Slashdot Mirror


Advertising Tool PrivDog Compromises HTTPS Security

itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.

5 of 95 comments

  1. No no! by Sir_Substance · · Score: 1, Insightful

    Don't block advertising, they deserve to earn money from their work!

    Yeah, right...

    1. Re:No no! by garyisabusyguy · · Score: 3, Insightful

      No, no, NO!

      If the NSA does it, it is pure fucking evil

      If a company does it, then it is the free market and you better suck it up

      --
      Wherever You Go, There You Are
  2. Re:Comodo are the biggest Cert issuer by BitZtream · · Score: 5, Insightful

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

    Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

    Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

    Only the ignorant wonder that; just because you do doesn't mean everyone does.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

    You don't have any idea how this system works currently, do you?

    You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

    or ...

    you could just learn what certificate pinning is.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says it's Google and intercepts the traffic.

    The certificate authorities' purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why that's exactly the opposite of an actual solution.

    'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE IT'S TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

    You are proposing nothing new. It's been done, and it's failed repeatedly.

    Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to blackball the certificate authorities that aren't trustworthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
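
The trust-on-first-use versus pinning point argued in the comment above, as an added example that is not part of the original thread: it compares a client that remembers the first key it sees with one that ships a pin in advance. The host name `example.test`, the `PinStore` class and the byte strings standing in for DER public keys are all constructed for illustration.

```python
import base64
import hashlib

HOST = "example.test"  # hypothetical host name
# Constructed stand-ins for DER SubjectPublicKeyInfo bytes (not real keys).
SITE_KEY = b"constructed-spki:site"
PROXY_KEY = b"constructed-spki:interceptor"


def spki_pin(spki_der: bytes) -> str:
    """Base64 of SHA-256 over the public key bytes (RFC 7469 pin form)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


class PinStore:
    """Hypothetical client-side pin store: host -> set of accepted pins."""

    def __init__(self, preloaded=None):
        self.pins = {h: set(p) for h, p in (preloaded or {}).items()}

    def check(self, host: str, spki_der: bytes) -> str:
        pin = spki_pin(spki_der)
        known = self.pins.get(host)
        if known is None:
            # Trust on first use: nothing to compare against, so the first
            # key seen is remembered whether or not it is the site's own.
            self.pins[host] = {pin}
            return "first-use"
        return "match" if pin in known else "mismatch"


def scenarios() -> dict:
    out = {}
    # First contact is clean, interception starts later: the change is caught.
    tofu = PinStore()
    out["tofu_late"] = [tofu.check(HOST, SITE_KEY), tofu.check(HOST, PROXY_KEY)]
    # Interceptor is present at first contact: its key becomes the baseline
    # and the genuine key is the one that later raises the alarm.
    tofu = PinStore()
    out["tofu_early"] = [tofu.check(HOST, PROXY_KEY), tofu.check(HOST, SITE_KEY)]
    # Pin shipped with the client: the substituted key fails on first contact.
    pinned = PinStore({HOST: [spki_pin(SITE_KEY)]})
    out["preloaded"] = [pinned.check(HOST, PROXY_KEY), pinned.check(HOST, SITE_KEY)]
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:10} {result}")
```
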
  3. Re:all ads are malware by WD · · Score: 3, Insightful

    "Adware is malware with better lawyers"
    said @axeexcess on the Twitter

  4. Re:Circle of weeds by nyet · · Score: 4, Insightful

    It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.

    Corporations are notoriously uninterested in the repercussions of their actions.