
Comodo ships Adware Privdog worse than Superfish - hannob
https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html
======
jgwest
I think the worst aspect of all these bad actors is how they use misleading
language to hide what they are doing.

Consider PrivDog's sales pitch:

 _PrivDog® protects your privacy while browsing the web and more! Get safer,
faster and more private web browsing today!_

In fact, the point of the software from PrivDog's perspective is to replace
web ads from third-party ad networks with web ads from PrivDog's own third-
party ad network -- i.e. AdTrustMedia.

Similar language is used in Lenovo's ex-post-facto sales pitch for Superfish:

 _The goal was to improve the shopping experience using their visual discovery
techniques._

No, the goal from your point of view was to insert your own advertising
network links into users' webpages. And it's installed by default (no need to
worry... you can trust your new Lenovo machine!) as a self-encrypted subsystem
(which underscores the tricky intentions).

Perhaps the use of misleading language is what primarily leads people to
regard these sorts of things as inappropriate bait-and-switch badware
installs? The problem is, of course, that these sales techniques work, or at
least the offending companies seem to believe that they will work for enough
unsophisticated users.

------
slipstream-
Of course, Comodo has done some bad things in the past:
[http://dottech.org/10032/paying-a-price-to-use-free-software...](http://dottech.org/10032/paying-a-price-to-use-free-software-the-dark-side-of-comodo-products/)
[https://www.schneier.com/blog/archives/2011/03/comodo_group_...](https://www.schneier.com/blog/archives/2011/03/comodo_group_is.html)

(FYI, I'm @TheWack0lian on twitter, and have helped investigate the whole
superfish/komodia thing. I also helped to verify Privdog. There's an IRC
channel currently being used to corroborate knowledge about this stuff that I
set up: irc.ringoflightning.net #kekmodia)

------
justcommenting
Browser vendors need to rethink the mostly blind eye they've been turning
toward corporate DPI and silent MITM.

I don't think browser vendors are necessarily responsible for Superfish or
Privdog, but I do think they play a role when they make design choices that
sacrifice more than most users realize at the altar of maximum compatibility
without convenient alternative configuration options.

Even today, trust agility for CAs in Firefox is still one of the hardest-to-
configure parts of the software for non-technical users. In a world of HSTS,
why on earth should non-programmers have to click through a kludgy GUI for
each of hundreds of CAs just to avoid trusting Chinese, Turkmenistani and
various other CAs with no warnings by default? This seems like an area ripe
for extension development; e.g. with something like RequestPolicy's categories
defined by geography, level of paranoia, etc. - or AdBlock Edge's subscription
lists. Firefox could pretty easily incorporate Certificate Patrol
functionality and make it more usable for less technical users. And so on.

Companies producing this sort of malware deserve to be punished for misleading
their customers and putting them at risk, but perhaps another solution is to
pressure browser vendors to start thinking about the way crypto gets used with
a lot more nuance as a potential attack surface, and from whose vantage point
MITM confers _transitive risk_. When vendors leave those sorts of backdoors
quietly open for corporate DPI, users often lose control over who _else_ might
try to use a similar type of backdoor.

There may be a legal difference between corporate DPI and Privdog, but we
should stop pretending that there's a huge technical or ethical distinction
between Privdog and browser vendors turning a blind eye to silent DPI against
someone who does not get a say in it, and often does not even know about it.

Browser vendors hide behind 'compatibility' excuses for crappy defaults and
glaringly absent warnings in much the same way PrivDog misleads people;
browser vendors just tend to commit sins of _omission_ rather than commission.

~~~
jgraham
> Browser vendors need to rethink the mostly blind eye they've been turning
> toward corporate DPI and silent MITM.

It is unclear to me if browser vendors could actually do anything meaningful
here. After all a sufficiently motivated company could just deploy a private
fork of an open source browser with any code changes they want. No doubt, if
there is demand, someone would be happy to sell pre-customised versions of
these browsers. The only restriction they would have is that they couldn't
call the result "Firefox" or "Chrom[ium]", but since they set the IT policy,
requiring all employees to use FooCorp Internet Browser isn't a problem. I
guess the trademark issue, but really only the trademark issue, does make that
approach less viable for adding MITM "capabilities" to OEM-distributed
browsers.

(note: I work for Mozilla, but am not a security expert)

~~~
justcommenting
I actually think reframing these issues as something that might necessitate a
fork for corporates could be good for all involved because that hopefully
would mean less egg on Mozilla's face when someone finds out they're being
DPIed.

There's a lot more nuance than I've acknowledged, but I'd much rather people
make a fairly consistent set of assumptions about the trustworthiness of
Firefox and a second, different set of assumptions about corporate MITMfox.

Even though I'm not a fan of it, I also recognize that companies own their
assets and need to protect their networks. But should Firefox stay completely
quiet by default when an IT department MITMs an employee's traffic? Even if we
all acknowledge the same IT department could turn those warnings off, I think
it would still be a start.

