SSL-busting adware: US cyber-plod open fire on Comodo's PrivDog

The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo. Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog. What is PrivDog? Let's allow the US Computer Emergency …

  1. Neil Barnes

    Irrespective of any MITM issues

    What on earth persuaded the makers that software to interrupt your browsing to insert advertisements was a good idea?

    (Yes, this is my rant of the month.)

    1. Bronek Kozicki

      Re: Irrespective of any MITM issues

      money, money, money ... makes the world go round.

      Software companies sell your security and privacy for a few bucks more from the advertisers.

    2. Anonymous Coward

      @Neil Barnes - Re: Irrespective of any MITM issues

      You're so naive! They are fully aware that nobody likes advertisements but they don't care much. Could it be:

      a) - money

      b) - money

      c) - all of the above ?

      1. Anonymous Coward

        Re: @Neil Barnes - Irrespective of any MITM issues

        d) because - Fuck You ... snooooort ... YEAH!

  2. Rabbers

    Don't content writers usually get a share of the ad revenue?

    It's very cunning how Comodo put a positive spin on replacing ads that pay for content with ads that line their own pocket. This is massively underhanded.

    Does anybody know if they *only* replace malicious ads, or do they replace them all?

    1. Roland6

      Re: Don't content writers usually get a share of the ad revenue?

      Given that many websites currently detect AdBlock, I presume that it will soon be just a matter of time before many more websites will detect (and flag) the use of ad/content replacement/substitution tools. Certainly where a site earns revenue from the ads served I would be looking into this as a revenue protection issue.

      1. Eddy Ito

        Re: Don't content writers usually get a share of the ad revenue?

        Isn't this essentially theft of service? A website provides useful content and uses ads to support that content but if a MITM is blocking the ads that pay the website and substituting ads that pay the MITM it seems to be a clear case of theft.

  3. Anonymous Coward

    If things like this happened in the real-world...

    If things like this happened in the real-world then we could look forward to Comodo executives being bumped off flights with no compensation because someone else bought a ticket for the same seat later on.

    1. Anonymous Coward

      Re: If things like this happened in the real-world...

      But when told of that, wouldn't Comodo execs just fire back and REbuy the seat, perhaps at an extra premium? After all, what's good for the goose is good for the gander. You bump me, I'll bump you right back.

  4. JimmyPage

    If I were a layman

    I'd say the concept of a "trusted" certification authority is bust. Which means SSL is bust.

    Anyone care to correct me - as a layman.

    1. Joe Harrison

      Re: If I were a layman

      It was only nasty cheapo SSL certificates which were busted. Up until now this was fixed by extra-cost extra-trustworthy certificates which displayed a green splodge for higher security.

      Unfortunately the extra-cost certificates are now busted as well, but don't worry as you will soon be able to get extra-extra-cost certificates with a gold splodge.

    2. Lee D

      Re: If I were a layman

      I never got why we need a CA anyway.

      If I trust Facebook, then I trust Facebook. I don't necessarily trust every website ever created by anyone who's bought a certificate from the supplier that Facebook's bought their certificate from.

      The CA is merely convenience in the process so that the first time I go on B&Q.com, I don't have to guess whether or not I can trust the certificate.

      But a browser that "accepts" the first certificate it sees for a domain and remembers it forever after, that will flag if the cert changes or expires, more than fulfills most of the issues. We already do this for SSH, for instance.

      Tie it in with a DNSSEC system where the authoritative, untamperable DNS response for a website includes a proof-of-certificate and you pretty much wipe out the CA's function entirely. We already do this for email (DKIM, etc.).

      To do this for websites isn't that much more of a push forward, and now we have the impetus.

      Key security should be in the DNS, and should be tied - the .uk root should be saying THIS is the cert for the .co.uk TLD and it's the only one I specify. And then when asked, .co.uk will say THIS is the cert for the facebook.co.uk site (and here's the IPv4 and IPv6 addresses). And then Facebook can specify what THEY want under that domain as required. All signed, all authorised, back to the root.

      1. regadpellagru

        Re: If I were a layman

        "I never got why we need a CA anyway.

        If I trust Facebook, then I trust Facebook. I don't necessarily trust every website ever created by anyone who's bought a certificate from the supplier that Facebook's bought their certificate from.

        SNIP

        Key security should be in the DNS, and should be tied - the .uk root should be saying THIS is the cert for the .co.uk TLD and it's the only one I specify. And then when asked, .co.uk will say THIS is the cert for the facebook.co.uk site (and here's the IPv4 and IPv6 addresses). And then Facebook can specify what THEY want under that domain as required. All signed, all authorised, back to the root."

