
Worse than Superfish? Comodo-affiliated PrivDog compromises web security too

Lucian Constantin | Feb. 24, 2015
The tool replaces SSL certificates without validating them first, opening the door to man-in-the-middle attacks.

For example, an attacker on a public wireless network or with control over a compromised router could intercept a user's connection to bankofamerica.com and present a self-signed certificate that would allow him to decrypt traffic. The user's browser would normally reject such a certificate.

However, if PrivDog is installed, the program takes the attacker's self-signed certificate and creates a copy signed with its own trusted root certificate, forcing the browser to accept it. In essence, the user's traffic would be intercepted and decrypted by the local PrivDog proxy, while PrivDog's own connection to the real site would be intercepted and decrypted by the attacker.
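The step the article says PrivDog skips is validation of the site's certificate before the proxy re-signs it. The Go program below is an added example, not code from PrivDog or Comodo: it constructs a throwaway CA, a legitimate certificate issued by that CA, and a self-signed certificate for the same hostname, then applies the check an intercepting proxy must pass before re-signing anything for the browser. The CA name and the hostname "bank.example" are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a throwaway P-256 certificate for cn with key usage ku (a CA when ku includes CertSign), signed by parent, or self-signed when parent is nil.
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku,
		DNSNames: []string{cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // self-signed: the certificate vouches only for itself
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyUpstream is the check the article says PrivDog skipped: chain the site's certificate to a trusted root and match the hostname before re-signing it for the browser.
func verifyUpstream(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// demo uses the constructed hostname bank.example: a leaf issued by the trusted CA and a self-signed leaf for the same name (what an interceptor would present); it returns both verdicts.
func demo() (legitOK, selfSignedOK bool) {
	ca, caKey := mkCert("Constructed Public CA", x509.KeyUsageCertSign, nil, nil)
	legit, _ := mkCert("bank.example", x509.KeyUsageDigitalSignature, ca, caKey)
	selfSigned, _ := mkCert("bank.example", x509.KeyUsageDigitalSignature, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return verifyUpstream(legit, "bank.example", roots) == nil, verifyUpstream(selfSigned, "bank.example", roots) == nil
}

func main() { fmt.Println(demo()) } // prints: true false
```

A proxy that re-signs only when verifyUpstream returns nil would hand the browser a certificate for the self-signed case no more than the browser would accept on its own.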

PrivDog is bundled with some products from Comodo, like Comodo Internet Security as well as its Chromodo, Dragon and IceDragon browsers. However, it seems that these products include PrivDog version 2, which lacks the HTTPS proxy functionality, and thus does not expose users to man-in-the-middle attacks.

The PrivDog version that exposes users to man-in-the-middle attacks is version 3, which is available to download as a stand-alone application and which supports a large number of browsers, including Google Chrome, Mozilla Firefox and Internet Explorer, according to security researcher Filippo Valsorda, whose online HTTPS test was updated to account for it.

Comodo and Adtrustmedia did not immediately respond to a request for comment.

"As long as people use this practice of 'breaking the chain of trust' there are bound to be some who implement it utterly wrong," said Amichai Shulman, CTO of security firm Imperva, via email. "Superfish's mistake was using the same root certificate across all deployments. PrivDog's mistake is not validating certificates at all."

Some people believe that the PrivDog vulnerability is even worse than the one introduced by Superfish.

"By comparison, the Superfish 'man-in-the-middle' process at least requires the name of the targeted website to be inserted into the certificate's alternate name field," said Mark James, a security specialist at antivirus firm ESET. "Although Superfish allows the possibility of massive exploitation with this flaw, it is still marginally better than what PrivDog is doing."

However, it's not just Superfish or PrivDog that open such security holes on computers. Researchers determined that the Superfish vulnerability was actually in a third-party software development kit from a company called Komodia. The same SDK is used in other products as well, including parental control applications, VPN clients and software from a security vendor called Lavasoft.
