In case you are wondering what the connection between Comodo and PrivDog is: the CEO and founder of Comodo seems to be behind Privdog as well.
So why is this Superfish all over again? Both products add a root certificate to the user’s computer and both make the user’s computer insecure in the process and are used to earn revenue for the parent company. While they don’t work the same, Privdog is arguably worse in terms of security than Superfish, they have been designed for the same purpose.
The PrivDog that is included with Comodo Dragon and CIS is the Browser Extension that isn’t effected by this at all, it’s only the stand-alone application that is affected, and in order to get the stand-alone PrivDog application on your computer you need to manually install it.
All in this regard means valid and invalid certificates which in turn means that the browser you are using accepts any certificate regardless of whether it is valid or not.
This was fixed in PrivDog 3.0.105.0, released on the same day the article was posted. Huh, so the article became outdated that same day… PrivDog updated their application pretty darn quickly, did the authors update their article to reflect that fact? I think not.
how about just 1 person tell us exactly how the attack can happen?
everyone talking about its bad, its the end of the world…but noone told us exactly how they can comprimise a user’s computer and tell us how easy (or difficult) that is…
The reason why they haven’t is because, to mount that kind of attack is very dificult and there are much easier ways. This attack requires you to take over user’s router locally (yes you have to find their local router)…then poision their DNS… create a fake site…then convince the user to go to that fake site…even when you do that, you will still have encryption…
So whats all this fuss about? The fuss is about, if the hacker was able to find your home…take over your router…identified where you bank…create a fake bank…wait for you to need to go to bank…instead of a self signed certificate showing an alert (which majority ignores according to google, Why do people ignore security warnings when browsing the web? | Data and computer security | The Guardian), you might not see an alert and hence go to this site that shows a “privdog” certificate for this bank.
I have lots of neighbours Wi-fi access points around me and breaking into one of those router is not that hard, nearly everybody is using their ISP default settings. Once inside the router you can poison their DNS changing the settings, creating a fake website is not hard either, you only need basic HTML code, and convincing them to go to the site, it just takes an email, easy to find out sniffing router traffic or looking them up on Facebook, encryption doesn’t matter, the fake site I create will capture the credentials that is the point of creating it.
Basically, Melih, I expected the CEO of a security company to always play the security paranoid card and not try to minimize what is a serious security risk.
Sanya on the other hand made a good post pointing out that the vulnerability had been fixed within hours but the article on that website is not mentioning it.
I also want to point out many home consumer routers aren’t very security minded, or perhaps it’s the ISPs behind them, I don’t know but what I do know is that some Zyxel (I think) modems (modem + router) that was sent out to customers here in Sweden by Bredbandsbolaget had a master password called “kungen” (or similar) which coupled with a web script would allow the attacker access to change settings on the router, if I remember correctly this also let the attackers change the DNS servers.
I believe a similar attack was dug up about the Netgear routers that ComHem sent out, and some Asus routers also had a pretty bad vulnerability that I can’t remember exactly what it did but if I remember correctly these were all holes that could only be exploited from the local network, which is where the web script comes in…
Seriously, consumer routers seem to be like Swiss cheese, personally I’ve blocked the whole local network from connecting to the router on the specific ports, except one isolated computer which only has access to the router and no internet access and no access to other local computers… May be excessive but when you don’t even know if the device in question has a hidden master password, then is it really excessive!?
exactly, i minimize the risk by building products and reacting very quickly and giving it for free. But i do not do scaremongering…there is a big difference…
btw: if you can easily take them to any site, why do you need an ssl? Just do a drive by download and install whatever you want like you said, encryption doesn’t matter…so the problem with ssl won’t matter either…
If you have already have access to their local router and poisioned their dns and you can get the user to go any site by emailing them etc, then victim is in trouble…you don’t need an ssl on top to convince them, like you said, encryption doesn’t matter.
It never was a secret that Melih also owned and founded Adtrust Media the provider of Privdog. A little search by the writer of that blog could have found that. Sloppy journalism and innuendo.
So why is this Superfish all over again? Both products add a root certificate to the user's computer and both make the user's computer insecure in the process and are used to earn revenue for the parent company. While they don't work the same, Privdog is arguably worse in terms of security than Superfish, they have been designed for the same purpose.
exactly…especially knowing that out of 7 billion people in the world only 57000 of them had that particular privdog version and it was fixed within hours and there is no practical attack we know of and theoritical one is simply to onourus to implement and no criminal will do all that unnecessary extra work since there are many other easier ways of infecting the user… Scaremongering as a result of ignorance…
like you said, encryption doesn’t matter…so the problem with ssl won’t matter either…