PrivDog 3.0.0.97 is now released.

I sent a pm to one of Comodo’s network admins.

I have been in contact with the network admin and Comodo is now aware of and working on it.

Thank you EricJH for keeping us all informed of this situation, let’s hope and pray they fix this issue soon, once again thanks for your help and support :-TU

Thank you,
I believe for now these issues are solved so it is possible to update PrivDog to the latest version.
My colleagues will contact you to get more details.

It’s solved when downloading from the Netherlands.

It now works from the UK as well ;D

Can anybody from the USA or other parts of America confirm?

Seems to be working.

To Mods: This is a post primarily on PrivDog and not SuperFish however it relies heavily on information about SuperFish and what’s going on with that, please do not move this to “General Security Questions and Comments” as it’s more relevant to PrivDog, if you feel that it needs a thread of its own then you can move it to one under any of the PrivDog sub-forums. (Of course you can do whatever you please with it, I’m just pointing out what I’m okay with)

So Lenovo has been bundling a software called SuperFish with some of their computers, SuperFish seems to have a different goal than PrivDog but it still uses a similar or the same method of reaching that goal, messing with the certificates. It was at that point theorized that people could abuse this to create a man-in-the-middle attack and then read and modify encrypted webpages as seen fit, and it has now been confirmed.

Now I realize that you may read that and go “Why are you posting this here and not in the part for other security related stuffs?” Well it’s because I’m not interested in talking about the SuperFish issue exclusively, but rather how it’s similar to PrivDog, what makes PrivDog different? What stops PrivDog from being abused in the same way? What chance can PrivDog honestly have when people seriously don’t trust software that messes with the certificates in the same way that PrivDog and SuperFish do? I’m afraid that, if PrivDog would get wider coverage and would be a “well-known” software, then it would probably be seen as adware/riskware and users would be recommended to stay away from it and it would reflect badly on Comodo.

Besides that, PrivDog moved from extension to stand-alone application because Chrome closed the doors to extensions not from its web store, but what when they stop these man-in-the-middle attacks on the browsers from working? What then? An even more invasive method?

When I first realized that PrivDog messes with the certificates, I claimed it’s a potential security risk, I wasn’t able to back that up but now when the similar program SuperFish has been successfully abused to create a MITM attack, I must ask how PrivDog is any more secure? What stops similar attacks on PrivDog? Also, how do you see the future of PrivDog when the method it currently uses to read and modify the encrypted sites is closed?

I apologize if this post seems too negative, but in my personal opinion the way PrivDog deals with encrypted traffic is just plain wrong and at the least Comodo should explain why PrivDog wouldn’t be vulnerable to the same attacks as SuperFish was because currently I can only see PrivDog as a real Riskware.

I also want to point out one huge difference between PrivDog and SuperFish, SuperFish was pre-loaded on some Lenovo computers where PrivDog is not, from what I can tell the stand-alone PrivDog can only be downloaded by itself so far and is not bundled with other software, so there’s no risk that users accidentally install it, but if this stand-alone version of PrivDog makes it into CIS then… well… I mean, personally I wouldn’t think that to be a good idea.

Perhaps I’m just overly-concerned about this, and overly-obsessed with certificates not being messed with, perhaps it’s a non-issue, but in the light of SuperFish I believe that Comodo should at least look at what they are doing and consider if it’s a good idea, they should also look into if their method is vulnerable to the same abuse as the method SuperFish used was, and then communicate the results to users here.

I want to see PrivDog be successful, but this doesn’t seem like the right way to do it in my opinion, but at the same time I don’t know what else they can do to get a working product without it being an extension.

… I probably repeated myself many times there, I apologize for that.

Edit: And a post on the SuperFish issue by EFF.

The approach PD has taken is, according to Shane, the same as other AV vendors do:

We use the same approach many AVs have taken. On install we generate a root certificate with random keys and install it into the local certificate store. We then generate a certificate on-the-fly for each web site visited and pass our certificate back to the browser. We then have a man-in-the-middle allowing the software to decrypt and re-encrypt.

This technology can be abused like any technology can be abused. For me the problem boils down to two questions. Do I trust the Vendor? The second question is did I get an untouched copy (signature check)?
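
A way to check both points on a Windows machine, as an added example that is not part of the thread and is not PrivDog or Comodo code: it lists trusted roots that look locally generated and checks an installer's Authenticode signature. The function names, the 90-day window and the installer path are assumptions, and both flags are heuristics, since a product may keep its private key outside the Windows certificate store.

```powershell
# Added example. Heuristics only (assumptions, not PrivDog specifics):
#  - a root generated at install time has a recent NotBefore date
#  - an interception product may keep the root's private key in the Windows store
function Find-LocalInterceptionRoot {
    param(
        # Flag roots whose validity starts on or after this date.
        [datetime]$Since = (Get-Date).AddDays(-90)
    )
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }
            if ($cert.NotBefore -ge $Since) {
                $reasons += "valid from $($cert.NotBefore.ToString('yyyy-MM-dd'))"
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    Reasons    = $reasons -join '; '
                }
            }
        }
    }
}

# "Did I get an untouched copy": verify the installer's Authenticode signature.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status          # 'Valid' means signed and unmodified
        Signer = $signer              # compare with the vendor you expect
        Valid  = ($sig.Status -eq 'Valid')
    }
}

Find-LocalInterceptionRoot | Format-List
# Test-InstallerSignature -Path 'C:\Path\To\installer.exe'   # placeholder path
```

A root flagged here is not necessarily malicious; the output is a list to review against the software you knowingly installed.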

PrivDog 3.0.105.0 is now released.