Symantec is one of the companies that holds the keys to the Internet: it is a certificate authority trusted to vouch for the identity of major web sites. Every major browser accepts Symantec-issued TLS server certificates, and its certificate business (the former VeriSign business, bought in 2010) sits at the top of a chain of trust that lets a browser tell a genuine web site from an impostor.
Recent reports suggest that Symantec has broken that trust. It has delegated part of its signing authority to Blue Coat Systems, a company that makes and sells network-interception gear. A 2013 report by Reporters Without Borders devotes two pages to Blue Coat's role in helping repressive regimes monitor encrypted web traffic.
Symantec has issued Blue Coat an intermediate (subordinate) CA certificate. Any browser that trusts Symantec's root will accept a certificate chained through that intermediate, so whoever holds its private key can mint a certificate for any site name, and Blue Coat's gear can present such certificates to decrypt intercepted connections without any warning to the user.
The Blue Coat gear uses a “man in the middle” or “bucket brigade” attack: it terminates the browser's TLS connection with a certificate forged for the requested site, opens its own TLS connection to the real server, and relays traffic between the two, reading the plaintext in the middle. The forged certificate passes only because it chains to a root the browser already trusts.
Certificate authorities are not supposed to delegate their authority this way, least of all to a company whose business is interception. What if Blue Coat is a front for a foreign government or criminal enterprise? It just doesn't make sense.
Even worse, Symantec can't unring this bell. Once the certificate and its private key are in someone else's hands, Symantec cannot call them back: until the certificate expires, that key can sign as many new certificates as its holder likes. All Symantec can do is declare the certificate “revoked” in its CRL and OCSP responder. But a lot of software never checks revocation at all, and browsers that do typically fail open when the check times out. The one real backstop is that browser vendors can push the intermediate into their own blocklists (Mozilla's OneCRL, Chrome's CRLSets), which do not depend on a revocation check succeeding at connection time.
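The trust delegation described in the paragraphs above and the revocation problem in this one, as an added example in Go that is not code from the original post or from any of the companies named: it builds a self-signed root (standing in for Symantec), signs a subordinate CA certificate for a second party (standing in for Blue Coat), lets that party mint a certificate for www.example.com, and shows that a relying party trusting only the root accepts the forged certificate, that Go's own `x509.Certificate.Verify` never consults a revocation list, and that only a verifier which checks the chain against one rejects it once the subordinate is revoked. All names, serial numbers, lifetimes and the revocation list are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate is a certificate that may sign other certificates (no name
// constraints, so it can sign for any domain). Names are stand-ins.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate is an ordinary server certificate for host.
func leafTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a fresh key pair and signs template with parentKey. With a
// nil parent the certificate is self-signed, i.e. a root.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// revoked lists serial numbers a relying party should refuse, keyed by issuer
// DN. It stands in for a CRL, an OCSP response, or a browser blocklist.
type revoked map[string][]*big.Int

// verify runs standard path validation from leaf to root and, only if a
// revocation list is supplied, rejects any chain member found on it.
// x509.Certificate.Verify by itself performs no revocation checking.
func verify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string, rl revoked) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil {
		return err
	}
	for _, c := range chains[0] {
		for _, serial := range rl[c.Issuer.String()] {
			if serial.Cmp(c.SerialNumber) == 0 {
				return fmt.Errorf("%q (serial %v) revoked by %q", c.Subject.CommonName, c.SerialNumber, c.Issuer.CommonName)
			}
		}
	}
	return nil
}

// Outcome records what a relying party decides in each situation discussed.
type Outcome struct {
	ForgedAcceptedWithoutIntermediate bool // leaf alone: chains to nothing trusted
	ForgedAcceptedNoRevocationCheck   bool // delegated intermediate present, no revocation check
	ForgedAcceptedWithRevocationCheck bool // same chain, relying party honours the CRL
}

// Scenario builds root -> delegated intermediate -> forged leaf and checks it
// three ways. The intermediate is revoked after the leaf has been minted.
func Scenario() Outcome {
	root, rootKey := issue(caTemplate("Trusted Root CA (stand-in for Symantec)", 1), nil, nil)
	delegated, delegatedKey := issue(caTemplate("Delegated CA (stand-in for Blue Coat)", 2), root, rootKey)
	forged, _ := issue(leafTemplate("www.example.com", 3), delegated, delegatedKey) // site not owned by the issuer
	crl := revoked{root.Subject.String(): {delegated.SerialNumber}}
	chain := []*x509.Certificate{delegated}
	return Outcome{
		ForgedAcceptedWithoutIntermediate: verify(forged, nil, root, "www.example.com", nil) == nil,
		ForgedAcceptedNoRevocationCheck:   verify(forged, chain, root, "www.example.com", nil) == nil,
		ForgedAcceptedWithRevocationCheck: verify(forged, chain, root, "www.example.com", crl) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The second result is the one the post is about: with the delegated intermediate in hand, a certificate for a site the issuer does not own validates cleanly against the root, and a verifier that skips revocation (as Go's `Verify` does by default, and as much deployed software does) keeps accepting it after the intermediate is revoked. Only the verifier that consults the revocation list turns it away.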