
I didn’t want to pick on VeriSign/Symantec specifically, but there was a story that broke earlier this week that got me thinking about what would happen if an SSL Certificate Authority were compromised.

VeriSign is a trusted CA, and was bought out by Symantec back in 2010. Blue Coat is an interception hardware vendor that by its own admission sells to regimes with questionable human rights histories. The problem is that Symantec appears to have granted Blue Coat intermediate CA status, with the ability to verify SSL connections as secure on behalf of Symantec.
Take a look at the crt.sh entry and judge for yourself. The commonName is ‘Blue Coat Public Services Intermediate CA’, and the cert doesn’t expire until September 2025.

On a corporate network, the admins might install their own root certificates on the client machines, which enables them to decrypt SSL traffic for the purpose of detecting malicious activity. This is entirely legitimate if it’s done by whoever owns the network and all the client machines. I’m a little skeptical about the claim Blue Coat was limited to being an intermediate CA for testing purposes within a corporate network only.
The ‘trusted’ CA model would be fundamentally broken if this became common practice, since it would allow anyone operating Blue Coat’s MITM kit to tamper with HTTPS sessions undetected. The browser wouldn’t flag that connection as compromised, and we’d be none the wiser without a deliberate inspection of the certificate.

Looking at one certificate where Symantec is the CA, it transpired that the root CA is actually ‘VeriSign Class 3 Public Primary Certification Authority – G5’.

the-apple-cert-verisign

Symantec bought out VeriSign a while ago, so life could get pretty awkward for anyone who revokes or removes Symantec from their certificate lists without making a backup.

Scrapping the Intermediate CA
Ideally you’d do the following procedure for a cert where the subject or common name is ‘Blue Coat’, but since I haven’t encountered that yet, I’ve done this with a cert signed by Symantec. If you’re going through with this, make sure you keep a backup of the file.

symantec-cert-component

If we try to open that file in Windows Explorer, Windows will recognise it as a certificate, and we get the option to install it using the Certificate Import Wizard. The wizard also gives us the option of importing it into the Untrusted Certificates store.

firefox-insecure-connection

How to Remove SSL Certificate in Windows
In Windows 8.1, search in the start screen for ‘Manage computer certificates’. The entries you’d want for this are under Third-Party Root Certification Authorities and Trusted Root Certification Authorities, and they can be deleted or have their permissions modified in their Properties.

windows-cert-manager

In Windows 7, run certmgr.msc and do the same as above.

Certificates can also be revoked or deleted in the Advanced options in Firefox.

firefox-cert-list

How to Remove SSL Certificate in Linux
In the Advanced settings of Firefox, certificates can be deleted or revoked, and their trust settings modified.

firefox-edit-cert-trust

Alternatively, download the certificate from crt.sh and try to import it into Firefox’s Certificate Manager; note that the trust settings are blank by default. You’ll then see it listed under VeriSign as ‘Blue Coat Public Services Intermediate CA’. Click the ‘Delete or Distrust’ button in the Certificate Manager: the certificate will still be installed, but marked as untrusted.

import-bad-cert

In Linux Mint, there are also certificates in /etc/ssl/certs/ca-certificates.crt, and the CA lists are in /etc/ca-certificates.conf. Entries in the ca-certificates.conf file can be invalidated by prefixing them with ‘!’. You’ll also find public keys for the CAs in /usr/share/ca-certificates/mozilla.
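
One way to script the ‘!’ prefix described above, as an added example that is not from the original post. The helper names disable_ca and write_sample_conf and the sample entries are constructed for illustration, and the demo only edits a temporary copy.

```shell
#!/bin/sh
# Added example: deselect CA entries in a ca-certificates.conf-style file.

# disable_ca CONF PATTERN  (hypothetical helper name)
# Prefix each active entry containing the fixed string PATTERN with '!',
# keep a one-time backup at CONF.bak, and print how many entries changed.
disable_ca() {
    conf=$1
    pattern=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    [ -n "$pattern" ] || { echo "empty pattern" >&2; return 2; }
    # Never overwrite an earlier backup with an already-edited file.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 2
    # Active entries: not blank, not a '#' comment, not already '!'.
    count=$(awk -v pat="$pattern" '
        !/^[#!]/ && NF && index($0, pat) { n++ }
        END { print n + 0 }' "$conf")
    tmp=$(mktemp) || return 2
    awk -v pat="$pattern" '
        !/^[#!]/ && NF && index($0, pat) { print "!" $0; next }
        { print }' "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$conf"   # rewrite in place so mode and owner are kept
    rm -f "$tmp"
    echo "$count"
}

# Constructed sample in the format of /etc/ca-certificates.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
mozilla/Example_Root_CA_1.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
!mozilla/VeriSign_Already_Disabled_Example.crt
mozilla/Example_Root_CA_2.crt
EOF
}

# Demo on the constructed sample only; nothing under /etc is touched.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/ca-certificates.conf"
echo "entries disabled: $(disable_ca "$demo_dir/ca-certificates.conf" VeriSign)"
cat "$demo_dir/ca-certificates.conf"
rm -rf "$demo_dir"
```

On a real system, run the function as root against /etc/ca-certificates.conf and then run update-ca-certificates, which regenerates the bundle in /etc/ssl/certs without the deselected entries.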
