Komodia superfish and Privdog vulnerability "ssl hijacker" [merged]

When I tested PrivDog, CD would alert me about ALL sites because they weren’t using the real certificate but rather the PrivDog cert…

Haven’t tested with self-signed sites.

Edit: Did you do test on a single browser or different ones? During my time with PrivDog it acted differently for different browsers.

I have merged two topics.

When reading, carefully read the title of the posts to see what topic is being read. The first part is highly informative about the underlying technology.

Here is the advisory from the PrivDog team:

http://privdog.com/advisory.html

Hanno has been kind enough to edit his original post as more details were revealed. Below is the latest one, including removing the name of Comodo from the URL etc.
https://blog.hboeck.de/archives/865-Adware-Privdog-worse-than-Superfish.html

Why are moderators constantly changing the name of this “hijack-mitm-security flaw” thread, making it hard to find for someone new?
If you're ashamed to be caught with “your fingers in the jar” you shouldn’t have done it in the first place!!
This just shows me (us) that you have bad intentions in mind for your users and that privacy is a joke to you…
Just like these: https://gigaom.com/2015/02/23/beyond-superfish-turns-out-ssl-trashing-spyware-is-widespread/

Hi Melih,

Just installed PrivDog 3.0.105.0 on Windows 7 32-bit Pro.

Tried the sites that you have listed and it is IceDragon that is giving the ‘Untrusted’ warning and not PrivDog! Is this right?

Screenshots attached

[attachment deleted by admin]

On Monday, PrivDog issued a statement reiterating what Ars already reported, that the vulnerability resides in the stand-alone version only. Fewer than 58,000 users are affected. Remarkably, PrivDog rated the threat as “low.” That seems to be a massive understatement, given the harm that can be done, no matter how many users are affected. Readers with either Lavasoft Ad-aware Web Companion or the stand-alone version of PrivDog should err on the side of caution and uninstall both the app and the underlying root certificate as soon as possible.

The one issue they noted for PrivDog:

Valsorda told Ars that the stand-alone version of PrivDog will cause most browsers to trust any self-signed certificate, a breath-taking vulnerability that leaves users wide open to easily executed man-in-the-middle attacks that completely bypass HTTPS protections.

Has since been fixed in PrivDog 3.0.105.0.

Yep, this is working… bug is fixed.

I agree with you @SiberLynx
CIS uses ADS; I do not know whether this is a feature or a bug.
As for PrivDog with the issue, they released a quick fix immediately after these media posts, and then they said it is a bug.
I fully lost my trust in Comodo! Even techie guys spread these words: “Do not take certificate from Comodo”… I am really sorry about the situation of Comodo.

So software companies should not have vulnerabilities then?
This is an intermittent bug in a 3rd party library that we fixed within ours and updated.
What would you do differently? How would you have identified this random bug when you bought this library?
I am open to learning and improving.

But I get the same ‘untrusted’ page in IceDragon even without PrivDog installed!!

Confused now…

Guys, I am sure you have been sarcastic, but some would not understand it like that. P.S. In digital life there are always vulnerabilities and bugs, and there are always fixes and updates.

Comodo you are the best, keep going on

That certificate on that site is untrusted, so you should see that certificate on that site as untrusted no matter which browser you look with.

Thank you!

On Threat Post today

I have changed the topic title to be more informative. It now includes Privdog.

No one is saying exactly how an attack could have happened and what the effect would be. Cos they will realise that at the end both scenarios will have “encryption”…

Just curious, would it be able to exploit the PrivDog executable/service? For example read its memory or something to see the contents of the site?

No.

Why don't you ask the people who broke the story what the threat is and how it can be mounted? Let them explain to you step by step how to do it… you will then see the truth…