        Actually, I don't think security by network (which seems to be your point) is enough. After DNS is secured, you have to secure the transport, and the physical layer etc ... Long efforts before you're SURE www.facebook.com is really facebook.

        SSL took the approach of end to end cryptography, which is desirable and good.

        The only problem is there is a gap: all CAs are hard coded in the browser and no user ever looks at them (they're so obscure ...) and there is no secure directory service. That's the current security hole exploited by Superfish and its siblings and the real shortcoming of SSL.

        1. Robert Helpmann??

          Re: If I were a layman

          As long as people use this practice of 'breaking the chain of trust' there are bound to be some who implement it utterly wrong.

          In other words, as long as it is possible to exploit this, someone will. Not exactly deep wisdom, but true nonetheless. It seems it is past time to plug this gap.

        2. Charles 9

          Re: If I were a layman

          You just hit a HARD problem in computer security. It basically boils down to a question of "Who can you trust?" Because the first rule to having ANY form of trust system (chain, web, et al) is the need to trust someone or something; IOW, someone has to play the role of Trent. Only problem is, given sufficient resources, Mallory (or Gene) can impersonate anyone: including Trent. So ask yourself, "What now?"

  5. the idiotuk

    What about other adblockers? What about Adblock? How is it different?

    1. naive

      What about designing legislation that can be used to put these white collar criminals, who produce and sell this malware, for years in the slammer.

    2. Eddy Ito

      Other ad blockers block ads. When you go to your bank's website with other ad blockers you're pretty sure you're connected to your bank as the bank's certificate is trusted. This acts as a proxy and uses its trusted certificate to tell you that the bank's certificate is legit. The problem is that it doesn't actually care if the certificate is actually legit. If it's not your bank's website and is actually a clone made by some guy sitting in Lagos with a laptop that you're giving your bank credentials to, well the proxy is ok with that because it didn't check to see if Mr. Lagos' certificate was valid.

      1. Anonymous Coward

        Adblock Plus headed down the same road when they started whitelisting ads for a price. Hence all the forks like Adblock Edge. Some do what they say... and some are out to trick unsuspecting users.

    3. This post has been deleted by its author

  6. Mark Allen

    Does IBM's Rapport spot this?

    With all the UK Banks keen to install IBM's Rapport thing if you do online banking, does that flag up these advert SSL MITM attacks? Does that stop the user from doing online banking if Superfish, PrivDog, etc are installed?

  7. Anonymous Coward

    Funny

    Isn't it funny how anti-crap software always morphs into the opposite?

    And SSL is so awesome, it couldn't prevent this either.

    And the company pushing SSL the hardest, which everyone loves and can do no evil, has, like Comodo, morphed into a self-perpetuating robot army that feeds on sleazy advertising.

    *sigh* Why can't we have an internet that favors decent ads, and honest search results, and privacy, and...?

    1. adnim

      Re: Funny

      *sigh* Why can't we have an internet that favors decent ads, and honest search results, and privacy, and...?

      Greed

      Being decent and honest rarely gets one a Ferrari, yacht or a Villa in the Maldives.

  8. Anonymous Coward

    Goddammit! Anyone know what the SSL cert looks like? Ironically enough, I used Comodo to block the PrivDog stuff (There's no way I'm running anything from a company called AdTrustMedia). Thought I'd got it all....

  9. Dan 55

    It looks like it's becoming unacceptable to MITM SSL connections for antivirus software. Hopefully it'll be equally unacceptable to get them MITM'd at work just because you're at work.

    1. Remy Redert

      Let's be fair here. Implemented properly a local MITM does not need to constitute a security risk. But the software doing it needs to check the validity of certificates and either block untrusted ones and inform the user or pass untrusted certificates straight to the browser for it to handle.

      1. Dan 55

        I'm sure it is possible to set up a local MITM properly, it doesn't change the fact that if I log onto my bank at lunchtime then everything I read or key in may be taken down as evidence and used however the local BOFH sees fit.

        1. Anonymous Coward

          Then that should tell you you shouldn't be banking on the company network. Their network, their rules. Pretty sure they spelled that out when you started working there. Indeed, given the Verizon deal, since none of us lay down our own cabling direct to where we communicate on a regular basis, we are basically at the mercy of whoever provides the pipes.

          1. Anonymous Coward

            I think that any company that intercepts your login and session with your bank is or should be committing a crime. If the company needs to prevent you from doing this kind of thing from the office then it should block the connection rather than snoop on it.

            1. Anonymous Coward

              But how can the company know what to block and what not to block without snooping? And don't mention whitelists and blacklists given that whitelists can go stale as sites relocate and blacklists can be end-run around by using a proxy located elsewhere.

            2. Adam 1

              There are lots of banks. There are even more providers that you are arguing should be blacklisted.

              So who maintains the list? That list will get big for an enterprise running in 50 countries.

              Much easier to just tell people it is not permitted and may be monitored. If you know the risk and do it anyway, that is your fault.

        2. obrien

          It depends on what country you are in but that could be illegal. In some countries your company is not allowed to MitM certain sites like banking, healthcare, etc. But SSL scanning is important - there's malware that uses HTTPS simply because so many organisations do not MitM it for malware scanning. SSL scanning on sites like dropbox, etc, is critical.

    2. Adam 1

      Their tools their rules.

      If I want to create my own fake root cert and install it on my own box and inform anyone who uses my box that I can record any traffic going to the web, that is my prerogative.

      I don't see any difference between me doing it for personal reasons and a company doing it for security reasons.

      If you want to use a personal service, use hardware you own, not mine.

  10. John H Woods

    Passing off

    I still can't understand why this isn't passing off. IANALBIPOOTI and I believe that Reckitt & Colman Products Ltd v Borden Inc established that there are three criteria: the trader enjoys some goodwill; there is some misrepresentation by a third party; and the trader suffers damage to the aforementioned goodwill.

    OK, so HSBC has some goodwill. Yes they launder drug money; help people evade taxes and charge you a fortune for incurring a small overdraft. But nevertheless, you trust them not to hand over your account to a third party for them to do as they will.

    When you https:// to hsbc.co.uk, you are using their goods and services, to wit, their online banking facility. Part of that service is your assurance that you are connected to HSBC before you start typing the sort of stuff you really want to remain private. When you see the padlock in the address bar, you believe that you have a connection to an entity whose identity is assured by another entity that can be trusted to assure that identity. Any software that presents you with an MITM certificate for hsbc.co.uk signed by one of these dodgy outfits who have installed a bogus (yes I really think that's the word) root cert is surely passing off their own certificate as the certificate which has been presented to you by the organisation you think you are connected to?

  11. Mark 85

    I'm not a Sysadmin or Security Expert

    But... would deleting all the certs (except the required MS ones) and starting over create a problem? I just found a pile of Comodo certs.... <sigh> Not sure how they got there, but this does raise my curiosity level. I found these in both Firefox and IE... I also see them at my work place.

    1. Anonymous Coward

      Re: I'm not a Sysadmin or Security Expert

      I seem to have 3 Comodo certificates. All 3 are "COMODO x Certification Authority"s, where x is either empty, "ECC" or "RSA".

      I certainly wouldn't suggest deleting all of your certificates except the MS ones. Most of the certificates that you encounter online are signed by someone besides MS. I seem to have a lot more TRCAs than I remember (100-200 now) and a lot of them look particular to certain countries. (Just glancing through, I see a Greek one, a Finnish one and a couple Chinese ones.) If you're really worried about having some bad certificates, be sure to export them before deleting them. That way when you discover that you really needed one of those, you can add it back.

  12. Anonymous Coward

    He said...

    « Amichai Shulman, CTO at Imperva, commented: “As long as people use this practice of 'breaking the chain of trust' »

    A chain of trust that can be broken (so easily) is not a chain of trust at all.

  13. pierce

    chain of trust? more like chain of fools (cue up the Motown...)

  14. TheWizechatMgr

    So it works

    Just like zScaler with the MiM certificate. The only thing zScaler probably does right is they don't add any additional ads, yet...

  15. This post has been deleted by its author

  16. Al fazed

    Short term memory loss

    Hmmm, no comments above about Comodo being hacked a couple of years back when the perps made off with, amongst other things, an unknown number of legal SSL certs, which have been used to bypass browser security.

    Did they ever find out who did this ?

    Here they go Comodo issuing useless certs ?

    Comodo inserting ads !

    Why on earth anyone is still using the company and their products defeats my imagination.

  17. adam payne

    I like the Comodo Firewall and have been using it for years but with everything I install it's a custom installation. I never install all the optional extras and I'm disappointed in Comodo for dumping lots of extra and unwanted things in the installer.
