This has been a bad week for the Secure Sockets Layer, and the news just keeps getting worse. Comodo issues around one in every three SSL certificates currently in use and, until now, had a sterling reputation as a trusted provider. It turns out that reputation may not be deserved: its Internet Security 2014 suite ships with an application called Adtrustmedia PrivDog, enabled by default. Like SuperFish, PrivDog installs its own root CA certificate and uses it to intercept HTTPS connections so that it can insert customised ads. Worse, because it replaces each site's certificate with one signed by that local root, it can also turn invalid HTTPS certificates into valid ones. That means an attacker can present a spoofed certificate for your bank, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid, secure connection to the site.
The only good news in The Register's article is that this specific vulnerability is present only in PrivDog versions 3.0.96.0 and 3.0.97.0, so its distribution is limited. Far more depressing is what it says about the whole SSL certificate model: even a company whose entire reason for existing is issuing the certificates that assure your security saw nothing wrong with bundling a man-in-the-middle into its own software.
Update: The Register's article was originally based on research by Hanno Böck, who described PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog, only the browser-extension version, which was never vulnerable to this TLS interception bug.
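If you want to check a Windows machine for this class of problem, the tell-tale sign is a root CA whose private key lives on the PC: a genuine public root never has its key on an end user's machine, but a local interception proxy of the PrivDog or SuperFish kind must, because it signs a fresh certificate for every site you visit. The script below is an added example, not code from the article, from Comodo or from Adtrustmedia; the name pattern it matches on is an assumption, since the page does not give the exact subject name of the PrivDog root.

```powershell
# Added example: enumerate root CAs on a Windows box and flag the ones that
# look like local TLS-interception roots. Not the article's or the vendor's code.
#
# Two heuristics:
#   1. HasPrivateKey   - a public root CA never ships its private key to your PC;
#                        an ad-injecting proxy must have it to mint certs on the fly.
#   2. Subject pattern - names associated with this kind of software.
#                        The pattern is an assumption; adjust it to what the
#                        vendor actually called its root.
$SuspectNamePattern = 'PrivDog|Adtrustmedia|Superfish|Komodia'

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$findings = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        if ($_.HasPrivateKey)                      { $reasons += 'private key present on this machine' }
        if ($_.Subject -match $SuspectNamePattern) { $reasons += 'name matches a known ad-injection root' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Once a hit is confirmed, uninstall the proxy software first, then remove the
    # root (run elevated for LocalMachine stores):
    #   Get-ChildItem Cert:\LocalMachine\Root\<THUMBPRINT> | Remove-Item
} else {
    'No root certificate with a local private key or a suspect name was found.'
}
```

Two caveats. HasPrivateKey only sees keys held in Windows key storage, so a proxy that keeps its signing key in its own file would pass the first check, which is why the name pattern is there as a second net. And remove the root only after uninstalling the software that installed it: while the proxy is still intercepting, every HTTPS site will throw certificate errors because the proxy keeps re-signing with a root the browser no longer trusts.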
"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.
Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."
Here is some more Tech News from around the web:
- AMD previews Carrizo APU, offers insights into power savings @ The Tech Report
- Amazon tries to patent 3D printers on trucks @ The Register
- Mozilla Firefox 36 is second major browser to bring HTTP/2 @ The Inquirer
- Samb-AAAHH! Scary remote execution vuln spotted in Windows-Linux interop code @ The Register
- JEDEC publishes eMMC 5.1 standard @ DigiTimes
- Red Hat: Traditional virtualisation isn't going anywhere @ The Inquirer
FFFFFFFFFFFFFFFFFFUUUUUUUUUUUUUUUU
Seriously Comodo, what the fuck? Guess nobody can be trusted anymore.
Maybe more of these getting fried for doing this shit will make others think twice.
I guess you could say that this proves that Internet Security is all SuperFish-ial 😀
I see what you did there.
It's the ad pushers, and even the start menu (Pokki Start Menu) folks: anywhere those ad pushers can get a look-see at your metrics, damn personal privacy and the constitution, those ad pushers and their sponsors want all your secrets, the better to manipulate you with! Time to stop all the bloatware/spyware madness. More ads and crapware pushing; even Google's search results are crap for any sort of productive searching, due to the gaming of search results by the ad pushers. Really, the entire internet and its ecosystem is so clogged up with marketing plaque that the veins of the internet are about to explode. So much for the original dreams of the internet as a betterment of humanity; it's more of a Mos Eisley, "You will never find a more wretched hive of scum and villainy", out there on the internet. To hell with all you ad rats and your plague of annoyances, spying, and outright thievery!
Well, this is what inevitably happens when one puts one’s security in the hands of others, while blindly trusting their motivation and competence to keep one safe.
As I've said before, so often that everyone is sick of reading it in my posts, one should approach all online activity as if you were shouting it out loud while standing in a popular public park. Expect that level of privacy and security in everything you do.
Don't worry,
they're still trying to get a SOPA/CISPA bill through. Then the government will fix it all.
The worst offense here is using that terrible shot of Picard. Grab an HD screenshot off the Blu-ray or Amazon Prime!
Well, you just run down there to where Sir Patrick Stewart is performing one of the Bard of Avon's many good works. Yes, let's have the good Sir don the Star Trek garb with the captain's pips and bend down with a double-handed facepalm and wrenched gut, in true thespian fashion, and be sure to rent the appropriate set pieces and have the lighting director work his or her magic, all while using the best Red/other super-uber-duper high-resolution camera. While you are at it, get various single-facepalm shots of varying magnitude, so that there will be some shutter stock to suit your exacting needs for all manner/degrees of cockups in the future!
Number One: please could you get me an Earl Grey, hot, with Alka-Seltzer, and could you, Chief O'Brien and Lieutenant La Forge, please shut Data off; he's spouting ads for feminine hygiene products and Viagra!! What was Starfleet thinking when they purchased that security software from the Ferengi!
Edit: Number One:
Captain Picard: Number One!
It's the Captain, not the first officer, doing the ordering, and such!
While it's still unclear how many copies of versions 3.0.96.0 and 3.0.97.0 are currently online, Comodo's reputation will hardly recover from this.