According to research by Hanno Böck, the PrivDog software intercepts every TLS certificate a browser receives and replaces it with one signed by its own root key.
That includes certificates that weren’t valid in the first place. “It will turn your browser into one that just accepts every HTTPS certificate out there, whether it’s been signed by a certificate authority or not,” researcher Hanno Böck said.
It also redirects to a web page that uses a self-signed certificate, and installs a second self-signed certificate with a 512-bit RSA key into the Windows root certificate store. All other certificates are replaced by 1024-bit RSA certificates signed by a PrivDog certificate authority created locally on the machine.
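As an added illustration (not part of the original article, and not PrivDog's or Comodo's code), the Go program below builds two certificate chains for the same constructed host name: one issued by a public root, and the one a local interceptor would substitute, using 1024-bit RSA keys and a locally generated root as the article describes. An audit function then flags what an endpoint agent or browser can still observe after the substitution: undersized RSA keys and a chain that ends in a root outside the expected public set. The host name bank.example and both CA common names are constructed for the example. Note the limit the article points to: once the interceptor has re-signed the connection, whether the original upstream certificate was valid is no longer visible in the presented chain, so an audit like this can detect the interception itself but cannot recover the lost validity check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// minRSABits is the smallest RSA modulus the audit accepts; the 1024-bit keys
// described in the article fall below it.
const minRSABits = 2048

// auditChain inspects a server certificate and the CA certificate that signed
// it, as a browser sees them, and returns one finding per problem: undersized
// RSA keys, a leaf not really signed by the presented issuer, and a chain that
// does not end in one of the public roots the organisation expects to see.
func auditChain(leaf, issuer *x509.Certificate, publicRoots *x509.CertPool) []string {
	var findings []string
	for _, c := range []*x509.Certificate{leaf, issuer} {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
			findings = append(findings, fmt.Sprintf("%q: %d-bit RSA key (< %d)",
				c.Subject.CommonName, pub.N.BitLen(), minRSABits))
		}
	}
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		findings = append(findings, "leaf is not signed by the presented issuer: "+err.Error())
	}
	name := ""
	if len(leaf.DNSNames) > 0 {
		name = leaf.DNSNames[0]
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: publicRoots, DNSName: name}); err != nil {
		findings = append(findings, fmt.Sprintf("chain for %s ends in non-public root %q: %v",
			name, issuer.Subject.CommonName, err))
	}
	return findings
}

// newCA builds a self-signed CA certificate with an RSA key of the given size.
func newCA(cn string, bits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a TLS server certificate for host, signed by ca.
func newServerCert(host string, bits int, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// scenario builds the genuine chain (2048-bit keys, public root) and the chain a
// local interceptor substitutes (1024-bit keys, locally generated root) for the
// same constructed host, and returns the audit findings for each.
func scenario() (genuine, intercepted []string, err error) {
	publicCA, publicKey, err := newCA("Example Public Root (constructed)", 2048)
	if err != nil { return nil, nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	realLeaf, err := newServerCert("bank.example", 2048, publicCA, publicKey)
	if err != nil { return nil, nil, err }
	localCA, localKey, err := newCA("Local Interception Root (constructed)", 1024)
	if err != nil { return nil, nil, err }
	fakeLeaf, err := newServerCert("bank.example", 1024, localCA, localKey)
	if err != nil { return nil, nil, err }
	return auditChain(realLeaf, publicCA, roots), auditChain(fakeLeaf, localCA, roots), nil
}

func main() {
	genuine, intercepted, err := scenario()
	if err != nil { panic(err) }
	fmt.Println("genuine chain findings:", len(genuine))
	for _, f := range intercepted { fmt.Println("intercepted chain:", f) }
}
```

The genuine chain produces no findings; the intercepted chain produces three (weak leaf key, weak issuer key, root outside the public set). In practice the public root pool would be the system store minus any locally added roots, which is exactly the set PrivDog's installer modifies.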
In an update to his blog post, Böck said the TLS interception behaviour is present in the latest version, PrivDog 3.0.96.0, which can be downloaded from the PrivDog website. Comodo Internet Security bundles an earlier version of PrivDog that works through a browser extension, so it is not directly affected by this issue. According to online sources, PrivDog 3.0.96.0 was released in December 2014 and changed the TLS interception technology.
Currently, PrivDog is shipped with products produced by Comodo. Bromium co-founder and CTO Simon Crosby said: “PrivDog is in every sense as malicious as Superfish. It intercepts and decrypts supposedly secure communication between the browser and a remote site (such as the user’s bank), ostensibly to insert its own advertising into pages in the browser.
“It is substantially more scary though because PrivDog effectively turns your browser into one that just accepts every HTTPS certificate out there without checking its validity, increasing vulnerability to phishing attacks, for example.”
Mark James, security specialist at ESET, recommended uninstalling the stand-alone version of PrivDog or the Lavasoft Ad-Aware Web Companion and removing the associated root certificates as soon as possible.
“The stand-alone version of PrivDog, when installed, recreates a key/cert on each installation. It will intercept every certificate it finds and then replace it with one signed by its root key; this enables it to replace adverts in web pages with its own ads from ‘Trusted Sources’,” he said.
“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless of whether it’s been signed by a certificate authority or not.
“By comparison, the Superfish ‘man-in-the-middle’ process at least requires the name of the targeted website to be inserted into the certificate’s alternate name field. Although Superfish allows the possibility of massive exploitation, with this flaw it is still marginally better than what PrivDog is doing.”
UPDATE –
In an advisory, PrivDog said that PrivDog 3.0.105.0 has been released with a fix for the security issue found in the third-party library.
“A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users,” it said. “This potential issue is only present in PrivDog versions 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users.”
It said that at most 6,294 users in the USA (57,568 users globally) could potentially be affected. It confirmed that the third-party library used by PrivDog is not the same library used by Superfish, and that the issue potentially affects a very limited number of websites.