Worse than Superfish? Comodo-affiliated PrivDog compromises web security too.
This is similar to the problem in Avast with its new HTTPS scanning feature. Avast installs a cert in your local cert store (on Windows, run certmgr.msc) use in the MITM (man-in-the-middle) interception. It was shown that this setup in Avast made users susceptible to FREAK attacks. If the users had connected directly using their web browsers then they were safe.
So which cert does Comodo add into the user’s local cert store to use with PrivDog? I fully intend to get rid of PrivDog but want to make sure its cert is also deleted. As soon as I saw how PrivDog works (in conjunction with Adtrustmedia validating which ads are “good” - much like how Adblock Plus decided to default to enabling their “good ads” option), that was when I decided it wasn’t anything I wanted. Comodo makes it sound good but it’s something of a middling solution to the massive proliferation of ad content into web pages to the point where there are more ads than content.
According to the article, users that got version 2 of PrivDog are safe but not if they got version 3. Well, eventually users would probably end up “upgrading” to a later version. What, um, blocking this does is not what I want so I’m going to remove it which also eliminates the possibility of getting stuck later with version 3. I’m not interesting in having a pro-ad company decide which ads are good for me even if there is a v3 update that is considered safe. Eliminating one problem doesn’t solve the other. PrivDog is NOT the type of adblocking that I want.
After disabling PrivDog and deleting it as an extension on Chromodo, what else do I have to remove? That is, what’s the remnant registry and file cleanup that I need to do? Plus which cert did they stick into my local cert store that I need to delete?
Hi VanguardLH,
If you didn’t install PrivDog separately and only had the browser extension that came with the browser, this version was not affected by the mentioned issue.
Thanks for the heads up that the plug-in didn’t have the vulnerability.
I’ll still be uninstalling the plug-in since how it functions to decide what ads to deliver is still flawed per my policy of what ads I allow. If a site proffers their own ads then that is okay. Visiting a university site that wants to show ads about their curriculum, special events hosted there, fund raisers, student activities, and such is okay. They’re advertising their stuff. A site that funnels ads into their domain so the source of the ads originates from their domain are okay, too. In those cases, they have to provide the bandwidth. However, most ads are off-domain. I prefer how Internet Explorer uses TPLs (tracking protection lists): 3rd party content matching the blocking string are blocked but not content from the same domain. I have IE subscribe to the EasyList, EasyPrivacy list, Fanboy list, and Google blocking list. Blocks using TPLs only affect other-sourced content than the site that I choose to visit. I’m also not interested in seeing so-called “good” ads that some pro-advertising group wants me to see after their review of which are good and bad ads. This is very similar to folks that use Adblocker Plus and then subscribe to the PrivacyChoice list (or is it the TrustE list or maybe both) which is not a block list but an unblock list: adding those subscriptions will result in unblocking sites that the other lists will block. PrivacyChoice/TrustE and PrivDog (using AdTrust) look to do the same: filter in the ads they say are good (but PrivDog also filters out the ads they say are bad). Filtering out BOTH eliminates the rude behaviors at many sites. I choose to visit a site and only THEIR ads are acceptable to me. Yes, it’s their site so they can do what they want. Yes, it’s my computer so I decide what I see. When I get a book, there’s nothing to compel me to read the inside book cover’s blurb, the Table of Contents, Forward, Preamble or Preface, Acknowledgments, Prologue, Index, References, Glossary, Bibliography, or Afterword. It’s their book but it’s still my choice what I read. I get magazines but that doesn’t mean I have to read those damn loose insert ads that don’t fall out during mailing until you open the magazine. I shake them out over the recycle bin. Same for any off-domain ads in a web page: I use TPLs to shake them out before reading.
Wouldn’t PrivDog still need a certificate put into my local certificate store to perform its HTTPS inspection (i.e., the MITM interception)? If so, how do I identify that cert when I look at my local cert store (certmgr.msc)? Nothing is obvious me as to which cert is for PrivDog. There are some Comodo certs (some of which are expired but still in my local cert store) but those don’t have attributes with text identifying they are for use by PrivDog.
The extension version of PD, v2, does not use the MITM technique. It works in the browser. The browser decrypts the connection and then PD filters the traffic handled by the browser; hence why the man in the middle is not necessary,
PD v3 is network filter that works at driver level, that’s why the man in the middle is needed. There is no browser to decrypt the traffic.
Ah, I forgot that extensions can get the traffic that is already decrypted by the web browser. They work inside, not outside. Thanks for the reminder, and thanks for the info that no cert is required.