Advertising Tool PrivDog Compromises HTTPS Security 95
itwbennett writes: New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users' PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.
Re: (Score:2, Insightful)
Re: (Score:3, Funny)
Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!
Re:No no! (Score:4, Insightful)
No, no, NO!
If the NSA does it, it is pure fucking evil
If a company does it, then it is the free market and you better suck it up
Re: (Score:3)
You do not have to suck it up or even like it. The idea behind a free market is that you can stay away from what you do not like and go to what you do like.
Of course if it's the only choice, it isn't a free market is it?
Re: (Score:3)
It's exactly this attitude that made ad blockers and script killers popular.
You know, if companies asked whether they may display ads and if those ads were not intrusive, in-your-face, with speakers blaring, I know a lot of people would accept it and even welcome it, as a way to award those that deserve it. You know, as in what the customer's job is in the free market, to award those that provide a service they want.
Instead you abused us long enough that we simply assumed the same position as the industry:
Re: (Score:2)
How about a three strikes law? They're really popular these days.
If your page causes three waves of infections, you're no longer allowed to be on the internet. Forever.
Re: (Score:2)
Excuse me, but I am a (web) developer! I have a right to run whatever code I want on your computer if you visit my site. You don't have the right to edit my code!
Pernicious nonsense. If you elect to put some mixture of code, markup, and art assets on a public webserver my user agent will handle the results as much in accordance with my desires as I can make it do so.
This is how the 'web' has always been supposed to work: support for flexible rendering and fallback to accommodate a variety of user agents with different characteristics and capabilities is built in(although often underused, unless one forces the issue). Were it designed to be all about you, the arra
Re: (Score:3)
I'm thinking the whole lot of yas just got trolled.
Re: (Score:2)
Pretty much this exact attitude is why the "Encrypted Media Extension [github.io]" 'spec' exists, to provide something that qualifies as 'HTML 5' (Don't call it a plugin! It's a 'Content Decryption Module' that just happens to be operationally identical to or worse than a plugin!); but allows the site operator full control over execution.
Re: (Score:2)
Yes, I am sure the OP was either be sarcastic or trolling but the reality is there are A LOT of web developers and marketing people who think that way. The most basic form of it is web pages that don't flow. Yet people build pages that force 4:3 layouts to this day, make you page through content that could easily scroll or even fit on a single page rendered on a large and hi-res display, etc.
These people do need to be named, shamed and generally rejected.
Re: (Score:2)
My personal favourite is sites that get your screen resolution and assume your browser window has the same dimensions.
My second favourite is sites that try to force every link to open in a new window. (Yes, 90+% of Chinese websites, I'm looking at you. WTF is with that, anyway?)
Re: (Score:2)
Such a system would have died pretty fucking quickly. Whether something like the web would have developed instead depends on how many patents could be abused to prevent it.
Re: (Score:2)
No, you do not. It's even debatable whether you may try. You may refuse to deliver the content I request if I do not comply with your requirements to do so, but that's pretty much all you may.
Re: (Score:2)
Well, that's the joke about this product: well... they replace them with other ads.
to make money for themselves?
what's the fucking point for the consumer?
Re: (Score:2)
Nobody deserves to earn money. Here I am, punching you in the face, so why don't you pay me?
Provide something I want then you may ask me to pay for it so I may use it. You may earn my money provided you give me something that I deem of equal or higher value.
Re:all ads are malware (Score:4, Funny)
Re: (Score:2)
also anything which allows ads is too.
Please don't dilute serious concerns with this hyperbole.
Re:all ads are malware (Score:4, Insightful)
"Adware is malware with better lawyers"
said @axeexcess on the Twitter
Comodo are the biggest Cert issuer (Score:5, Interesting)
Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates. TLS hands trust over to a third party, and in this case that third party is Comodo.
People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk. The answer is simple, the certificate authorities sign their keys as valid. Making ALL https sessions vulnerable to a man-in-the-middle attack.
We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past. So we need to constantly be handing out public keys, and each and every end slot needs to store and track these public keys, warning us when they change. That way an attacker needs to man-in-the-middle *EVERY* communication, *ALL* the time, via *EVERY* route, and if they tried to use different keys per user then they'd need to perfectly identify every user. Which is impossible.
Likewise if they used one public key per site, then they'd need to identify every sysadmin for the site, who would notice their keys are intercepted. They'd need to provide uninterrupted keys for just those users.
We need to remove the certificate authorities, because they are the weak link in secure comms.
Re:Comodo are the biggest Cert issuer (Score:5, Insightful)
Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.
Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.
Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.
People wonder how come NSA/GCHQ are able to intercept HTTPS connections so easily and in bulk.
Only the ignorant wonder that, just because you do, doesn't mean everyone does.
We need to remove the whole signing process and replace it with *time*. The one thing an attacker cannot do is go back in time and change a key exchanged in the past.
You don't have any idea how this system works currently, do you?
You want the websites to tell you their public key information, and for everyone else on the Internet to remember it and tell you when it changes ...
or ...
you could just learn what certificate pinning is.
We need to remove the certificate authorities, because they are the weak link in secure comms.
So you want me to ask Google what Google's public key is and then trust whatever I get sent is actually the public key, with no verification of that, other than it came from the request I sent asking Google for their public key. So ... then the NSA just returns a key that says it's Google and intercepts the traffic.
The certificate authorities' purpose in life is to provide 3rd party verification of certificates in an automated way. What you want is to remove all of that, and do it ad-hoc, by everyone on the Internet. Slashdot doesn't allow posts long enough for me to explain all the ways why that's exactly the opposite of an actual solution.
'Web of trust' doesn't work, we know this because NO ONE FUCKING USES IT BECAUSE IT'S TOO MUCH FUCKING EFFORT. END USERS DON'T GIVE A FUCK about verifying every cert they see and will just click Ok/Next/Allow. THAT is WHY we use certificate authorities.
You are proposing nothing new. It's been done, and it's failed repeatedly.
Certificate authorities ARE the solution you want, the problem is, no one actually cares enough about security to blackball the certificate authorities that aren't trustworthy (i.e. all of them), which means they certainly don't care enough to deal with the method you propose.
Re: (Score:2)
the key you received in 2005 is the key you use in 2015
Unless the other endpoint was compromised at some point and legitimately changed their key as a mitigation measure. Solve that problem and we'll be in agreement.
Re: (Score:2)
You can change your key, but everyone is made AWARE the key has changed and you have to INFORM them why it changed and for what reason and they have to accept it or not.
Or, someone else changes the key, MITM's the site, injects a brief explanation of why the key was changed into a banner on the page (oh, but you have to accept the new key in order to see that, assuming the site uses SSL everywhere as it should) or spoofs an email with the explanation, or spoofs a social media campaign with the explanation, whatever.
Maybe they target an individual user, that user gets the spoofed email and sees the spoofed tweets, and accepts the new key. Company would never be the wiser,
Re: (Score:2)
I disagree. The web of trust only didn't work in the past because it wasn't automated. While I agree the abolition of certificate authorities is the wrong idea, blindly trusting them is equally wrong.
I like the solution that looks to see if a particular connection is suffering from a MITM. The Perspectives plugin for browser does something like this. It is interested in not only if the certificate you received is valid, but also if the certificate you receive is the same certificate that several other peopl
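The multi-vantage check the comment above describes (compare the key you were handed with what several other observers have seen for the same host, and for how long) can be sketched as a small notary-quorum function. This is an added example written for this page, not code from the Perspectives plugin or from any project in the thread; the notary names, the quorum threshold, the minimum-history rule and the key blobs are all constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
KEY_SITE = b"constructed-spki-example-site-key"
KEY_MITM = b"constructed-spki-interceptor-key"


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the public key bytes, hex-encoded; what observers compare."""
    return hashlib.sha256(spki_der).hexdigest()


def notary_verdict(client_fp: str, observations: dict, quorum: float = 0.6, min_days: int = 7) -> str:
    """Compare the key the client received with what independent observers saw.

    observations maps a notary name to (fingerprint_it_saw, days_seen_continuously).
    Returns "consistent", "mismatch", "inconclusive" or "recent-key".
    """
    if not observations:
        return "inconclusive"
    counts = Counter(fp for fp, _ in observations.values())
    majority_fp, votes = counts.most_common(1)[0]
    if votes / len(observations) < quorum:
        return "inconclusive"            # the observers disagree among themselves
    if client_fp != majority_fp:
        return "mismatch"                # we were handed a key the rest of the net does not see
    history = [days for fp, days in observations.values() if fp == majority_fp]
    if min(history) < min_days:
        return "recent-key"              # agrees, but the key is too new to have earned trust
    return "consistent"


def scenarios() -> dict:
    """Constructed observation sets covering the four outcomes."""
    site_fp = spki_fingerprint(KEY_SITE)
    mitm_fp = spki_fingerprint(KEY_MITM)
    stable = {"notary-a": (site_fp, 30), "notary-b": (site_fp, 45), "notary-c": (site_fp, 60)}
    fresh = {"notary-a": (site_fp, 2), "notary-b": (site_fp, 3), "notary-c": (site_fp, 4)}
    split = {"notary-a": (site_fp, 30), "notary-b": (mitm_fp, 1)}
    return {
        # Normal case: our key matches a long-lived, widely observed key.
        "honest": notary_verdict(site_fp, stable),
        # A local interceptor hands us its own key; nobody else sees it.
        "intercepted": notary_verdict(mitm_fp, stable),
        # Observers agree, but the key only appeared days ago.
        "new_key": notary_verdict(site_fp, fresh),
        # Observers cannot agree, so no decision should be drawn from them.
        "no_quorum": notary_verdict(site_fp, split),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The point the thread is circling is visible in the "intercepted" case: an interceptor that sits between one user and the site can change what that user sees, but it cannot change what notaries on other network paths have been recording for weeks. The "recent-key" outcome is why such systems also track duration, not just agreement.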
Re: (Score:2)
Snowden of course used PGP which uses the web of trust system, it works enough to protect Greenwald and Snowden from NSA snooping.
To be fair, Snowden and Greenwald met in person and verified their key fingerprints. While useful in many situations, the WoT was not really a factor there.
Re: (Score:2)
Comodo, not to be confused with the similarly named Komodia from yesterday, are the world's biggest issuer of SSL certificates.
Hardly. They give away a bunch of worthless email certs that aren't trusted by anyone, allow me to make wanking motions. No one that matters uses them and no browser that matters trusts their free certs by default.
Ahh, the post of someone who's riled up but doesn't actually understand what they are talking about.
Email certs != SSL server certs. Are you sure you aren't thinking about CAcert instead, which does offer free email and server certs, but which isn't included in browsers? Obviously, CAcert's lack of inclusion in browsers makes it less useful for most uses. Comodo, however, is a major certificate authority.
Various surveys, including this one [w3techs.com] (daily updates available here [w3techs.com]), scan HTTPS-enabled and report on the share of CAs.
Comodo recently overtook Symantec, which was probably helped by CloudFlare enabling TL [cloudflare.com]
Re: (Score:2)
Certificate pinning (though downright irritating if you are doing local development) really is the right solution.
Outside your bank where you probably could get a self signed key given to you when you open an account, most of us don't have a way to initially verify the authenticity of a site. We need the 3rd party CAs. No web of trust does not really work because I for one don't known enough people I trust to competently handle key signing, and transitive authorization decisions better than the CAs do.
Pin
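Several posts above argue about pinning: the proposal to remember a site's key and warn when it changes, the objection that a legitimately rotated key looks exactly like an interception, and the reply that certificate pinning already exists. An added example, not code from the page or from any browser or project it mentions, of a pin store that resolves that objection the way HTTP Public Key Pinning did: a site may rotate only to a backup key it pre-announced over a connection that already passed the pin check. The host name, the key blobs and the "advertised pins" channel are constructed assumptions.

```python
import hashlib


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 of the DER-encoded public key; the unit that gets pinned."""
    return hashlib.sha256(spki_der).hexdigest()


class PinStore:
    """Per-host SPKI pins, learned on first use, rotated only over a verified connection."""

    def __init__(self) -> None:
        self.pins: dict[str, set[str]] = {}   # host -> {current pin(s) + pre-announced backup(s)}

    def check(self, host: str, chain_spkis: list, advertised_pins=()) -> str:
        presented = {spki_fingerprint(s) for s in chain_spkis}
        advertised = set(advertised_pins)
        known = self.pins.get(host)
        if known is None:
            # Trust on first use: remember what we saw plus any backup the site announced.
            self.pins[host] = presented | advertised
            return "pinned-on-first-use"
        if not (presented & known):
            # Nothing in the chain matches the current key or a pre-announced backup.
            # Critically, the store is NOT updated, so an interceptor cannot "rotate" us.
            return "pin-violation"
        # The connection passed the pin check, so its pin announcement is trustworthy.
        # Accept it only if it is self-consistent: one pin must match the chain in use
        # and at least one must be a backup not yet deployed (HPKP's two-pin rule).
        if advertised and (advertised & presented) and (advertised - presented):
            self.pins[host] = advertised
        return "ok"


def scenario() -> list:
    """Constructed sequence: first use, interception attempt, legitimate rotation, stale key."""
    key_a, key_b, key_c = b"constructed-key-A", b"constructed-key-B", b"constructed-key-C"
    key_m, key_x = b"constructed-interceptor-key", b"constructed-interceptor-backup"
    fp = spki_fingerprint
    store = PinStore()
    host = "example.test"
    return [
        # Day 0: the site is seen for the first time with key A and announces backup B.
        store.check(host, [key_a], [fp(key_a), fp(key_b)]),
        # An interceptor presents its own key M, and even "announces" its own backup.
        store.check(host, [key_m], [fp(key_m), fp(key_x)]),
        # The site rotates to the pre-announced backup B and announces the next backup C.
        store.check(host, [key_b], [fp(key_b), fp(key_c)]),
        # The retired key A reappears: after rotation it is no longer pinned.
        store.check(host, [key_a], [fp(key_a), fp(key_b)]),
    ]


if __name__ == "__main__":
    print(scenario())
```

The attacker in the thread's scenario (spoofed email, spoofed tweets, a banner explaining "why the key changed") never gets a chance to present that explanation through the pinned channel, because the only path that can update the pin set is a connection that already matched it. The remaining weakness is the first-use step, which is where a CA-signed certificate still does useful work.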
Re: (Score:2)
Still, I trusted them and PrivDog on an older system I used to run, based on good ratings. That and I used Comodo Dragon for a little while so I wouldn't be spied upon.
Turns out I had been had.
Yes Comodo had a good name to it until today. Shame on you!
Re: (Score:2)
based on good ratings
There's your problem. People rating apps generally haven't performed security audits.
Re: (Score:2)
I used av-totals. They are a professional certification group.
Re: (Score:2)
As near as I can tell, av-totals is just measuring how effective things are in terms of antivirus. They don't appear to be analyzing the AV software itself for security problems such as the bogus cert. That's not a fault with them -- that's expecting them to be doing something they aren't claiming to do.
Comodo, shame on you! (Score:2)
...insecure HTTPS traffic interception ... an advertising product with ties to security vendor Comodo...
Comodo is a vendor that I [currently] rely upon for my PC firewall and my SSL certificates.
So, on one hand, I'm looking to Comodo to help me secure my computers and usage of my computers.
And on the other hand, Comodo is looking to install HTTPS traffic interceptors on my computers that increase the security vulnerability of my computers?
What frigging kind of security company is Comodo? Is Comodo a security company at all?
Re: (Score:2)
What frigging kind of security company is Comodo? Is Comodo a security company at all?
Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.
It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.
Re: (Score:2)
What frigging kind of security company is Comodo? Is Comodo a security company at all?
Google for "cheap ssl" or "discount ssl", you will see them a lot. This is the Walmart of ssl.
It does not mean their certificates are not good, but buy a certificate from them and see the crappy online account management (a friggin popup that gets blocked by most browsers) and a flood of "special offers" in your inbox. Low-rent.
Who buys certs direct from Comodo? I always get them via a reseller like NameCheap. The NameCheap user interface is halfway decent: no need to deal with Comodo online management, popups, etc. I've never gotten any "special offers" or unwanted mail as a result of buying their certs. Your mileage may vary, of course.
But yeah, they're cheap, widely trusted by browsers, and generally work well. They're also the only CA I know that issues ECDSA certs from an all-ECDSA root/intermediate chain at a reasonable pric
Re: (Score:2)
I'll give you a multiple-choice question.
Security companies want to:
a) Keep you secure.
b) Make more money.
Just put your pencil down when you're done.
Let me get this straight (Score:3)
Their product is designed to replace ads... with OTHER ads, provided by themselves. And it's not hard to imagine that cash considerations are involved with making those choices.
Even if you set aside the security implications - that is pretty much exactly the sort of sleazy behavior that has gotten quite a few companies into trouble in the past.
WAHHH, stop looking at my stuff that I put online! (Score:2)
Now AdBlock prevents shitbirds like this from benefiting from attempting to steal food from webmaster's children. Which makes it more better, right?
I would welcome AdBlock having some sort of micropayment sponsor system baked in where I could choose to support sites whose content I value. Twenty years of the web, and still nobody's figured how to make that shit work. Is Ted Nelson even still alive?
Why? (Score:2)
Re: (Score:2)
HTTPS (Score:1)
Not very secure, is it? Better make that a small s
This stuff is a placebo, at best.
Re: (Score:1)
Enough 'metadata' leaks out for all your surveillance needs. HTTPS only works if you personally know who/what is at the other end. The certs are wishful thinking. And I will maintain until the end days that publicly available crypto is a fraud. The state is way ahead in every way. The absolute worst must be assumed, and just roll with it. Not a hell of a lot can be done right now.
Re: (Score:2)
We'll always have postcards.
Circle of weeds (Score:3)
Anyone smart enough to write an HTTPS proxy able to dynamically create and sign certs surely must have known enough about underlying technology to recognize and comprehend importance of validating trust chain. How does someone innocently "overlook" this in either design or test? Simply MUST have occurred to someone.
Re:Circle of weeds (Score:5, Insightful)
It all started with corporate "enterprise" firewall vendors who saw a demand for MiTM-in-a-box from "enterprise" IT.
Corporations are notoriously uninterested in the repercussions of their actions.
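The failure the "Circle of weeds" post describes is an intercepting proxy that mints certificates for the client but never validates the chain it receives from the real server. In Python's ssl module the difference between that and correct behaviour is a couple of settings, so the following added example (written for this page; it is not PrivDog's code nor any vendor's) builds the permissive configuration beside a verifying one and audits either. The audit rules and message strings are this example's own assumptions.

```python
import ssl


def permissive_upstream_context() -> ssl.SSLContext:
    """The proxy-side client configuration the thread describes: accepts any upstream cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # chain is neither built nor checked against any root
    return ctx


def verifying_upstream_context() -> ssl.SSLContext:
    """What the upstream side of any TLS-inspecting component must look like."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, hostname check, system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions upstream
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context validates its peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: upstream chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def relay_decision(upstream_findings: list) -> str:
    """A proxy that cannot vouch for the upstream must not vouch to the client either.

    Rather than presenting a certificate signed by its locally trusted root, it should
    surface the failure so the browser shows the same warning it would without the proxy.
    """
    return "mint-trusted-cert" if not upstream_findings else "refuse-or-pass-through-error"


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_upstream_context()),
                      ("verifying", verifying_upstream_context())):
        f = audit_context(ctx)
        print(name, f or "no findings", "->", relay_decision(f))
```

The consequence for the end user is the one the summary warns about: when the upstream side is permissive, every forged or self-signed certificate arriving from the network is re-signed by the proxy's own root, which the browser trusts, so the browser's warning disappears exactly when it is needed.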
Re: (Score:2)
http://en.wikipedia.org/wiki/H... [wikipedia.org]
Re: (Score:2)
"Do this HTTwhatever thingy."
"It's a bad idea for *reasons*"
"Blah blah blah do it."
"I'm not comfortable doing that, it's unethical"
"I don't give a fuck about your ethics, we pay you to code, not have ethics. Do what you've been assigned or get fired."
Sooner or later you will find a coder that wants to keep feeding his/her family and will do what's requested.
war (Score:3)
It's clear advertisement companies have declared war on us, and think any and all means are permissible. No other mindset can explain these actions. If these people would not consider us enemies, they could not possibly look at themselves in a mirror.
So when will Firefox ship with ABE (or some other fork, don't use the original AdBlock, it has been sold to an advertisement company) and default to having it enabled?
I mean, aside from the hacking and privacy issues, every time I see the Internet on a browser without ad blocker, I can't believe people endure this crap.
Re: (Score:3)
What worries me is corporations too now bust SSL as well to spy on employees.
Now since the cat is out of the bag this may be common. This will kill all commerce on the web as payment processing companies' insurance plans won't insure online transactions without proof of a true encrypted connection.
This in turn will devalue the online advertisement market if people stop buying shit online.
We need to stand up and do something and real advertisers need to step in before their business models get destroyed. This
Re: (Score:2)
You don't have to wait for another major Firefox release
I agree in principle, but this is ludicrous. Firefox releases seem to be twice a week now, and we'll probably all live to see the version number overflow.
Yeah, there should be several competing plugins. But maybe FF can ask you which one you want after install, assuming that anyone with three working brain cells wants an adblocker.
Yeah, right ... (Score:2)
Now there's a big frickin' lie ... Adtrustmedia is like "MRE" (meal ready to eat) ... it's three lies in one.
There simply is no entity involved in advertising who you should be trusting.
Assume they're all greedy sociopaths, and just save yourself the time.
This is precisely why I feel no guilt about blocking ads ... because I think the players are shady, and are sure
Comodo AV and IceDragon too! (Score:3)
Shoot Hairyfeet is a big proponent of them and I used to use both too.
Wow.
I hope MS decertifies all Comodo certificates. I expect a big lawsuit from this and perhaps Comodo disabling Microsoft's root certificates in return. Fun times.
Another lawsuit coming up.
Re: (Score:2)
It's a bit of a shame since Comodo Dragon was my favorite Chrome-but-not-actually-Chrome browser. However this and them dragging their feet on updates means I'll be switching to something else.