So, there was this tweet that got passed around the security community pretty quickly:
BlueCoat now has a CA signed by Symantec https://t.co/8OXmtpT6eX
— Filippo Valsorda (@FiloSottile) May 26, 2016
Kind of confusing and scary if you’re not quite sure what this all means – perhaps clear and scary if you do.
BlueCoat manufactures “man in the middle” devices – sometimes used by enterprises to scan and inspect / block outbound traffic across their network, and apparently also used by governments to scan and inspect traffic across the network.
The first use is somewhat acceptable (enterprises can prevent their users from distributing viruses or engaging in illicit behaviour from work computers, which the enterprises quite rightly believe they own and should control), but the second use is generally not acceptable, depending on how much you trust your local government.
Filippo helpfully gives instructions on blocking this from OSX, and a few people in the Twitter conversation have asked how to do this on Windows.
Don’t do this on a machine you don’t own or manage – you may very well be interfering with legitimate interference in your network traffic. If you’re at work, your employer owns your computer, and may intercept, read and modify your network traffic, subject to local laws, because it’s their network and their computer. If your government has ruled that they have the same rights to intercept Internet traffic throughout your country, you may want to consider whether your government shouldn’t be busy doing other things like picking up litter and contributing to world peace.
As with most things on Windows, there are multiple ways to do this. Here’s one, which can be followed either by regular users or administrators. It’s several steps, but it’s a logical progression, and will work for everyone.
Step 1. Download the certificate. Really, literally, follow the link to the certificate and click “Open”. It’ll pop up as follows:
Step 2. Install the certificate. Really, literally, click the button that says “Install Certificate…”. You’ll see this prompt asking you where to save it:
Step 3. If you’re a non-administrator, and just want to untrust this certificate for yourself, leave the Store Location set to “Current User”. If you want to set this for the machine as a whole, and you’re an administrator, select Local Machine, like this:
Step 4: Click Next, to be asked where you’re putting the certificate:
Step 5: Select “Place all certificates in the following store”:
Step 6: Click the “Browse…” button to be given choices of where to place this certificate:
Step 7: Don’t select “Personal”, because that will explicitly trust the certificate. Scroll down and you’ll see “Untrusted Certificates”. Select that and hit OK:
Step 8: You’re shown the store you plan to install into:
Step 9: Click “Next” – and you’ll get a final confirmation option. Read the screen and make sure you really want to do what’s being offered – it’s reversible, but check that you didn’t accidentally install the certificate somewhere wrong. The only place this certificate should go to become untrusted is in the Untrusted Certificates store:
Step 10: Once you’re sure you have it right, click “Finish”. You’ll be congratulated with this prompt:
Step 11: Verification. Hit OK on the “import was successful” box. If you still have the Certificate open, close it. Now reopen it, from the link or from the certificate store, or if you downloaded the certificate, from there. It’ll look like this:
The certificate hasn’t actually been revoked, and you can open up the Untrusted Certificates store to remove this certificate so it’s trusted again if you find any difficulties.
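The same wizard steps, scripted in PowerShell, as an added example that is not part of the original post. The function name, its parameters and the file name in the usage line are made up for illustration; Import-Certificate is the built-in cmdlet and Disallowed is the internal name of the “Untrusted Certificates” store. It assumes PowerShell 5 or later and a certificate file you have already downloaded.

```powershell
# Added example, not from the original post.
function Add-UntrustedCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,  # certificate file you downloaded
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $Scope = 'CurrentUser',            # Step 3: Store Location
        [switch] $Undo                              # take it back out again
    )
    $ErrorActionPreference = 'Stop'

    # Step 3: Local Machine is only for administrators.
    if ($Scope -eq 'LocalMachine') {
        $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
            throw 'LocalMachine needs an elevated PowerShell session.'
        }
    }

    # Steps 1-2: open the file and show what is about to be untrusted.
    $file = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Issuer:     $($cert.Issuer)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"

    # Steps 5-8: "Untrusted Certificates" is the store named Disallowed.
    # The store is fixed here so the file cannot land in a trusted store.
    $store = "Cert:\$Scope\Disallowed"
    $entry = Join-Path $store $cert.Thumbprint
    if ($Undo) {
        Remove-Item -LiteralPath $entry
        return
    }
    Import-Certificate -FilePath $file -CertStoreLocation $store | Out-Null

    # Step 11: confirm the entry exists, then rebuild the chain offline.
    if (-not (Test-Path -LiteralPath $entry)) { throw "Not found in $store" }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($cert)
    [pscustomobject]@{
        Store       = $store
        Thumbprint  = $cert.Thumbprint
        # ExplicitDistrust is the flag for a certificate found in Disallowed
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Add-UntrustedCertificate -CertPath .\downloaded.crt
```

Compare the printed thumbprint with the one shown in the certificate dialog before relying on the result; running the function again with -Undo removes the entry.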
There are other methods to do this – if you’re a regular admin user on Windows, I’ll tell you the quicker way is to open MMC.EXE, add the Certificates Snap-in, select to manage either the Local Computer or Current User, navigate to the Untrusted Certificates store and Import the certificate there. For wide scale deployment, there are group policy ways to do this, too.
OK, OK, because you asked, here’s a picture of how to do it by GPO: