Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Software The Internet

Advertising Tool PrivDog Compromises HTTPS Security 95

itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.
This discussion has been archived. No new comments can be posted.

Advertising Tool PrivDog Compromises HTTPS Security

Comments Filter:
  • Re: (Score:2, Insightful)

    Comment removed based on user account deletion
    • Re: (Score:3, Funny)

      by Anonymous Coward

      Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!

      • Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!

        Pernicious nonsense. If you elect to put some mixture of code, markup, and art assets on a public webserver my user agent will handle the results as much in accordance with my desires as I can make it do so.

        This is how the 'web' has always been supposed to work: support for flexible rendering and fallback to accommodate a variety of user agents with different characteristics and capabilities is built in(although often underused, unless one forces the issue). Were it designed to be all about you, the arra

        • I'm thinking the whole lot of yas just got trolled.

          • It's quite possible; but there definitely are web types(and, even more so, their 'content provider' masters) who think exactly this, so I was willing to take the risk.

            Pretty much this exact attitude is why the "Encrypted Media Extension [github.io]" 'spec' exists, to provide something that qualifies as 'HTML 5' (Don't call it a plugin! It's a 'Content Decryption Module' that just happens to be operationally identical to or worse than a plugin!); but allows the site operator full control over execution.
          • by DarkOx ( 621550 )

            Yes, I am sure the OP was either be sarcastic or trolling but the reality is there are A LOT of web developers and marketing people who think that way. The most basic form of it is web pages that don't flow. Yet people build pages that force 4:3 layouts to this day, make you page through content that could easily scroll or even fit on a single page rendered on a large and hi-res display, etc.

            These people do need to be named, shamed and generally rejected.

            • My personal favourite is sites that get your screen resolution and assume your browser window has the same dimensions.

              My second favourite is sites that try to force every link to open in a new window. (Yes, 90+% of Chinese websites, I'm looking at you. WTF is with that, anyway?)

      • No, you do not. It's even debatable whether you may try. You may refuse to deliver the content I request if I do not comply with your requirements to do so, but that's pretty much all you may.

    • by gl4ss ( 559668 )

      well hat's joke about this product is that.. well.. they replace them with other ads.

      to make money for themselves?

      what's the fucking point for the consumer?

    • Nobody deserves to earn money. Here I am, punching you in the face, so why don't you pay me?

      Provide something I want then you may ask me to pay for it so I may use it. You may earn my money provided you give me something that I deem of equal or higher value.

  • by Anonymous Coward on Monday February 23, 2015 @10:42PM (#49116713)

    Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates. TLS hands trust over to a third party, and in this case that third party is Comodo.

    People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk. The answer is simple, the certificate authorities sign their keys as valid. Making ALL https sessions vulnerable to a man-in-the-middle attack.

    We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past. So we need to constantly be handing out public keys, and each and every end slot needs to store and track these public keys, warning us when they change. That way an attacker needs to man-in-the-middle *EVERY* communication, *ALL* the time, via *EVERY* route, and if they tried to use different keys per user then they'd need to perfectly identify every user. Which is impossible.
    Likewise if they used one public key per site, then they'd need to identify every sysadmin for the site, who would notice their keys are intercepted. They'd need to provide uninterrupted keys for just those users.

    We need to remove the certificate authorities, because they are the weak link in secure comms.

    • by BitZtream ( 692029 ) on Monday February 23, 2015 @11:12PM (#49116807)

      Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates.

      Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

      Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

      People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.

      Only the ignorant wonder that, just because you do, doesn't mean everyone does.

      We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.

      You don't have any idea how this system works currently, do you?

      You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...

      or ...

      you could just learn what certificate pinning is.

      We need to remove the certificate authorities, because they are the weak link in secure comms.

      So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says its Google and intercepts the traffic.

      The certificate authorities purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why thats exactly the opposite of a actual solution.

      'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE ITS TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.

      You are proposing nothing new. Its been done, and its failed repeatedly.

      Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to black ball the certificate authorities that aren't trust worthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.

      • I disagree. The web of trust only didn't work in the past because it wasn't automated. While I agree the abolition of certificate authorities is the wrong idea, blindly trusting them is equally wrong.

        I like the solution that looks to see if a particular connection is suffering from a MITM. The Perspectives plugin for browser does something like this. It is interested in not only if the certificate you received is valid, but also if the certificate you receive is the same certificate that several other peopl

      • by heypete ( 60671 )

        Comodo, not to be confused with the similarly named Komodia from yesterday, are the world biggest issuer of SSL certificates.

        Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.

        Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.

        Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for mose uses. Comodo, however, is a major certificate authority.

        Various surveys, including this one [w3techs.com] (daily updates available here [w3techs.com]), scan HTTPS-enabled and report on the share of CAs.

        Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TL [cloudflare.com]

    • by DarkOx ( 621550 )

      Certificate pinning (though downright irritating if you are doing local development) really is the right solution.

      Outside your bank where you probably could get a self signed key given to you when you open an account, most of us don't have a way to initially verify the authenticity of a site. We need the 3rd party CAs. No web of trust does not really work because I for one don't known enough people I trust to competently handle key signing, and transitive authorization decisions better than the CAs do.

      Pin

    • Still I trusted them and privdog on an older system I used to run based on good ratings. That and I used commodo dragon for a little while so I wouldn't be spied upon.

      Turns out I had been had.

      Yes Comodo had a good name to it until today. Shame on you!

      • based on good ratings

        There's your problem. People rating apps generally haven't performed security audits.

        • I used av-totals. They are a professional certification group

          • As near as I can tell, av-totals is just measuring how effective things are in terms of antivirus. They don't appear to be analyzing the AV software itself for security problems such as the bogus cert. That's not a fault with them -- that's expecting them to be doing something they aren't claiming to do.

  • ...insecure HTTPS traffic interception ... an advertising product with ties to security vendor Comodo...

    Comodo is a vendor that I [currently] rely upon for my PC firewall and my SSL certificates.

    .
    So, on one hand, I'm looking to Comodo to help me secure my computers and usage of my computers.

    And on the other hand, Comodo is looking to install HTTPS traffic interceptors on my computers that increase the security vulnerability of my computers?

    What frigging kind of security company is Comodo? Is Comodo a security company at all?

    • by lucm ( 889690 )

      What frigging kind of security company is Comodo? Is Comodo a security company at all?

      Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

      It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

      • by heypete ( 60671 )

        What frigging kind of security company is Comodo? Is Comodo a security company at all?

        Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.

        It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.

        Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.

        But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable pric

    • by WD ( 96061 )

      I'll give you a multiple-choice question.
      Security companies want to:
      a) Keep you secure.
      b) Make more money.

      Just put your pencil down when you're done.

  • by 93 Escort Wagon ( 326346 ) on Monday February 23, 2015 @11:47PM (#49116977)

    Their product is designed to replace ads... with OTHER ads, provided by themselves. And it's not hard to imagine that cash considerations are involved with making those choices.

    Even if you set aside the security implications - that is pretty much exactly the sort of sleazy behavior that has gotten quite a few companies into trouble in the past.

  • "The program is designed to replace potentially bad ads with safer ones" Why would anyone choose this? I mean is this an opt-in thing, or do they just force it on you? I can't imagine anyone cognitively choosing a product that replaces ads with other ads, when there are other products already on the market that replace ads with no ads instead.
    • Why people are actually buying penis enlargement pumps? You will always find enough idiots in this world to make anyone rich, it is just a matter of reach enough of them which the web excels at.
  • Not very secure, is it? Better make that a small s

    This stuff is a placebo, at best.

  • by WaffleMonster ( 969671 ) on Tuesday February 24, 2015 @01:28AM (#49117239)

    Anyone smart enough to write an HTTPS proxy able to dynamically create and sign certs surely must have known enough about underlying technology to recognize and comprehend importance of validating trust chain. How does someone innocently "overlook" this in either design or test? Simply MUST have occurred to someone.

    • Re:Circle of weeds (Score:5, Insightful)

      by nyet ( 19118 ) on Tuesday February 24, 2015 @01:54AM (#49117291) Homepage

      It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.

      Corporations are notoriously uninterested in the repercussions of their actions.

    • by BVis ( 267028 )

      "Do this HTTwhatever thingy."
      "It's a bad idea for *reasons*"
      "Blah blah blah do it."
      "I'm not comfortable doing that, it's unethical"
      "I don't give a fuck about your ethics, we pay you to code, not have ethics. Do what you've been assigned or get fired."

      Sooner or later you will find a coder that wants to keep feeding his/her family and will do what's requested.

  • by Tom ( 822 ) on Tuesday February 24, 2015 @03:14AM (#49117513) Homepage Journal

    It's clear advertisement companies have declared war on us, and think any and all means are permissable. No other mindset can explain these actions. If these people would not consider us enemies, they could not possibly look at themselves in a mirror.

    So when will Firefox ship with ABE (or some other fork, don't use the original AdBlock, it has been sold to an advertisement company) and default to having it enabled?

    I mean, aside from the hacking and privacy issues, every time I see the Internet on a browser without ad blocker, I can't believe people endure this crap.

    • What worries me is corporations too now bust SSL as well to spy on employees.

      Now since the cat is out of the bag this maybe common. This will kill all commerce on the web as payment processing companies insurance plans won't insure online transactions without proof of a true encrypted connection.

      This in term will de-value the online advertisement market if people stop buying shit online.

      We need to stand up and do something and real advertisers need to step in before their business models get destroyed. This

  • The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia

    Now there's a big frickin' lie ... Adtrustmedia is like "MRE" (meal ready to eat) ... it's three lies in one.

    There simply is no entity involved in advertising who you should be trusting.

    Assume they're all greedy sociopaths, and just save yourself the time.

    This is precisely why I feel no guilt about blocking ads ... because I think the players are shady, and are sure

  • by Billly Gates ( 198444 ) on Tuesday February 24, 2015 @09:29AM (#49118653) Journal

    Shoot Hairyfeet is a big proponent of them and I used to use both too.

    Wow.

    I hope MS decertifies all Comodo certificates. I expect a big lawsuit from this and perhaps Commodo disabling Microsofts root certificates in return. Fun times.

    Another lawsuit coming up.

    • It's a bit of a shame since Comodo Dragon was my favorite Chrome-but-not-actually-Chrome browser. However this and them dragging their feet on updates means I'll be switching to something else.

news: gotcha

Working...