Companies could use ‘intermediate’ web security certificates to spy
A certificate authority (CA) is a trusted entity that issues electronic certificates (duh) to verify identity on the Internet. They’re a key part of secure communications online — and thus super important. Then there’s intermediate CAs, signed by a root CA, making certificates for any website. However, they’re just as powerful as those root ones. Worse still, there’s no full list for the ones your system trusts because root CAs can make new ones whenever it wants, and our computers will trust ’em immediately. This is a problem when companies get their hands on them, although they could have legitimate reasons for using an intermediate CA within their own networks.
Companies (in this case Blue Coat Systems, a web security firm which has an intermediate CA signed by Symantec last year) could use its CA to view your web traffic and decrypt it anywhere — not just on specific networks. “Man in the middle” attacks (MiTM) could mean anyone with a intermediate CA could take whatever you throw into the web (as you assume a site was secure), and secretly relay and even tweak communications between you and said site.
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX
Here’s how to untrust it https://t.co/NDlbqKqqld pic.twitter.com/mBD68nrVsD
— Filippo Valsorda (@FiloSottile) May 26, 2016
Filippo Valsorda, from the CloudFlare Security Team, notes that thousands have been logged already, and picked up an intermediate CA to explain how to untrust these types of CA explicitly. There’s instructions for both Mac OS and Windows. The problem remains, that while it would stop that intermediate CA, it won’t stop the root CA from making a new intermediate to the same organization.
(24)