SSL-busting adware: US cyber-plod open fire on Comodo's PrivDog

Status
Not open for further replies.

Tony Cole

Level 27
Thread author
Verified
May 11, 2014
1,639
SSL-busting adware: US cyber-plod open fire on Comodo's PrivDog:

Updated: The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog.

What is PrivDog? Let's allow the US Computer Emergency Readiness Team (US-CERT) to describe it in this security advisory:

Adtrustmedia PrivDog is a Windows application that advertises "... safer, faster and more private web browsing." Privdog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 3.0.96.0 is affected.

Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.

Essentially, Comodo's firewall and antivirus package, Internet Security 2014, installs a tool called PrivDog by default. Some versions of this tool intercept encrypted HTTPS traffic to force ads into webpages.

PrivDog, like the Lenovo-embarrassing Superfish, does this using a man-in-the-middle attack: it installs a custom root CA certificate on the Windows PC, and then intercepts connections to websites. Web browsers are fooled into thinking they are talking to legit websites, such as online banks and secure webmail, when in fact they are being tampered with by PrivDog so it can inject adverts.

If that's not bad enough, PrivDog turns invalid HTTPS certificates on the web into valid ones: an attacker on your network can point your computer at an evil password-stealing website dressed up as your online bank, and you'd be none the wiser thanks to PrivDog.

The US CERT adds:

An attacker can spoof HTTPS sites and intercept HTTPS traffic without triggering browser certificate warnings in affected systems.

Your best bet is to uninstall PrivDog.

PrivDog published a security advisory, characterizing the whole issue as low in severity and promising an update on Monday afternoon. Comodo downplayed the issue as "minor" in a statement to El Reg, and claimed it never shipped the SSL-meddling build of the code:

The PrivDog version being questioned has never been distributed by Comodo. This potential issue is only present in PrivDog versions 3.0.96.0 and 3.0.97.0. This potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers. There are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The PrivDog team has released an advisory with more information, available here.

Comodo itself is a certificate authority whose job ought to be to protect HTTPS, something critics argue PrivDog undermines. It’s all a bit of a puzzler.

Wag the dog

PrivDog stopped being a browser extension back in December with the release of version 3 of the technology. Several antivirus firms have flagged it as malicious since then. That’s in sharp contrast with Comodo chief exec Melih Abdulhayoglu's praise for the technology as a superior advert blocker and boon for privacy.

The software is designed to guard against malicious advertising. Third-party security firms remain unimpressed.

Amichai Shulman, CTO at Imperva, commented: “As long as people use this practice of 'breaking the chain of trust' there are bound to be some who implement it utterly wrong. PrivDog’s mistake is not validating certificates at all. This practice is going to face practical implementation challenges going forward because of certificate pinning.”

Mark James, a security specialist at ESET, added: “The standalone version of PrivDog, when installed, creates [a root SSL] certificate, and it will intercept every certificate it finds and then replace it with one signed by its root key. This enables it to replace adverts in web pages with its own ads from ‘trusted sources’.”

“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless of whether it’s been signed by a certificate authority or not,” he added.
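The trust decision described in the US-CERT note above (and in Mark James's quote) can be shown in a few dozen lines. The following is an added example written for this thread; it is not PrivDog's, NetFilter SDK's or Comodo's code. It models an interception proxy that installs its own root in the browser and re-signs every site's leaf certificate, so the browser only ever validates the proxy's leaf. Whether the user is protected then depends entirely on whether the proxy validated the upstream certificate first. Certificate signatures are modelled with HMAC over a per-CA secret (a stand-in for real X.509 signatures so the example runs offline with the standard library), and the CA names, host names and secrets are all constructed.

```python
"""Trust-decision model for an HTTPS-intercepting proxy.

Added example, not PrivDog's or NetFilter SDK's code. Signatures are
modelled with HMAC over a per-CA secret as a stand-in for real X.509
signatures; every CA name, host name and secret below is constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # hostname the certificate claims
    issuer: str    # name of the CA that signed it
    sig: bytes     # issuer's signature over (subject, issuer), modelled with HMAC


class CA:
    """A certificate authority holding a secret it uses to 'sign' leaves."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name = name
        self._secret = secret

    def _sign(self, subject: str, issuer: str) -> bytes:
        return hmac.new(self._secret, f"{subject}|{issuer}".encode(),
                        hashlib.sha256).digest()

    def issue(self, subject: str) -> Cert:
        return Cert(subject, self.name, self._sign(subject, self.name))

    def verify(self, cert: Cert) -> bool:
        return cert.issuer == self.name and hmac.compare_digest(
            cert.sig, self._sign(cert.subject, cert.issuer))


class UpstreamValidationError(Exception):
    """Raised by the hardened proxy when the real site's certificate is bad."""


def validate(cert: Cert, hostname: str, trust_store: dict) -> bool:
    """What a browser (or a careful proxy) does: find a trusted issuer,
    check the signature, and check the name matches the host."""
    ca = trust_store.get(cert.issuer)
    return ca is not None and ca.verify(cert) and cert.subject == hostname


def vulnerable_proxy(upstream_cert: Cert, hostname: str, local_root: CA) -> Cert:
    """Behaviour US-CERT describes: the upstream certificate is never checked;
    a fresh leaf signed by the locally installed root is handed to the browser
    no matter what the network presented."""
    del upstream_cert  # deliberately ignored: this is the bug
    return local_root.issue(hostname)


def hardened_proxy(upstream_cert: Cert, hostname: str, local_root: CA,
                   public_roots: dict) -> Cert:
    """Same re-signing design, but the upstream certificate must validate
    against the public roots first; otherwise fail closed so the browser
    never receives a valid-looking leaf for a spoofed site."""
    if not validate(upstream_cert, hostname, public_roots):
        raise UpstreamValidationError(
            f"upstream certificate for {hostname} did not validate")
    return local_root.issue(hostname)


def demo() -> dict:
    """Run both proxies against a genuine bank and a spoofed one and return
    whether the browser would accept the connection in each case."""
    public_ca = CA("PublicRootCA", b"public-root-secret")            # constructed
    proxy_root = CA("InterceptingProxyRoot", b"per-install-secret")  # constructed
    attacker = CA("AttackerCA", b"attacker-secret")                  # constructed

    public_roots = {public_ca.name: public_ca}
    # The browser trusts the public roots plus the root the proxy installed.
    browser_store = {**public_roots, proxy_root.name: proxy_root}

    host = "bank.example"
    genuine = public_ca.issue(host)   # what the real bank presents
    spoofed = attacker.issue(host)    # what an on-path attacker presents

    results = {}
    results["genuine_via_vulnerable"] = validate(
        vulnerable_proxy(genuine, host, proxy_root), host, browser_store)
    results["spoofed_via_vulnerable"] = validate(
        vulnerable_proxy(spoofed, host, proxy_root), host, browser_store)
    results["genuine_via_hardened"] = validate(
        hardened_proxy(genuine, host, proxy_root, public_roots), host, browser_store)
    try:
        hardened_proxy(spoofed, host, proxy_root, public_roots)
        results["spoofed_via_hardened"] = True
    except UpstreamValidationError:
        results["spoofed_via_hardened"] = False
    # With no proxy at all, the browser rejects the spoofed certificate itself.
    results["spoofed_no_proxy"] = validate(spoofed, host, browser_store)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} browser accepts: {accepted}")
```

The point the model makes: the browser's own validation is correct in every case, but once a local root is installed it is validating the proxy's leaf, not the site's. The vulnerable path turns the attacker's self-signed certificate into one the browser trusts; the hardened path keeps the same ad-injection design and still refuses. A real proxy would of course use X.509 chains and the platform's verifier rather than the HMAC stand-in here.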
 

Tony Cole

Thread author
May 11, 2014
It's truly amazing: if the US Government praised the product for its excellent protection (yeah right), Melih would take full credit for his excellent work, bringing security to everyone, and for free! Yet Comodo states only 57,568 people globally are affected. Would he refund them if their bank accounts were wiped out? No!
 

Tony Cole

Thread author
May 11, 2014
Well, when the US Government informs the entire nation that a product that is supposed to protect you opens up the ability for a hacker to direct you to a fake bank website, where they could hack your account, who is going to trust that? I would not! But you will have the Comodo fanboys declaring their allegiance to the all-mighty Melih.
 
