Slashdot Mirror


Advertising Tool PrivDog Compromises HTTPS Security

itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.

15 of 95 comments

  1. Re:No no! by Anonymous Coward · · Score: 3, Funny

    Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!

  2. Comodo are the biggest Cert issuer by Anonymous Coward · · Score: 5, Interesting

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates. TLS hands trust over to a third party, and in this case that third party is Comodo.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk. The answer is simple: the certificate authorities sign their keys as valid, making ALL https sessions vulnerable to a man-in-the-middle attack.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past. So we need to constantly be handing out public keys, and each and every end slot needs to store and track these public keys, warning us when they change. That way an attacker needs to man-in-the-middle *EVERY* communication, *ALL* the time, via *EVERY* route, and if they tried to use different keys per user then they'd need to perfectly identify every user. Which is impossible.
    Likewise if they used one public key per site, then they'd need to identify every sysadmin for the site, who would notice their keys are intercepted. They'd need to provide uninterrupted keys for just those users.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    1. Re:Comodo are the biggest Cert issuer by BitZtream · · Score: 5, Insightful

      Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.

      Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

      Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

      People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

      Only the ignorant wonder that, just because you do, doesn't mean everyone does.

      We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

      You don't have any idea how this system works currently, do you?

      You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

      or ...

      you could just learn what certificate pinning is.

      We need to remove the certificate authorities, because they are the weak link in secure comms.

      So you want me to ask Google what Google's public key is and then trust that whatever I get sent is actually the public key, with no verification of that, other than that it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says it's Google and intercepts the traffic.

      The certificate authorities' purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why that's exactly the opposite of an actual solution.

      'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE IT'S TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

      You are proposing nothing new. It's been done, and it's failed repeatedly.

      Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to blackball the certificate authorities that aren't trustworthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
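The key-continuity scheme the grandparent post sketches, and the certificate pinning BitZtream points to instead, both reduce to a trust-on-first-use store. As an added illustration (not code from either poster, from Comodo or from PrivDog), here is a small Python pin store that records the first key seen per host and flags a change seen on any later route, plus the first-contact case that shows where BitZtream's objection bites. The hostname, route names and certificate bytes are constructed.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for DER-encoded certificates; only their hashes matter here.
CERT_GENUINE = b"constructed-cert: CN=example.test, genuine server key"
CERT_INTERCEPT = b"constructed-cert: CN=example.test, re-signed by local proxy"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate. RFC 7469 (HPKP) pins the hash of the
    SubjectPublicKeyInfo instead, so a renewed cert with the same key still matches."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use store: the first key seen for a host is pinned together
    with the time it was first seen; later sightings are compared against it."""

    def __init__(self) -> None:
        self.pins: Dict[str, Tuple[str, float]] = {}

    def observe(self, host: str, cert_der: bytes, now: float) -> str:
        """Return 'new' (first contact, now pinned), 'match' or 'changed'."""
        fp = fingerprint(cert_der)
        entry = self.pins.get(host)
        if entry is None:
            self.pins[host] = (fp, now)
            return "new"
        return "match" if fp == entry[0] else "changed"


def audit(sightings: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str, str]]:
    """Feed (route, host, cert) sightings through one store; return the verdict per sighting."""
    store = PinStore()
    return [(route, host, store.observe(host, cert, now=float(i)))
            for i, (route, host, cert) in enumerate(sightings)]


# Constructed sightings: three routes reach the genuine server, one route sits
# behind an intercepting proxy that re-signs the certificate with its own key.
SIGHTINGS = [
    ("home-wifi", "example.test", CERT_GENUINE),
    ("office-lan", "example.test", CERT_GENUINE),
    ("hotel-wifi", "example.test", CERT_INTERCEPT),  # flagged: key changed
    ("mobile", "example.test", CERT_GENUINE),
]

# The weakness BitZtream points at: if the very first contact is already
# intercepted, the proxy's key is the one that gets pinned.
FIRST_CONTACT_INTERCEPTED = [
    ("hotel-wifi", "example.test", CERT_INTERCEPT),  # pinned as 'new'
    ("home-wifi", "example.test", CERT_GENUINE),  # the genuine key now looks 'changed'
]
```

The store only detects a key that differs from the one it already holds; it cannot tell which of the two keys is the genuine one, which is the gap a third-party verifier (a CA, or a pin shipped with the client) is meant to close.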
  3. Re:all ads are malware by invictusvoyd · · Score: 3, Funny

    Does this run on Linux / FreeBSD? I'd like to try it.

  4. Let me get this straight by 93 Escort Wagon · · Score: 2

    Their product is designed to replace ads... with OTHER ads, provided by themselves. And it's not hard to imagine that cash considerations are involved with making those choices.

    Even if you set aside the security implications - that is pretty much exactly the sort of sleazy behavior that has gotten quite a few companies into trouble in the past.

    --
    #DeleteChrome
  5. Circle of weeds by WaffleMonster · · Score: 2

    Anyone smart enough to write an HTTPS proxy able to dynamically create and sign certs surely must have known enough about the underlying technology to recognize and comprehend the importance of validating the trust chain. How does someone innocently "overlook" this in either design or test? It simply MUST have occurred to someone.

    1. Re:Circle of weeds by nyet · · Score: 4, Insightful

      It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.

      Corporations are notoriously uninterested in the repercussions of their actions.

  6. Re:all ads are malware by WD · · Score: 3, Insightful

    "Adware is malware with better lawyers"
    said @axeexcess on the Twitter

  7. Re:No no! by garyisabusyguy · · Score: 3, Insightful

    No, no, NO!

    If the NSA does it, it is pure fucking evil

    If a company does it, then it is the free market and you better suck it up

    --
    Wherever You Go, There You Are
  8. war by Tom · · Score: 2

    It's clear advertisement companies have declared war on us, and think any and all means are permissible. No other mindset can explain these actions. If these people did not consider us enemies, they could not possibly look at themselves in a mirror.

    So when will Firefox ship with ABE (or some other fork, don't use the original AdBlock, it has been sold to an advertisement company) and default to having it enabled?

    I mean, aside from the hacking and privacy issues, every time I see the Internet on a browser without ad blocker, I can't believe people endure this crap.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:war by Billly Gates · · Score: 2

      What worries me is corporations too now bust SSL as well to spy on employees.

      Now since the cat is out of the bag this may be common. This will kill all commerce on the web as payment processing companies' insurance plans won't insure online transactions without proof of a true encrypted connection.

      This in turn will de-value the online advertisement market if people stop buying shit online.

      We need to stand up and do something and real advertisers need to step in before their business models get destroyed. This is just insanity! I would not be surprised if Google certificates do just this but Google seems too smart to be a snake which swallows its own tail.

  9. Re:No no! by Zontar The Mindless · · Score: 2

    I'm thinking the whole lot of yas just got trolled.

    --
    Il n'y a pas de Planet B.
  10. Comodo AV and Icedragon too! by Billly Gates · · Score: 2

    Shoot, Hairyfeet is a big proponent of them and I used to use both too.

    Wow.

    I hope MS decertifies all Comodo certificates. I expect a big lawsuit from this and perhaps Comodo disabling Microsoft's root certificates in return. Fun times.

    Another lawsuit coming up.

  11. Re:No no! by sumdumass · · Score: 2

    it is the free market and you better suck it up

    You do not have to suck it up or even like it. The idea behind a free market is that you can stay away from what you do not like and go to what you do like.

    Of course if it's the only choice, it isn't a free market is it?

  12. Re:No no! by Opportunist · · Score: 2

    It's exactly this attitude that made ad blockers and script killers popular.

    You know, if companies asked whether they may display ads and if those ads were not intrusive, in-your-face, with speakers blaring, I know a lot of people would accept it and even welcome it, as a way to award those that deserve it. You know, as in what the customer's job is in the free market, to award those that provide a service they want.

    Instead you abused us long enough that we simply assumed the same position as the industry: I do and take what I want and screw you!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.