Slashdot Mirror

← Back to Stories (view on slashdot.org)

Advertising Tool PrivDog Compromises HTTPS Security

Posted by Soulskill on from the time-to-wipe-grandma's-laptop dept.

itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.

3 of 95 comments (clear)

  1. Comodo are the biggest Cert issuer by Anonymous Coward · · Score: 5, Interesting

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates. TLS hands trust over to a third party, and in this case that third party is Comodo.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk. The answer is simple, the certificate authorities sign their keys as valid. Making ALL https sessions vulnerable to a man-in-the-middle attack.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past. So we need to constantly be handing out public keys, and each and every end slot needs to store and track these public keys, warning us when they change. That way an attacker needs to man-in-the-middle *EVERY* communication, *ALL* the time, via *EVERY* route, and if they tried to use different keys per user then they'd need to perfectly identify every user. Which is impossible.
    Likewise if they used one public key per site, then they'd need to identify every sysadmin for the site, who would notice their keys are intercepted. They'd need to provide uninterrupted keys for just those users.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    1. Re:Comodo are the biggest Cert issuer by BitZtream · · Score: 5, Insightful

      Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates.

      Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

      Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

      People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

      Only the ignorant wonder that, just because you do, doesn't mean everyone does.

      We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

      You don't have any idea how this system works currently, do you?

      You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

      or ...

      you could just learn what certificate pinning is.

      We need to remove the certificate authorities, because they are the weak link in secure comms.

      So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says its Google and intercepts the traffic.

      The certificate authorities purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why thats exactly the opposite of a actual solution.

      'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE ITS TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

      You are proposing nothing new. Its been done, and its failed repeatedly.

      Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to black ball the certificate authorities that aren't trust worthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  2. Re:Circle of weeds by nyet · · Score: 4, Insightful

    It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.

    Corporations are notoriously uninterested in the repercussions of their actions.