Komodia superfish and Privdog vulnerability "ssl hijacker" [merged]

[kitmub]

i just seen this

http://arstechnica.com/security/2015/02/ssl-hijacker-behind-superfish-debacle-imperils-big-number-of-users/


i also have a question about it as it say it has a ssl certificate im not sure if its is but i just removed one entry in the trusted vendors just because of the name i dont know if its that certificate

[Melih]

https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops

[Sanya IV Litvyak]

https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops

I wrote a longer thing in the latest privdog release topic but I'll ask the general question here since you've shown your presence here: How is PrivDog different than this? PrivDog also messes with the certificates in much the same way, what makes PrivDog any more secure?

[Melih]

I wrote a longer thing in the latest privdog release topic but I'll ask the general question here since you've shown your presence here: How is PrivDog different than this? PrivDog also messes with the certificates in much the same way, what makes PrivDog any more secure?

Please read what the problem is exactly.

There are many legitimate uses of local proxy that many antivirus and content filtering vendors use, otherwise how could you check for viruses in an HTTPS session?

The problem is not local proxy, but the way it was done. I would recommend you read the EFF article in detail to fully understand the issue.

thanks
Melih

[Sanya IV Litvyak]

The problem is not local proxy, but the way it was done. I would recommend you read the EFF article in detail to fully understand the issue.
Melih

I have read the EFF article in detail, the issue as I understand it is that SuperFish injected its own root certificate and used the same certificate for all the MITM attacks, hence if you get the private key for that certificate, then you can decrypt all traffic, now I'm asking how PrivDog is different because I don't know how to actually check it.

Is PrivDog doing something differently to make these kinds of attacks harder? In that case what does it do differently?

There are many legitimate uses of local proxy that many antivirus and content filtering vendors use, otherwise how could you check for viruses in an HTTPS session?

For browsers, which is what PrivDog filters, you can use browser extensions, which you used to do (but stopped since Chrome started blocking extensions outside of the web store)

The EFF article also says:

Using a MITM certificate to inject ads was an amateurish design choice by Superfish.3

3 A safer (but still risky) alternative would be for Superfish to implement its ad-injecting functionality using a browser extension.

Also, what viruses does PrivDog check for?

Also when using PrivDog I don't see the certificate that the site in question uses, I only see the PrivDog certificate, how can I then know that the certificate between PrivDog and the site in question is the real one and not a fake one? I can't, I'd have to rely on PrivDog picking that up, does PrivDog do that?

[Melih]

I have read the EFF article in detail, the issue as I understand it is that SuperFish injected its own root certificate and used the same certificate for all the MITM attacks, hence if you get the private key for that certificate, then you can decrypt all traffic, now I'm asking how PrivDog is different because I don't know how to actually check it.

Is PrivDog doing something differently to make these kinds of attacks harder? In that case what does it do differently?
For browsers, which is what PrivDog filters, you can use browser extensions, which you used to do (but stopped since Chrome started blocking extensions outside of the web store)

The EFF article also says:
Also, what viruses does PrivDog check for?

Also when using PrivDog I don't see the certificate that the site in question uses, I only see the PrivDog certificate, how can I then know that the certificate between PrivDog and the site in question is the real one and not a fake one? I can't, I'd have to rely on PrivDog picking that up, does PrivDog do that?

Privdog is not susceptible to vulnerabilities mentioned. Because it doesn't do what is described in the article, therefore it is not vulnerable to those vulnerabilities.

Privdog uses www.webinspector.com like infrastructure to check websites.

[Sanya IV Litvyak]

Privdog is not susceptible to vulnerabilities mentioned. Because it doesn't do what is described in the article, therefore it is not vulnerable to those vulnerabilities.

Privdog uses www.webinspector.com like infrastructure to check websites.

