Slashdot Mirror


Chromodo Browser Disables Key Web Security (thestack.com)

An anonymous reader writes: A Google Security Research update has claimed that Comodo's internet browser Chromodo, based on the open-source project Chromium, contains significant security failings and puts its users at risk. This week's Google alert suggested that the Chromodo browser – available as a standalone download, as well as part of the company's Security package – is less secure than it promises. According to analysis, the browser is disabling the Same Origin policy, hijacking DNS settings, and replacing shortcuts with Chromodo links, among other security violations.

23 of 54 comments

  1. I avoid knockoffs by LichtSpektren · · Score: 4, Insightful

    There's a lot of Chromium and Firefox clones/forks by small teams that have certain targeted goals (better UI, different default settings, etc.), but I tend to avoid them; I figure that Google and Mozilla have world-class security experts working for them, whereas these little forks, even if competently done, do not and might introduce security holes by accident.

    The same is also true for Linux distros--I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals, whereas those tiny little forks that do nothing but alter the UI probably aren't.

    1. Re:I avoid knockoffs by buchner.johannes · · Score: 1

      I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals

      Haha, no! Perhaps a few core libraries are, if you are lucky.

      whereas those tiny little forks that do nothing but alter the UI probably aren't.

      Most distros are repackaging from the larger distros (Debian, Red Hat, Arch, Gentoo, SUSE), and security-related changes go upstream and downstream (well, sooner or later). So there is no major difference in security between UI-altering ones such as Mint and Debian.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    2. Re:I avoid knockoffs by malditaenvidia · · Score: 1

      What's noteworthy about this specific instance is that Chromodo is made by Comodo, an antivirus developer, and is supposed to have a focus on security. I've never used the browser itself, but I tend to stay away from chrom* and clones.

    3. Re:I avoid knockoffs by Anonymous Coward · · Score: 1

      These browsers cannot be more secure than their upstream, unless they have further mitigations in place. The reason is that the biggest vulnerabilities are, depending on your view, 0-days or patched vulnerabilities you leave unpatched in your latest version. In the case of zero-days, minus additional mitigations, both upstream and downstream are equally affected. In the case of patched vulnerabilities, only downstream is affected.

      In the particular case of Comodo, they are two months out of date and don't have any additional mitigations I can find, other than disabling safe-browsing and substituting in their own version.

    4. Re:I avoid knockoffs by castionsosa · · Score: 1

      Precisely. A browser needs to have security patches be ready for users almost immediately, so if a downstream fork doesn't get patches propagated, it becomes a security issue in waiting.

      Because browsers are either the primary attack vector for malware, or at least comparable to Trojans, security is paramount, and firms forking a browser cannot take doing this lightly, because there will need to be maintainers who have to see what security issues are going on with the upstream and either copy code, or write code to fix them in their product.

      The "furthest" I wind up straying is using Chromium on Ubuntu. Since Chrome and Chromium have a lot of cross-pollination, a bug in one will get patched in both.

    5. Re:I avoid knockoffs by castionsosa · · Score: 1

      Red Hat and SUSE have been given FIPS/Common Criteria/EAL certification in the past. Right now, it is pending for RHEL 7.x, but it will come eventually, and this shows the OS has seen independent validation by a very expensive lab that isn't just limited to one country.

      CentOS, Oracle Linux, and other downstreams inherit this as well... maybe not the certification, but the structure.

      Debian/Ubuntu isn't a slouch either, nor are the other mainstream variants, just because there are people who actually care about security scrutinizing the distributions. They won't catch everything, but it gives some assurance that the OS will pass muster.

    6. Re:I avoid knockoffs by LichtSpektren · · Score: 1

      I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals

      Haha, no! Perhaps a few core libraries are, if you are lucky.

      whereas those tiny little forks that do nothing but alter the UI probably aren't.

      Most distros are repackaging from the larger distros (Debian, Red Hat, Arch, Gentoo, SUSE), and security-related changes go upstream and downstream (well, sooner or later). So there is no major difference in security between UI-altering ones such as Mint and Debian.

      Mint's probably not bad since it's such a large project now. But I would never use something like elementaryOS or Parsix, since I have no idea about the competence of their security teams.

    7. Re:I avoid knockoffs by LichtSpektren · · Score: 1

      Chrome and Chromium don't just have "lots of cross-pollination", they're the exact same browser, using the exact same UI and rendering engine. The only differences are that Chrome comes with proprietary media codecs, Flash, and an auto-updater.

    8. Re:I avoid knockoffs by Trax3001BBS · · Score: 2

      What's noteworthy about this specific instance is that Chromodo is made by Comodo, an antivirus developer, and is supposed to have a focus on security. I've never used the browser itself, but I tend to stay away from chrom* and clones.

      I use Comodo firewall version 5.3.176757.1236 ("if it ain't broke, don't fix it"); I've been using it for years now. Between it and my hosts file I've stopped a lot of problems others have had.

      This version is very easy to configure, has a very small footprint, and it's on top of every file that wants access. Charter.com turned MMC.exe into a keylogger; Comodo caught it, became the front program, and the scrolling stopped; you couldn't miss the event. (I bought a Straight Talk phone with a reused number flagged by Charter.com for a debit, and I had direct deposit.) It's an issue still in the process of my satisfaction.

      Just had to give a shout-out to Comodo; it's treated me very well for a long time now. As a firewall, sandbox, and a fairly decent antivirus (which I quit using long ago), it fills a small gap as well.

    9. Re:I avoid knockoffs by toddestan · · Score: 1

      Not necessarily. They can be more secure by stripping out components that might have security holes in them. Like, say, an integrated Flash player. They can add in things like built-in ad blockers. Or not trust certificates from issuers who have issued bad certificates in the past, such as Comodo.

      And then there's security through obscurity. Some potential attacks might not know what to do with a browser that identifies as "Chromodo" or "Oprah" browser. And even something as simple as recompiling the browser could defeat some attacks that depend on something being at a certain memory address.

      Though most of these browsers seem to sell privacy more than security, mostly by stripping out things like Google's tracking.

  2. What? by ArchieBunker · · Score: 4, Insightful

    A shady browser that nobody has ever heard of is insecure? Who actually finds and installs this garbage besides the clueless and elderly?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:What? by amicusNYCL · · Score: 1

      Right, all of those clueless elderly people browsing around the Comodo website trying to update their servers' SSL certificates and notice that, hey, apparently Comodo publishes a browser based on Chromium.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:What? by wbr1 · · Score: 1

      Anyone who downloads and uses Comodo products, expecting them to be secure. Since they are 3-6% below the average on catching well-known malware, I would say they are spending more time on bells and whistles to capture data or hook users into additional services than on actual security. https://www.av-test.org/en/ant...

      Where have we seen this pattern before... Norton, McAfee, AVG, etc......

      --
      Silence is a state of mime.
    3. Re:What? by amorsen · · Score: 1

      Comodo is well known for lousy security. That they're still trusted by major browsers is a miracle. Never use any of their products if you can avoid it.

      Then again, as far as I am concerned there are only two reputable SSL vendors: GlobalSign and Let's Encrypt. The rest have either issued fraudulent certificates at least once or they simply shouldn't be in the business in the first place.

      With my luck, that probably means that GlobalSign is secretly owned by North Korea and run by the Illuminati or something. Even then they'd be better than most of their competitors.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:What? by castionsosa · · Score: 1

      AV software is just for checking that box for the legal eagles. The real security comes from keeping the web browser from being hit by exploits. Toss in NoScript and AdBlock, and this will go a lot further, security-wise, than any AV product. Mainly because AV products are always trying to play catch-up, while if the malvertising doesn't make it to the browser, or get executed, even a zero-day is defeated.

    5. Re:What? by ArchieBunker · · Score: 1

      Again, who has ever heard of this company?

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:What? by LichtSpektren · · Score: 1

      Again, who has ever heard of this company?

      Americans don't know much about the Comodo browser. One of the antitrust rulings against Microsoft in Europe was that they had to provide alternative web browsers for their customers; they avoided Firefox and Chrome and instead opted to display the knockoffs like Comodo IceDragon or whatever. So this story impacts Europeans a lot more than Americans.

  3. Re:If Windows, then insecure... by hyperar · · Score: 1

    How cute, thinks privacy exists on the internet

  4. Re:If Windows, then insecure... by gestalt_n_pepper · · Score: 2

    It doesn't. But why make it easier for them? At the very least, I get to opt out of those targeted ads.

    --
    Please do not read this sig. Thank you.
  5. The company behind forged certificates?? by Billly+Gates · · Score: 2

    Wasn't this the company who gave us forged, compromised certificates last year that installed malware on some PCs and phones?

    They use a Lenovo-style spearfish SSL MITM and replace legitimate certificates with their own. Gee, no security problem with that. Kaspersky does the same too until you tell it not to scan HTTPS connections.

  6. Re:Arch doesn't belong in that list by LichtSpektren · · Score: 1

    Can't comment because I'm not an Arch user and don't know much about it, but Greg Kroah-Hartman endorses it. I assume the world's second foremost kernel hacker knows enough about its security to do such a thing.

  7. Re:Same Origin already broken in Chrome by oztiks · · Score: 1

    CORS is broken in general, and for numerous reasons, but on the client side more than the server side.

    CORS should be good. CORS could be good. But it's primitive, difficult to write with when dealing with things such as hybrid mobile development. If web services need a header acceptance policy solution, then drop the same-origin policy anyway and make it a totally separate thing. Make it so same-origin resource sharing on the local side is blocked by default, with an established white-listing system in place that also records management of how the resources are used; that would be even better!

    You can get some of that with the inspection tools in Chromium now, but it would be far better if it was more definitive, e.g. for LocalStorage we could know when requests are made rather than just seeing the variables change.
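The summary says Chromodo disables the same-origin policy, and the comment above complains about CORS; what both are really about is the browser-side check that decides whether script on one origin may read a response from another. The block below is an added example, not code from the thread, from Chromium or from Chromodo: a small Node.js model of the origin comparison and of the basic CORS response-header rules, with a `sopEnforced` switch that shows what a browser with the same-origin policy turned off would let through. All URLs, header values and the `other-site.example` / `account.example` hosts are constructed for illustration.

```javascript
// Added example (not code from the Slashdot thread, Chromium or Chromodo):
// a model of the browser's same-origin comparison and of the CORS
// response-header check performed before page script may read a
// cross-origin response. URLs and headers below are constructed.

// Serialize the origin tuple (scheme, host, port). The WHATWG URL parser
// drops default ports, so https://a.example:443/ and https://a.example/
// serialize to the same origin string.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ":" + u.port : ""}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalizeHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()])
  );
}

// Decide whether script running on pageUrl may read the body of a response
// fetched from resourceUrl. `sopEnforced: false` models a browser that has
// switched the same-origin policy off: every response becomes readable by
// every page, CORS headers or not.
function responseReadable({
  pageUrl, resourceUrl, responseHeaders = {}, credentials = false, sopEnforced = true,
}) {
  if (!sopEnforced) return { allowed: true, reason: "same-origin policy disabled" };
  if (sameOrigin(pageUrl, resourceUrl)) return { allowed: true, reason: "same-origin" };

  const h = normalizeHeaders(responseHeaders);
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao === "*") {
    // The wildcard is only honoured for requests made without credentials.
    return credentials
      ? { allowed: false, reason: "wildcard origin not valid with credentials" }
      : { allowed: true, reason: "wildcard origin" };
  }
  if (acao !== originOf(pageUrl)) {
    return { allowed: false, reason: "Access-Control-Allow-Origin does not match page origin" };
  }
  if (credentials && h["access-control-allow-credentials"] !== "true") {
    return { allowed: false, reason: "credentialed request needs Access-Control-Allow-Credentials: true" };
  }
  return { allowed: true, reason: "origin allow-listed" };
}

// Constructed scenario: a page on one site fetches, with the user's cookies,
// a JSON endpoint on another site that sends no CORS headers at all.
function demo() {
  const request = {
    pageUrl: "https://other-site.example/page",
    resourceUrl: "https://account.example/api/profile",
    responseHeaders: { "Content-Type": "application/json" },
    credentials: true,
  };
  return {
    withSop: responseReadable(request),
    withoutSop: responseReadable({ ...request, sopEnforced: false }),
  };
}

const result = demo();
console.log("SOP enforced:", result.withSop);
console.log("SOP disabled:", result.withoutSop);
```

With the policy enforced the cross-site read is refused for lack of an allow-origin header; with it disabled the same authenticated response is handed to any page that asks, which is why the summary treats a browser shipping that way as a significant failing.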

  8. Re:Chromium is malware by toddestan · · Score: 1

    Chromium is the open-source base for Chrome. There aren't really releases for it like Chrome. Most Linux distros will have a package for it, but on Windows you pretty much have to seek out and download one of the snapshots which isn't something most casual users are going to do*. So I'd assume anyone who has Chromium installed on Windows probably knows what they are doing.

    *Or download someone else's repackaging of it, like Chromodo.