Slashdot Mirror


Advertising Tool PrivDog Compromises HTTPS Security

itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.

51 of 95 comments

  1. No no! by Sir_Substance · · Score: 1, Insightful

    Don't block advertising, they deserve to earn money from their work!

    Yeah, right...

    1. Re:No no! by Anonymous Coward · · Score: 3, Funny

      Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!

    2. Re:No no! by garyisabusyguy · · Score: 3, Insightful

      No, no, NO!

      If the NSA does it, it is pure fucking evil

      If a company does it, then it is the free market and you better suck it up

      --
      Wherever You Go, There You Are
    3. Re:No no! by fuzzyfuzzyfungus · · Score: 1

      Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!

      Pernicious nonsense. If you elect to put some mixture of code, markup, and art assets on a public webserver my user agent will handle the results as much in accordance with my desires as I can make it do so.

      This is how the 'web' has always been supposed to work: support for flexible rendering and fallback to accommodate a variety of user agents with different characteristics and capabilities is built in (although often underused, unless one forces the issue). Were it designed to be all about you, the arrangement would be much more along the lines of a relatively rigid page description language (PDF style, say) and a more robust VM for you to do whatever you want in (like the late and largely unlamented Java Applet).

      Yes, unfortunately, nothing short of fire and sword will rid us of people who want the internet to be more like TV; but a web developer claiming that the user agent must take it and like it is about the same as a writer or publisher saying that highlighting sections of a book, or cutting a magazine apart, are copyright infringement. Stuff it.

    4. Re:No no! by Zontar+The+Mindless · · Score: 2

      I'm thinking the whole lot of yas just got trolled.

      --
      Il n'y a pas de Planet B.
    5. Re:No no! by gl4ss · · Score: 1

      well, what's the joke about this product is that.. well.. they replace them with other ads.

      to make money for themselves?

      what's the fucking point for the consumer?

      --
      world was created 5 seconds before this post as it is.
    6. Re:No no! by fuzzyfuzzyfungus · · Score: 1

      It's quite possible; but there definitely are web types (and, even more so, their 'content provider' masters) who think exactly this, so I was willing to take the risk.

      Pretty much this exact attitude is why the "Encrypted Media Extension" 'spec' exists, to provide something that qualifies as 'HTML 5' (Don't call it a plugin! It's a 'Content Decryption Module' that just happens to be operationally identical to or worse than a plugin!); but allows the site operator full control over execution.

    7. Re:No no! by DarkOx · · Score: 1

      Yes, I am sure the OP was either being sarcastic or trolling, but the reality is there are A LOT of web developers and marketing people who think that way. The most basic form of it is web pages that don't flow. Yet people build pages that force 4:3 layouts to this day, make you page through content that could easily scroll or even fit on a single page rendered on a large and hi-res display, etc.

      These people do need to be named, shamed and generally rejected.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:No no! by Zontar+The+Mindless · · Score: 1

      My personal favourite is sites that get your screen resolution and assume your browser window has the same dimensions.

      My second favourite is sites that try to force every link to open in a new window. (Yes, 90+% of Chinese websites, I'm looking at you. WTF is with that, anyway?)

      --
      Il n'y a pas de Planet B.
    9. Re:No no! by sumdumass · · Score: 2

      it is the free market and you better suck it up

      You do not have to suck it up or even like it. The idea behind a free market is that you can stay away from what you do not like and go to what you do like.

      Of course if it's the only choice, it isn't a free market is it?

    10. Re:No no! by Opportunist · · Score: 1

      Nobody deserves to earn money. Here I am, punching you in the face, so why don't you pay me?

      Provide something I want then you may ask me to pay for it so I may use it. You may earn my money provided you give me something that I deem of equal or higher value.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:No no! by Opportunist · · Score: 1

      No, you do not. It's even debatable whether you may try. You may refuse to deliver the content I request if I do not comply with your requirements to do so, but that's pretty much all you may.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:No no! by Opportunist · · Score: 2

      It's exactly this attitude that made ad blockers and script killers popular.

      You know, if companies asked whether they may display ads and if those ads were not intrusive, in-your-face, with speakers blaring, I know a lot of people would accept it and even welcome it, as a way to award those that deserve it. You know, as in what the customer's job is in the free market, to award those that provide a service they want.

      Instead you abused us long enough that we simply assumed the same position as the industry: I do and take what I want and screw you!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    13. Re:No no! by Opportunist · · Score: 1

      Such a system would have died pretty fucking quickly. Whether something like the web would have developed instead depends on how many patents could be abused to prevent it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Comodo are the biggest Cert issuer by Anonymous Coward · · Score: 5, Interesting

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates. TLS hands trust over to a third party, and in this case that third party is Comodo.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk. The answer is simple: the certificate authorities sign their keys as valid, making ALL https sessions vulnerable to a man-in-the-middle attack.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past. So we need to constantly be handing out public keys, and each and every end slot needs to store and track these public keys, warning us when they change. That way an attacker needs to man-in-the-middle *EVERY* communication, *ALL* the time, via *EVERY* route, and if they tried to use different keys per user then they'd need to perfectly identify every user. Which is impossible.
    Likewise if they used one public key per site, then they'd need to identify every sysadmin for the site, who would notice their keys are intercepted. They'd need to provide uninterrupted keys for just those users.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    1. Re:Comodo are the biggest Cert issuer by BitZtream · · Score: 5, Insightful

      Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

      Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

      Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

      People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

      Only the ignorant wonder that, just because you do, doesn't mean everyone does.

      We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

      You don't have any idea how this system works currently, do you?

      You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

      or ...

      you could just learn what certificate pinning is.

      We need to remove the certificate authorities, because they are the weak link in secure comms.

      So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says it's Google and intercepts the traffic.

      The certificate authorities' purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why that's exactly the opposite of an actual solution.

      'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE IT'S TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

      You are proposing nothing new. It's been done, and it's failed repeatedly.

      Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to blackball the certificate authorities that aren't trustworthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Comodo are the biggest Cert issuer by BronsCon · · Score: 1

      the key you received in 2005 is the key you use in 2015

      Unless the other endpoint was compromised at some point and legitimately changed their key as a mitigation measure. Solve that problem and we'll be in agreement.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    3. Re:Comodo are the biggest Cert issuer by thegarbz · · Score: 1

      I disagree. The web of trust only didn't work in the past because it wasn't automated. While I agree the abolition of certificate authorities is the wrong idea, blindly trusting them is equally wrong.

      I like the solution that looks to see if a particular connection is suffering from a MITM. The Perspectives plugin for browsers does something like this. It is interested in not only whether the certificate you received is valid, but also whether the certificate you receive is the same certificate that several other people around the world receive. At that point you have a degree of trust that no one is listening, with the only thing left for a CA to do being to say yes, Google paid us money to send you this.
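The multi-vantage-point check described above, as an added example that is not the Perspectives plugin's own code: the browser reports the certificate fingerprint it received, several "notaries" at other network locations report what they saw for the same host, and the connection is trusted only when enough notaries agree with the local view. The notary answers are constructed sample data, and the policy of three-quarters agreement among at least three responding notaries is an assumption:

```python
"""Perspectives-style check: does the certificate I see match what others see?

Added example, not the Perspectives plugin's code. Notary answers below are
constructed; a real client would query notary servers over the network.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Consensus:
    ok: bool
    reason: str
    agreeing: int     # notaries that saw the same fingerprint as the local client
    responding: int   # notaries that answered at all


def notary_consensus(local_fp, reports, quorum=0.75, min_responding=3):
    """reports: {notary_name: fingerprint, or None if that notary did not answer}."""
    answered = {name: fp for name, fp in reports.items() if fp is not None}
    responding = len(answered)
    if responding < min_responding:
        return Consensus(False, "too few notaries responded to decide", 0, responding)
    counts = Counter(answered.values())
    agreeing = counts[local_fp]
    if agreeing / responding >= quorum:
        return Consensus(True, "local certificate matches the notaries' view", agreeing, responding)
    top_fp, top_n = counts.most_common(1)[0]
    if top_fp != local_fp and top_n / responding >= quorum:
        # Everyone else sees one consistent certificate and it is not ours:
        # the path between this client and the server is the likely problem.
        return Consensus(False, "notaries agree on a different certificate: local path is likely intercepted",
                         agreeing, responding)
    return Consensus(False, "notaries disagree with each other: certificate may be mid-rotation or served per region",
                     agreeing, responding)


def run_demo():
    """Four constructed situations: clean, intercepted locally, not enough data, inconsistent."""
    real = "aa11"   # constructed fingerprint the genuine server presents
    other = "bb22"  # constructed fingerprint of an interposed certificate
    three_agree = {"notary-eu": real, "notary-us": real, "notary-asia": real, "notary-sa": None}
    return [
        notary_consensus(real, three_agree),
        notary_consensus(other, three_agree),
        notary_consensus(real, {"notary-eu": real, "notary-us": None, "notary-asia": None}),
        notary_consensus(real, {"notary-eu": real, "notary-us": other, "notary-asia": other, "notary-sa": real}),
    ]


if __name__ == "__main__":
    for result in run_demo():
        print(result.ok, "-", result.reason, f"({result.agreeing}/{result.responding})")
```

Note that the third and fourth outcomes are both "not ok" but for different reasons: a quorum failure for lack of data should degrade to the normal CA check, whereas a clear majority seeing a different certificate than the local client is the signal the post is after.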

    4. Re:Comodo are the biggest Cert issuer by heypete · · Score: 1

      Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

      Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

      Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

      Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.

      Various surveys, including this one (daily updates available here), scan HTTPS-enabled sites and report on the share of CAs.

      Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TLS for all their customers (including free ones) using Comodo-issued certs -- that single action essentially doubled the number of HTTPS sites on the internet.

    5. Re:Comodo are the biggest Cert issuer by DarkOx · · Score: 1

      Certificate pinning (though downright irritating if you are doing local development) really is the right solution.

      Outside your bank, where you probably could get a self-signed key given to you when you open an account, most of us don't have a way to initially verify the authenticity of a site. We need the 3rd party CAs. No, web of trust does not really work, because I for one don't know enough people I trust to competently handle key signing and transitive authorization decisions better than the CAs do.

      Pinning though would help a great deal. A loud warning that the certificate changed more than say a couple weeks prior to its original expiry date is a good control. Unfortunately there are still a number of perfectly legitimate reasons for that to occur and I don't have a good solution for how the end user is supposed to resolve that. One approach might be for browser software to 'require' the old CERT to either be expired or appear on the CRL before the new one is treated as valid. Now obviously that won't protect you in all cases if the CA itself is compromised, but it would close lots of holes.

      NSA/other spy/criminal agency gets the original CA to issue a new cert - So mister spy now has to be able to sign for the CA as well as Google, and redirect traffic to both CA's revocation lists AND Gmail. This will be more difficult - though by no means impossible. If you manage to compromise the CA and get their private key you can do this.

      However what you can no longer do is get a cert from some other CA. I.e. the NSA can't use one of the DoD CAs that many browsers trust to issue a certificate for GMail, $DICTATOR in $COUNTRY can't use his national CA either. They have to actually get GEOTRUST or whoever the original issuer was to do it, or compromise them, not just any CA like today. This would be much better.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
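The key-continuity scheme proposed higher up in this thread (remember each site's public key and warn when it changes), combined with the refinement above that a changed key is only accepted once the old certificate is close to expiry or has been revoked, as an added example that is not code from any poster. It also covers the objection that a site may legitimately change its key after a compromise: that case goes through the revocation path. The host, keys and timestamps are constructed, certificates are modelled as small records rather than parsed X.509, and the fourteen-day renewal window is an assumption standing in for "a couple weeks":

```python
"""Key-continuity check for TLS server keys: remember the key, warn when it changes.

Added example, not code from any poster. A replacement key is accepted only
when the remembered certificate is inside its renewal window, has expired,
or its key appears in a revocation set the caller supplies (CRL lookup is
outside this example). Keys and times below are constructed sample values.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ROTATION_WINDOW = 14 * DAY  # assumed: "a couple weeks" before expiry counts as a normal renewal


@dataclass(frozen=True)
class Observed:
    host: str
    spki: bytes      # server's SubjectPublicKeyInfo (DER in practice; constructed bytes here)
    not_after: int   # certificate expiry as Unix time


class Verdict(Enum):
    FIRST_USE = "first contact, key recorded"
    MATCH = "key matches the stored record"
    ROTATED_OK = "key changed, old certificate expiring/expired or revoked"
    MISMATCH = "key changed while the old certificate is still valid: refuse and warn"


def spki_fingerprint(spki: bytes) -> str:
    """Pin the public key rather than the whole certificate so re-issuance with the same key is silent."""
    return hashlib.sha256(spki).hexdigest()


class KeyStore:
    def __init__(self):
        self.records = {}  # host -> {"fp": fingerprint, "not_after": expiry}

    def check(self, obs: Observed, now: int, revoked=frozenset()) -> Verdict:
        fp = spki_fingerprint(obs.spki)
        rec = self.records.get(obs.host)
        if rec is None:
            self.records[obs.host] = {"fp": fp, "not_after": obs.not_after}
            return Verdict.FIRST_USE
        if rec["fp"] == fp:
            # Same key re-certified: just extend the remembered expiry.
            rec["not_after"] = max(rec["not_after"], obs.not_after)
            return Verdict.MATCH
        if now >= rec["not_after"] - ROTATION_WINDOW or rec["fp"] in revoked:
            self.records[obs.host] = {"fp": fp, "not_after": obs.not_after}
            return Verdict.ROTATED_OK
        # Store is deliberately left untouched so the warning repeats on the next connection.
        return Verdict.MISMATCH


def run_demo():
    """One host through first use, a mid-validity key swap, a renewal and a revocation."""
    host = "example.test"
    key_a, key_b, key_c = b"constructed-spki-A", b"constructed-spki-B", b"constructed-spki-C"
    store = KeyStore()
    return [
        store.check(Observed(host, key_a, 365 * DAY), now=0),
        store.check(Observed(host, key_a, 365 * DAY), now=10 * DAY),
        store.check(Observed(host, key_b, 730 * DAY), now=20 * DAY),    # new key with 345 days left: refused
        store.check(Observed(host, key_b, 730 * DAY), now=360 * DAY),   # inside the renewal window: accepted
        store.check(Observed(host, key_c, 1100 * DAY), now=400 * DAY),  # again too early: refused
        store.check(Observed(host, key_c, 1100 * DAY), now=400 * DAY,
                    revoked={spki_fingerprint(key_b)}),                 # old key revoked: accepted
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict.name, "-", verdict.value)
```

The store never learns a key presented while the previous certificate is still comfortably valid, which is exactly the case an interposed certificate produces; the price, as the post says, is that an operator who must rotate early has to get the old key onto a revocation list the client consults before users stop seeing warnings.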
    6. Re:Comodo are the biggest Cert issuer by Billly+Gates · · Score: 1

      Still I trusted them and privdog on an older system I used to run based on good ratings. That and I used Comodo Dragon for a little while so I wouldn't be spied upon.

      Turns out I had been had.

      Yes Comodo had a good name to it until today. Shame on you!

    7. Re:Comodo are the biggest Cert issuer by JohnFen · · Score: 1

      based on good ratings

      There's your problem. People rating apps generally haven't performed security audits.

    8. Re:Comodo are the biggest Cert issuer by Billly+Gates · · Score: 1

      I used av-totals. They are a professional certification group.

    9. Re:Comodo are the biggest Cert issuer by JohnFen · · Score: 1

      As near as I can tell, av-totals is just measuring how effective things are in terms of antivirus. They don't appear to be analyzing the AV software itself for security problems such as the bogus cert. That's not a fault with them -- that's expecting them to be doing something they aren't claiming to do.

  3. Comodo, shame on you! by QuietLagoon · · Score: 1

    ...insecure HTTPS traffic interception ... an advertising product with ties to security vendor Comodo...

    Comodo is a vendor that I [currently] rely upon for my PC firewall and my SSL certificates.

    So, on one hand, I'm looking to Comodo to help me secure my computers and usage of my computers.

    And on the other hand, Comodo is looking to install HTTPS traffic interceptors on my computers that increase the security vulnerability of my computers?

    What frigging kind of security company is Comodo? Is Comodo a security company at all?

    1. Re:Comodo, shame on you! by lucm · · Score: 1

      What frigging kind of security company is Comodo? Is Comodo a security company at all?

      Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

      It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

      --
      lucm, indeed.
    2. Re:Comodo, shame on you! by WD · · Score: 1

      I'll give you a multiple-choice question.
      Security companies want to:
      a) Keep you secure.
      b) Make more money.

      Just put your pencil down when you're done.

    3. Re:Comodo, shame on you! by heypete · · Score: 1

      What frigging kind of security company is Comodo? Is Comodo a security company at all?

      Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

      It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

      Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

      But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable price (same price as RSA certs, typically less than $10/year), which is nice if you're interested in moving away from RSA for whatever reason.

  4. Re:all ads are malware by invictusvoyd · · Score: 3, Funny

    Does this run on linux / FreeBSD ? I'd like to try it

  5. Re:all ads are malware by thegarbz · · Score: 1

    also anything which allows ads is too.

    Please don't dilute serious concerns with this hyperbole.

  6. Let me get this straight by 93+Escort+Wagon · · Score: 2

    Their product is designed to replace ads... with OTHER ads, provided by themselves. And it's not hard to imagine that cash considerations are involved with making those choices.

    Even if you set aside the security implications - that is pretty much exactly the sort of sleazy behavior that has gotten quite a few companies into trouble in the past.

    --
    #DeleteChrome
  7. Why? by Jack+Griffin · · Score: 1

    "The program is designed to replace potentially bad ads with safer ones" Why would anyone choose this? I mean is this an opt-in thing, or do they just force it on you? I can't imagine anyone cognitively choosing a product that replaces ads with other ads, when there are other products already on the market that replace ads with no ads instead.

    1. Re:Why? by AchilleTalon · · Score: 1

      Why are people actually buying penis enlargement pumps? You will always find enough idiots in this world to make anyone rich, it is just a matter of reaching enough of them, which the web excels at.

      --
      Achille Talon
      Hop!
  8. HTTPS by fustakrakich · · Score: 1

    Not very secure, is it? Better make that a small s

    This stuff is a placebo, at best.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:HTTPS by fustakrakich · · Score: 1

      Enough 'metadata' leaks out for all your surveillance needs. HTTPS only works if you personally know who/what is at the other end. The certs are wishful thinking. And I will maintain until the end days that publicly available crypto is a fraud. The state is way ahead in every way. The absolute worst must be assumed, and just roll with it. Not a hell of a lot can be done right now.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:HTTPS by Zontar+The+Mindless · · Score: 1

      We'll always have postcards.

      --
      Il n'y a pas de Planet B.
  9. Circle of weeds by WaffleMonster · · Score: 2

    Anyone smart enough to write an HTTPS proxy able to dynamically create and sign certs surely must have known enough about the underlying technology to recognize and comprehend the importance of validating the trust chain. How does someone innocently "overlook" this in either design or test? It simply MUST have occurred to someone.
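What "validating the trust chain" means for the client half of a local HTTPS proxy, as an added example that is not PrivDog's or any poster's code, using Python's standard ssl module: once a proxy terminates HTTPS on the user's machine it becomes the TLS client for every site the user visits, so the chain and hostname checks the browser used to do must now happen in the proxy. The weak context is shown beside the corrected one, and an audit function flags the settings a reviewer or tester would look for:

```python
"""Upstream TLS client configuration for anything that terminates HTTPS locally.

Added example, not PrivDog's or any poster's code. Only the standard library
is used; no connection is opened, the contexts are just built and inspected.
"""
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client-side context; an empty list means upstream is properly validated."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the upstream chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version admits TLS 1.0/1.1")
    return findings


def weak_upstream_context() -> ssl.SSLContext:
    """What a proxy that 'just connects' to the origin ends up with: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # self-signed or mismatched certificates pass silently
    return ctx


def hardened_upstream_context() -> ssl.SSLContext:
    """OS trust store, chain validation, hostname verification and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True, system roots loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_upstream_context()), ("hardened", hardened_upstream_context())):
        print(name + ":", audit_client_context(ctx) or ["no findings"])
```

A proxy built on the weak context will happily re-sign whatever certificate it is handed with its own locally trusted root, which is the failure the post describes; the hardened context makes the proxy fail the upstream connection in exactly the cases the browser would have refused.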

    1. Re:Circle of weeds by nyet · · Score: 4, Insightful

      It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.

      Corporations are notoriously uninterested in the repercussions of their actions.

    2. Re:Circle of weeds by WD · · Score: 1
    3. Re:Circle of weeds by BVis · · Score: 1

      "Do this HTTwhatever thingy."
      "It's a bad idea for *reasons*"
      "Blah blah blah do it."
      "I'm not comfortable doing that, it's unethical"
      "I don't give a fuck about your ethics, we pay you to code, not have ethics. Do what you've been assigned or get fired."

      Sooner or later you will find a coder that wants to keep feeding his/her family and will do what's requested.

      --
      Never underestimate the power of stupid people in large groups.
  10. Re:all ads are malware by WD · · Score: 3, Insightful

    "Adware is malware with better lawyers"
    said @axeexcess on the Twitter

  11. war by Tom · · Score: 2

    It's clear advertisement companies have declared war on us, and think any and all means are permissible. No other mindset can explain these actions. If these people would not consider us enemies, they could not possibly look at themselves in a mirror.

    So when will Firefox ship with ABE (or some other fork, don't use the original AdBlock, it has been sold to an advertisement company) and default to having it enabled?

    I mean, aside from the hacking and privacy issues, every time I see the Internet on a browser without ad blocker, I can't believe people endure this crap.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:war by Billly+Gates · · Score: 2

      What worries me is corporations too now bust SSL as well to spy on employees.

      Now since the cat is out of the bag this may be common. This will kill all commerce on the web as payment processing companies' insurance plans won't insure online transactions without proof of a true encrypted connection.

      This in turn will de-value the online advertisement market if people stop buying shit online.

      We need to stand up and do something and real advertisers need to step in before their business models get destroyed. This is just insanity! I would not be surprised if Google certificates do just this but Google seems too smart to be a snake which swallows its own tail.

    2. Re:war by Tom · · Score: 1

      You don't have to wait for another major Firefox release

      I agree in principle, but this is ludicrous. Firefox releases seem to be twice a week now, and we'll probably all live to see the version number overflow.

      Yeah, there should be several competing plugins. But maybe FF can ask you which one you want after install, assuming that anyone with three working brain cells wants an adblocker.

      --
      Assorted stuff I do sometimes: Lemuria.org
  12. Re:Snowden uses PGP/web of trust by heypete · · Score: 1

    Snowden of course used PGP which uses the web of trust system, it works enough to protect Greenwald and Snowden from NSA snooping.

    To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.

  13. Yeah, right ... by gstoddart · · Score: 1

    The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia

    Now there's a big frickin' lie ... Adtrustmedia is like "MRE" (meal ready to eat) ... it's three lies in one.

    There simply is no entity involved in advertising who you should be trusting.

    Assume they're all greedy sociopaths, and just save yourself the time.

    This is precisely why I feel no guilt about blocking ads ... because I think the players are shady, and are sure as hell not entitled to all of the tracking information they shove into a web page.

    Your average web page is like walking into WalMart and having the greeter put a dozen tags on your ear like a cow. It's just riddled with crap, cookies, tracking beacons, junk scripts, Flash, and who knows what the hell else.

    A 'compliance team' is marketing speak, for marketing assholes maximizing their cut.

    --
    Lost at C:>. Found at C.
  14. Comodo AV and IceDragon too! by Billly+Gates · · Score: 2

    Shoot Hairyfeet is a big proponent of them and I used to use both too.

    Wow.

    I hope MS decertifies all Comodo certificates. I expect a big lawsuit from this and perhaps Comodo disabling Microsoft's root certificates in return. Fun times.

    Another lawsuit coming up.

    1. Re:Comodo AV and IceDragon too! by toddestan · · Score: 1

      It's a bit of a shame since Comodo Dragon was my favorite Chrome-but-not-actually-Chrome browser. However this and them dragging their feet on updates means I'll be switching to something else.

  15. WAHHH, stop looking at my stuff that I put online! by Thud457 · · Score: 1

    So much for websites crying about AdBlock stealing food from their children's mouths.
    Now AdBlock prevents shitbirds like this from benefiting from attempting to steal food from webmasters' children. Which makes it more better, right?

    I would welcome AdBlock having some sort of micropayment sponsor system baked in where I could choose to support sites whose content I value. Twenty years of the web, and still nobody's figured out how to make that shit work. Is Ted Nelson even still alive?

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  16. Re:what social purpose do they serve? by Opportunist · · Score: 1

    How about a three strikes law? They're really popular these days.

    If your page causes three waves of infections, you're no longer allowed to be on the internet. Forever.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  17. Re:No, you abandon keys by BronsCon · · Score: 1

    You can change your key, but everyone is made AWARE the key has changed and you have to INFORM them why it changed and for what reason and they have to accept it or not.

    Or, someone else changes the key, MITM's the site, injects a brief explanation of why the key was changed into a banner on the page (oh, but you have to accept the new key in order to see that, assuming the site uses SSL everywhere as it should) or spoofs an email with the explanation, or spoofs a social media campaign with the explanation, whatever.

    Maybe they target an individual user, that user gets the spoofed email and sees the spoofed tweets, and accepts the new key. Company would never be the wiser, since no fake notices would go out publicly, and the user, well...

    This would work for you, this would work for me, hell it'd work for a handful of people here, because we know to spend longer than the time it takes to click "OK" to investigate these things. The real problem with your solution is that 99.999% of users either don't know to do that, or simply don't think it's a big enough deal to warrant actually doing it. You think it'd be a better situation based on your experience with a few competent and security-minded people, but the reality is we're the minority and the situation would end up much worse as a result.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.