I don't know how the webinspector you linked actually works, but for example lets say there is a website https://secure.bank.com which has the certificate for secure.bank.com signed by Comodo, if I install PrivDog on my PC then it won't show me the secure.bank.com certificate signed by Comodo but rather a *.bank.com certificate signed by PrivDog, is this not the same thing? How is it different? (Also, sites like Comodo with EV certificates will now only show basic certificates (can't remember what they're called))

Edit: To avoid any misunderstandings, can you point out exactly what the vulnerability was for SuperFish that isn't in PrivDog? Want to make sure I understand the right thing to be the vulnerability.

[Melih]

I don't know how the webinspector you linked actually works, but for example lets say there is a website https://secure.bank.com which has the certificate for secure.bank.com signed by Comodo, if I install PrivDog on my PC then it won't show me the secure.bank.com certificate signed by Comodo but rather a *.bank.com certificate signed by PrivDog, is this not the same thing? How is it different? (Also, sites like Comodo with EV certificates will now only show basic certificates (can't remember what they're called))

webinspector.com is about sites that are infected or carry an infection...for example go to  https://app.webinspector.com/recent_detections

and click on reports to see how we categorize the threats.

[Sanya IV Litvyak]

webinspector.com is about sites that are infected or carry an infection...for example go to  https://app.webinspector.com/recent_detections

and click on reports to see how we categorize the threats.

Okay, but I don't understand how that is relevant to the ways PrivDog intercepts HTTPS traffic?

[Melih]

Also, what viruses does PrivDog check for?

You asked me!

[Sanya IV Litvyak]

You asked me!

Sorry, I misunderstood what we were talking about, I thought we were talking about the way PrivDog intercepts the https traffic which I haven't really learned anything more about than before the discussion..

I still don't understand how PrivDog intercepts the traffic any differently than SuperFish and so far you've seemed to be reluctant of explaining that part and seem to focus on the issues around it instead as if to distract from that one issue, or perhaps you feel you've already explained it and I simply don't understand it, who knows.

If you want me to I can drop the issue, but I won't change my mind about PrivDog being potentially risky to use until I see an actual explanation of why it isn't, and I won't use it personally as I want to see the actual certificate the site is using.

[Melih]

Sorry, I misunderstood what we were talking about, I thought we were talking about the way PrivDog intercepts the https traffic which I haven't really learned anything more about than before the discussion..

I still don't understand how PrivDog intercepts the traffic any differently than SuperFish and so far you've seemed to be reluctant of explaining that part and seem to focus on the issues around it instead as if to distract from that one issue, or perhaps you feel you've already explained it and I simply don't understand it, who knows.

If you want me to I can drop the issue, but I won't change my mind about PrivDog being potentially risky to use until I see an actual explanation of why it isn't, and I won't use it personally as I want to see the actual certificate the site is using.

it work in the same way as likes of Kaspersky intercepting or other AV products. Its no different.

short of giving you a flowchart etc which are all propriety IP, I don't understand what you are asking. I just googled and found this  http://forum.kaspersky.com/lofiversion/index.php/t317070.html   hope this explains it bit better for you... You can always use google to search these kind of stuff too.

[Sanya IV Litvyak]

it work in the same way as likes of Kaspersky intercepting or other AV products. Its no different.

short of giving you a flowchart etc which are all propriety IP, I don't understand what you are asking. I just googled and found this  http://forum.kaspersky.com/lofiversion/index.php/t317070.html   hope this explains it bit better for you... You can always use google to search these kind of stuff too.

So the big difference is that PrivDog uses unique certificates rather than a single one for all installations (?) as well as not keeping a copy of the private key right there for anyone to see (?)

Have I understood that correctly now?

[Melih]

So the big difference is that PrivDog uses unique certificates rather than a single one for all installations (?) as well as not keeping a copy of the private key right there for anyone to see (?)

Have I understood that correctly now?

that is why superfish was problematic. Yes you are understanding this right. Of course there are many other security features built in but this is the biggest problem that caused superfish to be removed.

[shriganesh]

Why does privdog behaves like the way it does? Why does it have to reduce our security and privacy all while advertising that it's claiming to do the opposite?

https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html

I am becoming more and more weary of the trusted Comodo name.

Privdog intercepts all HTTPS connections & certificate and replace it with it's own signed certificate signed by its root key.