Wednesday, February 25, 2015

PrivDog: Software undermines HTTPS security – Golem.de




http://www.golem.de/news/privdog-software-hebelt-https-sicherheit-aus-1502-112534.html Published: 23/02/2015 10:59




Like Superfish, the PrivDog software completely undermines the protection of HTTPS. The spicy part: PrivDog was advertised by Comodo, one of the largest certificate authorities issuing TLS certificates.

Comodo has apparently advertised a piece of software that, like Superfish, tears a huge security hole in HTTPS encryption. Officially, PrivDog's purpose is to replace advertising on web pages with "trusted advertising". This is supposed to protect the user's privacy.

Like Superfish, which made headlines in recent days after being found pre-installed on Lenovo laptops, PrivDog hooks into a user's TLS data stream in order to manipulate encrypted HTTPS sites. To do this, it installs a root certificate in the operating system. However, this is implemented differently than in Superfish.

Any certificate authority is accepted

Whereas Superfish used the same certificate and the same private key on every device, PrivDog is smarter here: a new certificate is created on each installation. The whole thing is nonetheless insecure, because PrivDog also replaces certificates that are not valid. They can be signed by any certificate authority whatsoever, including a self-generated one. Anyone who has installed PrivDog can therefore be led to websites with forged certificates and notices nothing.

PrivDog shows a very strange behaviour when surfing to websites whose certificate is self-signed. These certificates are replaced by likewise self-signed certificates, which are automatically installed in the operating system's root certificate store as well. These certificates also have an RSA key of only 512 bits, which is completely insecure. The normal certificates PrivDog delivers contain 1024-bit RSA keys, which is also considered problematic. However, the key lengths are the least of PrivDog's problems, because the whole technique is completely insecure anyway.
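The two sides of the problem described above, as an added Python example that is not from the article or from PrivDog: the upstream TLS context a certificate-rewriting proxy must use (beside the PrivDog-equivalent weak one that accepts any upstream certificate), and a client-side check over the certificate actually presented to this machine that flags an unexpected issuer or a self-signed leaf. The expected issuer CN, the hostname and the sample certificate are constructed assumptions.

```python
import socket
import ssl

# Constructed sample in ssl.getpeercert() shape: a self-signed leaf for
# "example.test", as PrivDog presented for self-signed sites.
SAMPLE_RESIGNED = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("commonName", "example.test"),),),
}

def weak_upstream_context():
    # PrivDog-equivalent: accepts any upstream certificate. For contrast only.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_upstream_context():
    # Upstream side of an interception proxy done correctly: chain verified
    # against the trust store, hostname checked, old protocol versions refused.
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def rdn_value(name, attr_name):
    # getpeercert() names are a tuple of RDNs, each a tuple of (attr, value).
    for rdn in name:
        for attr, value in rdn:
            if attr == attr_name:
                return value
    return None

def interception_indicators(cert, expected_issuer_cn):
    # Reasons the certificate the client received looks locally re-signed:
    # the issuer is not the public CA expected, or the leaf is self-signed.
    reasons = []
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        reasons.append("issuer CN %r, expected %r" % (issuer_cn, expected_issuer_cn))
    if cert.get("issuer") == cert.get("subject"):
        reasons.append("leaf certificate is self-signed")
    return reasons

def presented_certificate(host, port=443):
    # Certificate a client here actually receives; with a local interception
    # root in the OS store the handshake succeeds and the issuer names the proxy.
    ctx = hardened_upstream_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `interception_indicators(presented_certificate("your-site.example"), "<expected CA CN>")` on a machine suspected of carrying an interception root; a non-empty list means the chain the browser sees was not issued by the public CA.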

Comodo sells TLS certificates and undermines their security

PrivDog was advertised on Comodo's website. There are apparently several staff overlaps between Comodo and PrivDog: Comodo CEO Melih Abdulhayoglu co-founded the PrivDog company. An earlier version of PrivDog was shipped with various Comodo products, but that version works differently and is not affected by the problem.

The spicy part: Comodo is one of the largest certificate authorities on the Internet. About a third of all certificates for HTTPS pages come directly or indirectly from Comodo. A company that is supposed to provide for the security of HTTPS is advertising a product that undermines that very security.

This is not the first time Comodo has made negative headlines. In 2011 there were several break-ins at Comodo partners, and a number of forged certificates indirectly signed by Comodo appeared. In the past, Comodo has also installed unsolicited toolbars along with its software.

PrivDog's security problems were discovered last night, and the author of this article was involved. Various people who were busy analysing Superfish and similar products had gathered in an IRC chat. One participant pointed to a thread on Hacker News in which a user reported that Filippo Valsorda's Superfish test was showing a warning. An analysis quickly showed that PrivDog does not use the Komodia technology that was the problem with Superfish, but that PrivDog has a different, separately introduced security problem. An English summary can be found on the article author's blog.

Update of 25 February 2015, 14:14

In the original version of this article we wrote that PrivDog was shipped by Comodo. That was true, but the version shipped by Comodo is not affected by the security problem in question. We have changed the wording accordingly to make this clear. PrivDog has now published an advisory and an update. (hab)


Related items:
Superfish: The adware empire of Komodia
(22.02.2015 16:30, http://www.golem.de/news/superfish-das-adware-imperium-von-komodia-1502-112521.html)
HTTPS certificates: Key pinning protects against malicious certificate authorities
(14.10.2014 10:26, http://www.golem.de/news/https-zertifikate-key-pinning-schuetzt-vor-boesartigen-zertifizierungsstellen-1410-109799.html)
Mozilla Firefox 36 can do HTTP/2
(24.02.2015 16:39, http://www.golem.de/news/mozilla-firefox-36-kann-http-2-1502-112509.html)
Adware: Superfish boss denies security risk
(21.02.2015 09:13, http://www.golem.de/news/adware-superfish-chef-bestreitet-sicherheitsrisiko-1502-112517.html)
Update: New Fritzbox firmware determines the best LTE network
(20.02.2015 15:06, http://www.golem.de/news/update-neue-fritzbox-firmware-determined-best-lte-network-1502-112508.html)



