Subject: General Tech | February 25, 2015 - 12:36 PM | Jeremy Hellstrom
Tagged: SSL, security, PrivDog, idiots, fud, Comodo
This has been a bad week for the secure socket layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use as they have, until now, had a stirling reputation and were a trusted provider. It turns out that this reputation may not be deserved seeing as how their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate which intercepts connections to websites to be able to insert customized ads like SuperFish does it can also turn invalid HTTPS certificates into valid ones. That means that an attacker can use PrivDog to spoof your banks SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.
The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 18.104.22.168 and 22.214.171.124 and so has limited distribution. The fact that this indicates the entire SSL certificate model is broken and even those who create the certs to assure your security feel that inserting a man in the middle attack into their software does not contravene their entire reason for existing is incredibly depressing.
Update: The Register's article was originally based on research from Hanno Bock who referred to PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog only the browser extension application which was never vulnerable to the TLS interception.
"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.
Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."
Here is some more Tech News from around the web:
- AMD previews Carrizo APU, offers insights into power savings @ The Tech Report
- Amazon tries to patent 3D printers on trucks @ The Register
- Mozilla Firefox 36 is second major browser to bring HTTP/2 @ The Inquirer
- Samb-AAAHH! Scary remote execution vuln spotted in Windows-Linux interop code @ The Register
- JEDEC publishes eMMC 5.1 standard @ DigiTimes
- Red Hat: Traditional virtualisation isn't going anywhere @ The Inquirer
Subject: General Tech | August 8, 2011 - 01:48 PM | Jeremy Hellstrom
Tagged: SSL, black hat 2011, CA, Comodo
While the boys were having fun at an event in Texas, TechwareLabs were at a show of a completely different colour. Black Hat 2011, the yearly computer security convention was also taking place in Las Vegas, bringing to light the discoveries of the past year when it comes to vulnerabilities and how to protect yourself against them. One of the topics for discussion was how the Secure Socket Layer works, by assuming that a Trusted Authority is behind a security certificate which requires them to provide a secure connection between yourself and their servers. Over the past year we saw a hack at Comodo, who are a major Certificate Authority, which lead to nefarious people getting their hands on certificates assigned to Microsoft, Yahoo and Google, which allowed them to easily fool even a computer using SSL.
Taking that as an example of the failure of the idea of single, large CAs as the way to implement SSL. If you were to no longer trust Comodo and its certificates then about 1/4 of the secure sites on the net would never allow you to connect. Instead a programmer detailed a FireFox extension called Convergence as an alternative. This distributed way of dealing with Certificate authentication would allow you to switch between trusting and untrusting certain CAs without damaging your ability to connect to secure sites on the web.
"This interesting presentation concerns a security protocol that you probably use everyday. It is in your browser, on the server you connect to, and bought together by a “Certificate Authority”. The idea behind SSL is to provide a secure connection between you, the client browser, and the server providing the sensitive data to you. For instance a Bank website is designed to provide the client with convenient access to account details, transactions, etc. But there is a major issue with a pivotal player in this process. The Certificate Authority or CA is charged with certifying the organizations to which it provides certificates. The CA is supposed to be a trustworthy entity working on behalf of us, the end users, to ensure that any organization it issues a certificate to is credible and trustworthy. After all many users depend on the CA’s, SSL protocol, and issued certificates to enforce authentication and integrity in the online space. You have little choice but to trust the CAs and expect them to provide a high quality level of authentication services."
Here is some more Tech News from around the web:
- AMD releases an SDK for its Llano chips @ The Inquirer
- Some thoughts on Mac OS X Lion @ The Tech Report
- Beginners Guide to Installing Windows 7 @ MissingRemote
- Monitor makers poised to adopt IPS technology @ DigiTimes
- Trendnet TV-IP121WN @ Hardware Bistro
- One month with Google+: why this social network has legs @ Ars Technica
- Cyberlink YouCam 5 Webcam Software Review @ Hardware Canucks
- Top Ten Green Tips for Your PC @ TechwareLabs
- The TR Podcast 93: A trifecta of tablets
- Last chance - Weekly Giveaway #9: Dirt 3 @ eTeknix
- Summer Icy Dock Giveaway @Hi Tech Legion
- ThinkComputers & NZXT Back to School Giveaway!