Blue Coat Systems Inc. (BCSI) is a U.S. American company. Blue Coat develops software and systems that are used by dictators to monitor people and censor information. This has been discovered in autocratic states like Syria and Iran for example. Unfortunately, some clueless managers of Western companies support Blue Coat by spending tons of money on security simulation devices advertised by Blue Coat.
How do you know that a Blue Coat Proxy is in your network ?
First things first. Here are some abbreviations and explanations that you need to know:
- BCSI – Blue Coat Systems Inc. – abbreviation of the company name
- bcsi-ac – authentication cookie – can sometimes be seen in a URL
- Certificate – is used by web sites and web browsers for authentication
- HTTP – HyperText Transfer Protocol – a network protocol for the web
- HTTPS – HTTP Secured – a secure network protocol with encryption based on SSL
- SIM card – Subscriber Identity Module – a card that allows mobile phone calls and mobile internet
- SGSO – Security Gateway Operating System – the software of a Blue Coat System
- SSL – Secure Sockets Layer – encrypted connection
- WebSSO – Web Single Sign-On – usually used in companies for single sign-on
Blue Coat Software can change SSL certificates and break your HTTPS connections. Some hints that you have a Blue Coat Proxy in your network:
- you see bcsi-xx-something-xxx in your URL
- your web browser tells you that the certificate of an HTTPS site is untrusted
- your web browser tells you secure connection failed
- the fingerprint of a certificate from an HTTPS site is different
- software tools outside the browser – like wget – do not work any more
What can you do when you discover that you have a Blue Coat Proxy in your network.
Here are some suggestions. The solution that causes the least trouble: Avoid using a network that contains a Blue Coat Proxy. In a free world it should not be a problem to buy a SIM card and get internet access via mobile networks (e.g. UMTS, LTE).
Solution 1: The USB stick
As illustrated in the figure above, the laptop is in a tainted network that contains the Blue Coat Proxy. The laptop cannot use HTTPS at TCP port 443 because Blue Coat delivers a fake SSL certificate. To upload and download software via HTTPS you can use a smartphone in a mobile network. Copy the software with a USB stick from the smartphone to the laptop. This is a clean separation of the two networks.
Solution 2: USB tethering
As illustrated in the figure above, the laptop is in a tainted network that contains the Blue Coat Proxy. This time the smartphone is connected to the laptop via USB – this is called USB tethering. The laptop does not have to rely on the tainted network. It can use the mobile network. Make sure that you do not have spy or monitoring software on your laptop ! The easiest way to achieve this is to bring your own device (BYOD). For the more experienced users – become the administrator of the laptop and install your own software.
Solution 3: Tunnel the Blue Coat Proxy
The solution to tunnel the Blue Coat Proxy is technically possible without problems but not recommended. Use it only if you are an experienced computer user and if you can handle the trouble when your tunnel is discovered. The solution illustrated in the figure above, uses an internal proxy that runs on the laptop and an external proxy in the Internet. Both additional proxies are shown in green. In your web browser you have to enter the internal proxy at localhost in your network settings. The internal proxy encodes your HTTPS-traffic and sends it over HTTP through the Blue Coat Proxy. The external proxy decodes the HTTP-traffic and sends the HTTPS-traffic into the Internet. With this tunnel the SSL certificates of the web server remain valid. Furthermore, web sites cannot be censored any more.
Since I do not recommend this solution, I’m not going to provide software. If you have a Blue Coat Proxy in your company network, you might need to authenticate via WebSSO. This is Web Single Sign-On and works only with a cookie in the web browser. All software outside the browser with standardized basic authentication will break. With WebSSO you have to get a cookie before you tunnel your traffic through HTTP.
The programming languages Java and Ruby have HTTP programming libraries and are suitable. To get an overview about your authentication process you can use the Firefox add ons Live HTTP Headers and HTTPFox.
As stated above, solution one or two are easy and don’t cause too much trouble. If you really prefer solution 3, here are some last tips. Don’t make too much noise using a tunnel. Change your tunnel encoding from time to time (spaces, tabs, base64, whatever). Don’t tell other people about your tunnel. Stay under the radar ! Good luck !