Slashdot Mirror


Chromodo Browser Disables Key Web Security (thestack.com)

An anonymous reader writes: A Google Security Research update has claimed that Comodo's internet browser Chromodo, based on the open-source project Chromium, contains significant security failings and puts its users at risk. This week's Google alert suggested that the Chromodo browser – available as a standalone download, as well as part of the company's Security package – is less secure than it promises. According to analysis, the browser is disabling the Same Origin policy, hijacking DNS settings, and replacing shortcuts with Chromodo links, among other security violations.

54 comments

  1. Never heard of it by Anonymous Coward · · Score: 0

    And couldn't care less, now that I know it is insecure and available for Windows alone.

    1. Re: Never heard of it by Anonymous Coward · · Score: 0

      Comodo anything is garbage. Incl. their certs. Fuck comodo.

  2. Same Origin already broken in Chrome by Anonymous Coward · · Score: 0

    Chrome already disables the Same-Origin policy when it stores third-party cookies without double-keying the first-party origin.

    1. Re:Same Origin already broken in Chrome by oztiks · · Score: 1

      CORS is broken in general, and for numerous reasons, but on the client side more than the server side.

      CORS should be good. CORS could be good. But it's primitive and difficult to write with when dealing with things such as hybrid mobile development. If web services need a header acceptance policy solution, then drop the same origin policy anyway and make it a totally separate thing. Making it so same origin resource sharing on the local side is blocked by default, with an established white-listing system in place that also records management of how the resources are used, would be even better!

      You can get some of that with the inspection tools on Chromium now, but it would be far better if it was more definitive. E.g. with LocalStorage we could know when requests are made rather than just seeing the variables change.
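The story summary says Chromodo disables the same-origin policy, and the comment above argues Chrome weakens it further by not double-keying third-party cookies. The following is an added example (not code from the thread, from Chromium or from Comodo) showing exactly what the same-origin check compares and what partitioning a cookie jar by top-level site changes; all hostnames and URLs are constructed sample values.

```javascript
// Added example: the same-origin comparison and single- vs double-keyed cookie jars.
// Not from Chromium or Comodo; hostnames and URLs below are constructed.

// Default ports per scheme, so https://a.example and https://a.example:443 compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin tuple (scheme, host, port). Path, query and
// fragment play no part in the same-origin decision.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// The same-origin policy: page script may read a response's contents only
// when all three components match. With this check switched off, any page
// the user visits could read responses from any site the user is logged into.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Cookie jar partition key. A single-keyed jar stores a cookie under the
// cookie's own host only; a double-keyed jar also keys it by the top-level
// site being visited, so an embedded third party gets a separate jar per
// first-party site and cannot reuse one identifier across them.
function cookieJarKey(cookieHost, topLevelUrl, doubleKeyed) {
  const site = new URL(topLevelUrl).hostname.toLowerCase();
  return doubleKeyed ? `${cookieHost}|${site}` : cookieHost;
}

// Can a tracker embedded on two different first-party pages see the same
// cookie jar on both, and therefore link the two visits?
function trackerCanLinkVisits(trackerHost, pageA, pageB, doubleKeyed) {
  return cookieJarKey(trackerHost, pageA, doubleKeyed) ===
         cookieJarKey(trackerHost, pageB, doubleKeyed);
}

// Stand-alone demo with constructed URLs (only runs when executed directly in Node).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('same origin, different path/port spelling:',
    isSameOrigin('https://bank.example/account', 'https://bank.example:443/transfer?x=1'));
  console.log('scheme differs:', isSameOrigin('https://bank.example/', 'http://bank.example/'));
  console.log('subdomain differs:', isSameOrigin('https://bank.example/', 'https://api.bank.example/'));
  console.log('tracker links visits, single-keyed jar:',
    trackerCanLinkVisits('ads.example', 'https://news.example/a', 'https://shop.example/b', false));
  console.log('tracker links visits, double-keyed jar:',
    trackerCanLinkVisits('ads.example', 'https://news.example/a', 'https://shop.example/b', true));
}
```

The origin tuple is deliberately coarse: a different path on the same host is still the same origin, while a different scheme or port is not. Double-keying does not stop a third party from setting cookies; it stops the same cookie from being visible across first-party sites.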

  3. If Windows, then insecure... by gestalt_n_pepper · · Score: 0

    and under surveillance.

    For whatever reasons, Microsoft is not going to give up on this. Windows will constantly report everything it can about you and your browsing habits.

    Want privacy? Forget Windows. Any version.

    --
    Please do not read this sig. Thank you.
    1. Re:If Windows, then insecure... by Anonymous Coward · · Score: 0

      Correct but way off topic

    2. Re:If Windows, then insecure... by hyperar · · Score: 1

      How cute, thinks privacy exists on the internet

    3. Re:If Windows, then insecure... by gestalt_n_pepper · · Score: 2

      It doesn't. But why make it easier for them? At the very least, I get to opt out of those targeted ads.

      --
      Please do not read this sig. Thank you.
    4. Re: If Windows, then insecure... by Anonymous Coward · · Score: 0

      That's what I finally did! I got my old Win 8.1 on a separate SSD just in case I ever need win-only software still. However, I finally made the big step towards daily Linux/*BSD use and haven't looked back since. Heck, even all of the games I play are now out with native Linux ports.

      I tried this for the first time back in 2006 but the time wasn't right. Not sure if it still is, but it's 300%+ better now than what it was before and I can actually do all of my work on Linux/*BSD now and also everything I used to do in my spare time.

      Anyway, back to tinkering with my gpg keys...

  4. I avoid knockoffs by LichtSpektren · · Score: 4, Insightful

    There's a lot of Chromium and Firefox clones/forks by small teams that have certain targeted goals (better UI, different default settings, etc.), but I tend to avoid them; I figure that Google and Mozilla have world-class security experts working for them, whereas these little forks, even if competently done, do not and might introduce security holes by accident.

    The same is also true for Linux distros--I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals, whereas those tiny little forks that do nothing but alter the UI probably aren't.

    1. Re:I avoid knockoffs by Flavianoep · · Score: 0

      I also avoid anything from my ISP that is not just for internet services, and fortunately, I've never had to install anything from them. Also, I don't install any app that provides the same service that a webpage does, even when there is a claim that it is for security. That makes me feel like an average slashdotter.

      --
      Linux is for people who don't mind RTFM.
    2. Re:I avoid knockoffs by buchner.johannes · · Score: 1

      I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals

      Haha, no! Perhaps a few core libraries are, if you are lucky.

      whereas those tiny little forks that do nothing but alter the UI probably aren't.

      Most distros are repackaging from the larger distros (Debian, Red Hat, Arch, Gentoo, SUSE), and security-related changes go upstream and downstream (well, sooner or later). So there is no major difference in security between UI-altering ones such as Mint and Debian.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals

      Muhahahahahahahahaha ...

      Good one.

    4. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      So, the list of things that are listed on their web site as added utility are being listed here as vulnerabilities?

      Anyone who uses a Comodo browser (Dragon, Ice Dragon, or Chromodo) without noticing the BIG BOLD LETTERS stating that you can route everything through their DNS and filtering servers is blind. Personally, I don't use their servers, it's a radio button during the installation, but that is one of their advertising points.

    5. Re:I avoid knockoffs by malditaenvidia · · Score: 1

      What's noteworthy about this specific instance is that Chromodo is made by Comodo, an antivirus developer, and is supposed to have a focus on security. I've never used the browser itself, but I tend to stay away from chrom* and clones.

    6. Re:I avoid knockoffs by Anonymous Coward · · Score: 1

      These browsers cannot be more secure than their upstream, unless they have further mitigations in place. The reason is that the biggest vulnerabilities are, depending on your view, 0-days or patched vulnerabilities you leave unpatched in your latest version. In the case of zero days, minus additional mitigations, both upstream and downstream are equally affected. In the case of patched vulnerabilities, only downstream is affected.

      In the particular case of Comodo, they are two months out of date and don't have any additional mitigations I can find, other than disabling safe-browsing and substituting in their own version.

    7. Re:I avoid knockoffs by castionsosa · · Score: 1

      Precisely. A browser needs to have security patches be ready for users almost immediately, so if a downstream fork doesn't get patches propagated, it becomes a security issue in waiting.

      Because browsers are either the primary attack vector for malware, or at least comparable to Trojans, security is paramount, and firms forking a browser cannot take doing this lightly, because there will need to be maintainers who have to see what security issues are going on with the upstream and either copy code, or write code to fix them in their product.

      The "furthest" I wind up straying is using Chromium on Ubuntu. Since Chrome and Chromium have a lot of cross-pollination, a bug in one will get patched in both.

    8. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      There is a good reason why websites like going to apps. Safari will at least prompt you if a page wants to open something in another store. Running an app, that protection isn't there. A good example is the Cracked app, which uses that to redirect someone to the App Store with virtually every page click or mouseover in hopes for another Lyft or Candy Crush install. Everything in the Cracked app on iOS is doable in a web browser.

      Android is worse... the Cracked app (last time I checked) wants every permission under the sun, including gross/fine GPS coords.

    9. Re:I avoid knockoffs by castionsosa · · Score: 1

      RedHat and SuSE have been given FIPS/Common Criteria/EAL certification in the past. Right now, it is pending for RHEL 7.x, but it will come eventually, and this shows the OS has seen independent validation by a very expensive lab that isn't just limited to one country.

      CentOS, Oracle Linux, and other downstreams inherit this as well... maybe not the certification, but the structure.

      Debian/Ubuntu isn't a slouch either, nor are the other mainstream variants, just because there are people who actually care about security scrutinizing the distributions. They won't catch everything, but it gives some assurance that the OS will pass muster.

    10. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      Sounds like APK needs to educate them on the malwaredomains hostfile blocklist.

    11. Re:I avoid knockoffs by LichtSpektren · · Score: 1

      I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals

      Haha, no! Perhaps a few core libraries are, if you are lucky.

      whereas those tiny little forks that do nothing but alter the UI probably aren't.

      Most distros are repackaging from the larger distros (Debian, Red Hat, Arch, Gentoo, SUSE), and security-related changes go upstream and downstream (well, sooner or later). So there is no major difference in security between UI-altering ones such as Mint and Debian.

      Mint's probably not bad since it's such a large project now. But I would never use something like elementaryOS or Parsix, since I have no idea about the competence of their security teams.

    12. Re:I avoid knockoffs by LichtSpektren · · Score: 1

      Chrome and Chromium don't just have "lots of cross-pollination", they're the exact same browser, using the exact same UI and rendering engine. The only differences are that Chrome comes with proprietary media codecs, Flash, and an auto-updater.

    13. Re:I avoid knockoffs by Trax3001BBS · · Score: 2

      What's noteworthy about this specific instance is that Chromodo is made by Comodo, an antivirus developer, and is supposed to have a focus on security. I've never used the browser itself, but I tend to stay away from chrom* and clones.

      I use Comodo firewall version 5.3.176757.1236 ~ If it ain't broke don't fix it, been using it for years now. Between it and my hosts file I've stopped a lot of problems others have had.

      This version is very easy to configure, has a very small footprint, and it's on top of every file that wants access. Charter.com turned MMC.exe into a keylogger; Comodo caught it, became the front program and the scrolling stopped, so you couldn't miss the event. (I bought a Straight Talk phone with a reused number flagged by Charter.com for a debit, and I had direct deposit). It's an issue still in the process of my satisfaction.

      Just had to give a shout out for Comodo, it's treated me very well for a long time now. As a firewall, sandbox and a fairly decent antivirus (which I quit using long ago), so it fills a small gap as well.

    14. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      Don't forget Google tracking what you do too. That's one of the big reasons people use the various Chrome "knockoffs", is that they strip all that stuff out.

    15. Re:I avoid knockoffs by toddestan · · Score: 1

      Not necessarily. They can be more secure by stripping out components that might have security holes in them. Like, say, an integrated Flash player. They can add in things like built-in ad blockers. Or not trust certificates from issuers who have issued bad certificates in the past, such as Comodo.

      And then there's security through obscurity. Some potential attacks might not know what to do with a browser that identifies as "Chromodo" or "Oprah" browser. And even something as simple as recompiling the browser could defeat some attacks that depend on something being at a certain memory address.

      Though most of these browsers seem to sell privacy more than security, mostly by stripping out things like Google's tracking.

    16. Re:I avoid knockoffs by Anonymous Coward · · Score: 0

      Different AC here. I don't think you two disagree. What I hear from both of you is that they can only be more secure if they have additional mitigations. That is what removing parts and adding adblockers is, isn't it?

  5. What? by ArchieBunker · · Score: 4, Insightful

    A shady browser that nobody has ever heard of is insecure? Who actually finds and installs this garbage besides the clueless and elderly?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:What? by amicusNYCL · · Score: 1

      Right, all of those clueless elderly people browsing around the Comodo website trying to update their servers' SSL certificates and notice that, hey, apparently Comodo publishes a browser based on Chromium.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:What? by wbr1 · · Score: 1

      Anyone who downloads and uses Comodo products, expecting them to be secure. Since they are 3-6% below the average on catching well known malware, I would say they are spending more time on bells and whistles to capture data or hook users into additional services than actual security. https://www.av-test.org/en/ant...

      Where have we seen this pattern before... Norton, McAfee, AVG, etc......

      --
      Silence is a state of mime.
    3. Re:What? by amorsen · · Score: 1

      Comodo is well known for lousy security. That they're still trusted by major browsers is a miracle. Never use any of their products if you can avoid it.

      Then again, as far as I am concerned there are only two reputable SSL vendors: GlobalSign and Let's Encrypt. The rest have either issued fraudulent certificates at least once or they simply shouldn't be in the business in the first place.

      With my luck, that probably means that GlobalSign is secretly owned by North Korea and run by the Illuminati or something. Even then they'd be better than most of their competitors.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:What? by Anonymous Coward · · Score: 0

      Who actually finds and installs this garbage besides the clueless and elderly?

      Given who subbed the story, I'm guessing timothy.

    5. Re:What? by castionsosa · · Score: 1

      AV software is just for checking that box for the legal eagles. The real security comes from keeping the web browser from being hit by exploits. Toss in NoScript and AdBlock, and this will go a lot further, security-wise, than any AV product. Mainly because AV products are always trying to play catch-up, while if the malvertising doesn't make it to the browser, or get executed, even a zero-day is defeated.

    6. Re:What? by ArchieBunker · · Score: 1

      Again, who has ever heard of this company?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    7. Re:What? by Anonymous Coward · · Score: 0

      Comodo used to offer a nice little firewall almost 10 years ago, then they started adding all kinds of "security features" and it became useless bloatware.

    8. Re:What? by LichtSpektren · · Score: 1

      Again, who has ever heard of this company?

      Americans don't know much about the Comodo Browser. One of the antitrust rulings against Microsoft in Europe was that they had to provide alternative web browsers for their customers; they avoided Firefox and Chrome and instead opted to display the knockoffs like Comodo Icedragon or whatever. So this story impacts Europeans a lot more than Americans.

    9. Re: What? by Anonymous Coward · · Score: 0

      What? Comodo's firewall was garbage from day one. Day fucking one.

  6. Chromium is malware by Anonymous Coward · · Score: 0

    Chromium is usually only found on systems that are heavily infected with malware. I remove it any time I see it on a customer's PC. I'm sure "Chromodo" or whatever is no better. If you want to use a WebKit browser, stick with Chrome or Safari.

    1. Re: Chromium is malware by Anonymous Coward · · Score: 0

      What? I will say it again, what?

    2. Re: Chromium is malware by Anonymous Coward · · Score: 0

    3. Re:Chromium is malware by toddestan · · Score: 1

      Chromium is the open-source base for Chrome. There aren't really releases for it like Chrome. Most Linux distros will have a package for it, but on Windows you pretty much have to seek out and download one of the snapshots, which isn't something most casual users are going to do*. So I'd assume anyone who has Chromium installed on Windows probably knows what they are doing.

      *Or download someone else's repackaging of it, like Chromodo.

  7. It makes your apping app APPIER! by Anonymous Coward · · Score: 0

    Modern app appers know that only apps can app apps, so Appmodo merely apped their app by making it appier! Only LUDDITES need LUDDITE security options enabled!

    Apps!

  8. Comodo browsers have other issues by Anonymous Coward · · Score: 0

    I caught Comodo also using at least one version of either Chrome or Firefox behind the native browsers. Now, it may be only days before Comodo updates. But those are extra days exposed to potential exploits.

  9. Arch doesn't belong in that list by Anonymous Coward · · Score: 0

    Top 5 reasons why Arch Linux sucks:

    1) Lead Arch developer got his computer hacked 3 times. See: https://web.archive.org/web/20120805043450/https://bbs.archlinux.org/viewtopic.php?id=12192&p=1
    2) Unstable. Go check out Arch's forum instead of listening to the fanboys to see the enormous amount of issues.
    3) Unprofessional. Arch isn't used in any professional environment for a good reason. Made by amateurs.
    4) Community. Pretentious, trendy, ricer, hippie morons.
    5) Forum. Full of noob questions (can't help it as the majority are ex-Ubuntu users) and have you signed up for an account and seen the off-topic section? They closed it to non-members for a reason.

    1. Re:Arch doesn't belong in that list by LichtSpektren · · Score: 1

      Can't comment because I'm not an Arch user and don't know much about it, but Greg Kroah-Hartman endorses it. I assume the world's second foremost kernel hacker knows enough about its security to do such a thing.

  10. A Google Security Research.. Wait... by Anonymous Coward · · Score: 0

    Does anyone see a conflict of interest here? Fox guarding the henhouse tells other foxes to piss off.

  11. Comodo itself is lousy by Anonymous Coward · · Score: 0

    A few years ago, their SSL sales process turned into a boiler room operation; they're constantly calling my customer base and using less-than-savory methods to try to trick people into thinking they need to execute renewals with them (not unlike getting a domain registry letter in the mail from a registrar that isn't your actual registrar trying to fool you into renewing with them).

    They're aggressive about it, and somewhat evil ... so not shocked to hear that they have other issues.

  12. The company behind forged certificates?? by Billly+Gates · · Score: 2

    Wasn't this the company who gave us forged compromised certificates last year that installed malware on some PCs and phones?

    They use a Lenovo style spearfish SSL MITM and replace legitimate certificates with their own. Gee no security problem with that. Kaspersky does the same too until you tell it not to scan HTTPS connections.

  13. It's why hosts = superior to antivirus by Anonymous Coward · · Score: 0

    See subject: Hosts = more speed, security, reliability, & anonymity doing FAR more for FAR less w/ what you natively have (less IS more GOOD engineering minus complexity):

    APK Hosts File Engine 9.0++ SR-4 32/64-bit:

    http://www.start64.com/index.p...

    * Superior to antivirus (Symantec ADMITS isn't effective anymore vs. modern threats) + it's NOT AS REACTIVE & far more PROACTIVE - & yes, their browser attempts too!

    HOSTS BLOCK SOURCES OF MALWARE & BOTNETS BEFORE YOU CAN TOUCH THEM!

    (& you can't be hurt by what can't get to you in the 1st place!)

    Hosts (unlike antivirus slowing you) speed you up 2 ways:

    1.) Adblocking, a major infestor itself in ads that slows you down too

    +

    2.) Hardcoded favorite sites where you spend MOST time online @ the TOP of hosts cached in RAM for fastest possible resolution (faster vs. remote DNS & hosts prevents exploits there avoiding dns a GOOD 95++% of the time)

    ---

    Obtains threat & adblocking data from 10 reputable security community sites!

    Hosts beat browser addons by FAR in abilities & for LESS resource use in CPU/RAM by far!

    E.G. - UBlock Origin lately using hosts data (imitation's sincerest form of flattery & falls short - it's no resolver: Hosts is & blocks DNS redirect poisoning of which 99.999% of ISP DNS are NOT patched vs. & makes your connection faster + more reliable resolving locally from RAM not just blocking ads for speed & hosts work 1st in kernelmode not slower usermode (1st resolver used))

    Hosts != clarityray detectable/blockable like browser addons - it's no browser addon!

    APK

    P.S.=> Hosts = something OLD = "the way of the future" on grounds I note + hosts' superiority to inferior, crippled, redundant, bloated wasteful slower usermode browser addons (vs. even firewalls' layered filtering drivers & MORE EFFECTIVE as hosts combat what malware uses - host/domain names MOST vs. IP addys) prove it... apk
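The post above describes two things a hosts file can do: blackhole known ad and malware domains so the browser never reaches them, and pin frequently used sites at the top so they resolve locally without a DNS round-trip. As an added example (not APK's tool, nor any code from this thread), here is a small Python generator that merges blocklist sources in the formats such lists commonly use, pins favourites, and resolves names against the result the way a first-match hosts resolver does. The blocklist sources, hostnames and IP addresses below are constructed sample data.

```python
"""Added example, not from the thread or from the APK hosts tool: merge blocklist
sources into a hosts file, pin favourite sites above the blackholed entries, and
resolve names against it. All sample sources, hosts and IPs are constructed."""

import re

# Hostname syntax check: 1-63 char labels, no leading/trailing hyphen, at least one dot.
_DOMAIN_RE = re.compile(
    r'^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$')

# 0.0.0.0 is non-routable, so a blocked lookup fails immediately instead of
# connecting to whatever happens to listen on 127.0.0.1.
BLACKHOLE_IP = "0.0.0.0"

# Constructed sample blocklist sources, in the formats such lists commonly use:
# bare domains, "<ip> <domain>" hosts-style lines, comments and junk.
SAMPLE_SOURCES = [
    """# sample list A (constructed)
0.0.0.0 ads.example
127.0.0.1 tracker.example  # hosts-style entry with trailing comment
127.0.0.1 localhost
""",
    """# sample list B (constructed)
ads.example
malware-c2.example
not a domain!!
0.0.0.0
mail.example
""",
]

# Constructed favourites: (hostname, address) pairs pinned at the top of the file.
SAMPLE_FAVOURITES = [("news.example", "203.0.113.10"), ("mail.example", "203.0.113.20")]


def parse_blocklist(text):
    """Return the set of syntactically valid domains named by one blocklist source."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        # "<ip> <domain>" lines carry the name in the second field; bare lines in the first.
        name = parts[1] if len(parts) >= 2 else parts[0]
        if name == 'localhost' or all(p.isdigit() for p in name.split('.')):
            continue  # never blackhole loopback; skip bare IP addresses
        if _DOMAIN_RE.match(name):
            domains.add(name)
    return domains


def build_hosts(sources, favourites, blackhole_ip=BLACKHOLE_IP):
    """Merge blocklist sources into hosts-file text, favourites first.

    A pinned favourite is never blackholed, even if some source lists it:
    the pinned entry wins and the domain is dropped from the blocked set.
    """
    pinned = {host.lower(): ip for host, ip in favourites}
    blocked = set()
    for src in sources:
        blocked |= parse_blocklist(src)
    blocked -= set(pinned)
    lines = ["# generated hosts file (added example)", "127.0.0.1 localhost", "::1 localhost", ""]
    lines.append("# pinned favourites: resolved locally, no DNS round-trip")
    lines += [f"{ip} {host}" for host, ip in pinned.items()]
    lines.append("")
    lines.append(f"# blackholed domains ({len(blocked)})")
    lines += [f"{blackhole_ip} {d}" for d in sorted(blocked)]
    return "\n".join(lines) + "\n"


def resolve(hosts_text, name):
    """First-match lookup as a hosts resolver does; None means fall through to DNS."""
    name = name.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def demo():
    """Build the sample hosts file and return it (printed when run directly)."""
    return build_hosts(SAMPLE_SOURCES, SAMPLE_FAVOURITES)


if __name__ == "__main__":
    hosts = demo()
    print(hosts)
    for n in ("ads.example", "news.example", "slashdot.example"):
        print(n, "->", resolve(hosts, n))
```

Two details matter in practice: validate every name before writing it, since an unparsed junk line in a hosts file can silently break resolution for the lines after it on some resolvers, and keep pinned entries above the blackholed ones, because hosts lookup is first match and a favourite that also appears in a blocklist would otherwise be blackholed.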

    1. Re:It's why hosts = superior to antivirus by Anonymous Coward · · Score: 0

      One post is good, APK. Stop there and you'll get more respect.

  14. I get /. registered users' respect, quoted by Anonymous Coward · · Score: 0

    See subject & quotes of them (& don't downmod me minus proving me validly technically wrong, & I don't post again running trolls out of abused modpoints):

    "his hosts program is actually pretty good" - by xenotransplant (4179011) on Monday August 10, 2015 @03:34PM (#50287195)

    "his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources" by alexgieg (948359) on Friday September 25, 2015 @09:57AM (#50596461)

    "I like your host file system." - by Karmashock (2415832) on Wednesday September 09, 2015 @03:57PM (#50489401)

    "No complaints from me, I like APK's spam. Reminds me to use a host file. Also, his stuff is free." - by aaaaaaargh! (1150173) on Tuesday November 17, 2015 @09:31AM (#50947415)

    "APK is kinda right... I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works." - by bmo (77928) on Thursday October 15, 2015 @11:30AM (#50736071)

    "Actually, APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience in this context. Of course, your phone has to be rooted, which isn't the case with Firefox + adblock." - by chihowa (366380) on Saturday May 16, 2015 @11:40AM (#49705641)

    "In a footnote, I would like to note that I find your hosts file admirable." - by vel-ex-tech (4337079) on Tuesday November 24, 2015 @10:27PM (#50999097)

    "APK isn't wrong" - by cfalcon (779563) on Sunday October 04, 2015 @05:11PM (#50657891)

    APK

    P.S.=> I understand inferior competition's terrified of me via the fact they can't prove my posts' points on hosts superiority giving users more speed, security, reliability, & anonymity online validly technically wrong when I'm on topic!

    ... apk

    1. Re:I get /. registered users' respect, quoted by Anonymous Coward · · Score: 0

      Just go die in a fire already.

    2. Re:I get /. registered users' respect, quoted by Anonymous Coward · · Score: 0

      Why should apk do something as stupid as you did when he made you eat your words here already http://it.slashdot.org/comment... ? He burnt you so badly you might as well have died in a fire hahahaha!

    3. Re: I get /. registered users' respect, quoted by Anonymous Coward · · Score: 0

      Right. Lots of respect as if slashdotters are not only senile, but have problems comprehending what a hosts file is. Fuck him and his exe.

    4. Re: I get /. registered users' respect, quoted by Anonymous Coward · · Score: 0

      Sounds like you wish you were apk. Admit it. You do. We know it. You do deep down inside though you're loath to admit it.