Man-in-the-middle biz Blue Coat bought by Symantec: Infosec bods are worried
HTTPS-buster and root cert bods joining up? Hmm
Analysis Symantec’s deal to to buy Blue Coat, the controversial web filtering firm, for $4.65bn will bolster its enterprise security business.
But some security experts are concerned about the potential for conflict of interest created by housing Symantec’s digital certificate business and Blue Coat’s man-in-the-middle SSL inspection technologies under the same roof. Business dealings between the two firms have already prompted cause for concern.
Blue Coat sells a range of web and network security appliances and technologies such as ProxySG, a technology that offers content filtering, authentication and caching functionality. One of its products is an SSL Visibility Appliance, which sits in the middle of encrypted traffic flows in order to identify threats (such as botnet communications, data exfiltration by hackers and so on).
Blue Coat technology masquerades as legit websites while Symantec, who bought VeriSign's certification business six years ago, is the biggest provider of SSL certificates.
Last month Blue Coat was accused of misusing an intermediate certificate authority, backed by root certificate authority Symantec. This facility created a means for Blue Coat to issue security certs for almost any website it wanted – certificates that would be implicitly trusted by browsers and apps on PCs, phones and gadgets.
Blue Coat said the facility was used for internal testing and that “rumours of misuse are unfounded”. It also added that “Symantec maintained full control of the private key”, an assurance weakened by the imminent acquisition of Blue Coat by Symantec.
“The conflict between being simultaneously a certificate authority and certificate exploiter is huge,” said Rob Graham of Errata Security, the developer of BlackICE intrusion prevention software. “The real authorities (Microsoft, Google, Firefox, Apple) have been lax, letting CAs slide, but this time they might do something. On the other hand, Blue Coat is a natural fit for AV [anti-virus], letting customers AV scan things otherwise encrypted with SSL.”
We like the management so much, we bought the company
Blue Coat’s web gateway appliances will be added to Symantec’s existing corporate-focused email and endpoint security as well as its consumer-focused Norton anti-virus software.
Traditionally Symantec’s security sales were split more or less evenly between corporate and consumers sales through its Norton line.
Consumer sales have become a legacy business for Symantec because Microsoft has improved its security defences, freemium anti-virus software firms such as AVG and Avast are gaining big market share, and competitors and new entrants have outflanked the company in the mobile security software market.
Acquiring Blue Coat will mean that 62 per cent of Symantec's revenues will come from enterprise security and this will position it better to compete with other enterprise security heavyweights such as FireEye, Check Point Software and Palo Alto Networks.
Although the shift towards the enterprise strategy is clear, Symantec has no immediate plans to sell its consumer unit, which remains profitable, Reuters reports.
Symantec sold its Veritas enterprise software storage business for $7.4bn to a group led by Carlyle Group back in January as part of the same strategy of focusing on the enterprise security software market. ®
Sponsored: Customer Identity and Access Management