just for testing purposes, but whether or not you believe that is up to you. Also, Symantec is set to acquire Blue Coat for about $4.65 billion by the end of the year, so expect more shady business from the two going forward.
For instructions on untrusting it:
- If you're on Mac OS X, Filippo Valsorda, who brought everyone's attention to this in the first place, has an easy-to-follow guide.
- If you're on Windows, there's a great guide on MSMVPs.
You will have to download the Blue Coat certificate in order to untrust it, but don't worry—this is completely safe. Certificates are downloaded all the time on your computer just by visiting HTTPS sites, and the download links provided in the tutorials come straight from the open-source Certificate Search project, which is maintained by Comodo, one of the major root CAs.