This will always be a cat-and-mouse game and I agree that Mozilla may not be
able to permanently 'win' on behalf of users, but I think browser vendors in
general could do more to shift norms and change the 'framing' of whether users
see (for example) a monkey-in-the-middle icon instead of a lock icon by
default when they're being MITMed by adware or corporate DPI.

------
mintplant
_However here comes the big flaw: PrivDog will intercept every certificate and
replace it with one signed by its root key. And that means also certificates
that weren't valid in the first place. It will turn your Browser into one
that just accepts every HTTPS certificate out there, whether it's been signed
by a certificate authority or not._

Superfish does this too, actually.

[https://news.ycombinator.com/item?id=9078536](https://news.ycombinator.com/item?id=9078536)

~~~
takluyver
It sounds like PrivDog is slightly worse. Superfish tries to verify the cert
and provide an invalid cert if the original one is invalid, but it overlooks
SubjectAltNames [1]. So if you know about this, you can make it produce a
valid certificate.

By the sounds of it, PrivDog doesn't verify the cert at all - even if it gets
a totally invalid cert, it will produce a valid one for that domain.

The distinction is largely academic, though. If you have either Superfish or
PrivDog, any attacker who knows what they're doing can MITM your HTTPS
connections.

[1] [https://blog.filippo.io/komodia-superfish-ssl-validation-is-...](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/)

~~~
patcheudor
"So if you know about this, you can make it produce a valid certificate."

Since Filippo Valsorda already went public with the same findings (I held off
on the details and let the community figure it out while working with the
vendor), here's the thing. SSLsplit does wildcard SAN out of the box. Any WiFi
Pineapple with the SSLsplit infusion can be up and running, MitM'ing Superfish
in no time at all without even knowing about the Superfish SAN validation
issue. As such, it wouldn't surprise me at all if people MitM'ing WiFi
connections already got in the middle without even trying. Keep in mind that
Superfish was running on consumer convertible devices like the Yoga 2 which
functions either as a laptop or tablet, in short, a device you'd expect to be
connecting to WiFi nearly exclusively, thus making the attack surface much
larger than a desktop machine connected via a LAN cable to your DSL router.

------
john_saxon
The core of the outrage about Superfish is centered on the fact that it is
_preinstalled_, that we are given no choice about its existence. In the case
of PrivDog, we _do_ have a choice to install it. Shady software will always
exist, it's just that in the Superfish case it was shoved down our throats
without our knowledge.

~~~
mkozlows
The core of the outrage about Privdog is that it's created by the founder of
Comodo, and distributed with Comodo products, and therefore Comodo doesn't
really seem like a company you should trust, but you don't have a choice,
because they're a trusted root CA.

~~~
userbinator
The question is, do you trust Comodo's Privdog ad-networks more or less than
all the others out there? If you are already trusting Comodo as a CA, wouldn't
you think that Privdog's ad networks have been through some sort of approval
process by Comodo and therefore, more trustworthy somehow? Thus, wouldn't it
be better if those were the only ads you saw? That seems to be their sales
pitch.

The _implementation_ lacking any cert verification is a total fail (it might
not be intentional at all), and I personally trust
[http://localhost:8080/blocked.gif](http://localhost:8080/blocked.gif) more
than any ad network... but I can see the reasoning behind the product.

~~~
seestheday
I'd argue that this is also stealing from the content creators or other
people/companies that added actual value (e.g. group running a forum that pays
for hosting with ads).

------
Animats
Comodo is a root certificate authority. Is this grounds for removing their
root cert from Firefox and making all Comodo certs invalid?

~~~
tombrossman
They probably deserve it but the net effect would be to break many sites for
many users. One step forward, two steps back.

What privacy-minded users need is a trusted list of root CA's and a
(relatively) easy way to instruct their browsers to use only that list. For
example, The Hong Kong Post Office is a CA installed in your browser and you
can choose to delete or distrust it. Same thing for Turktrust, AOL, etc.

I imagine there are plenty of other CA's which could be distrusted but I don't
know enough to make an informed decision and I don't want to start deleting
them randomly and breaking my browsing experience. I'd love to see a list
curated by a trusted organisation like the EFF or the Open Rights Group, which
I could refer to when choosing which CA's to remove from my browser.

~~~
Animats
Does anyone have a copy of the certificate used by PrivDog? If so, please
publish it for examination. Is it signed by Comodo's CA? If so, they've acted
improperly as a certificate authority. That's grounds for revocation of their
CA privileges.

~~~
edwintorok
"PrivDog recreates a key/cert on every installation" - I don't think it can
be signed with a chain rooted at the Comodo CA if it's regenerated on the
installed machine, but would be good to confirm.

------
brazzledazzle
I can't understand how someone who understands CAs enough to build a dynamic
one doesn't also understand that you should build the CA certificate and
private key dynamically at the point of installation, not when you compile.
That would have changed these publicly embarrassing situations from dangerous
to simply controversial.

Edit: And they should know that it needs to be smart enough to deal with an
invalid certificate appropriately, regardless of Subject Alternative Names or
any other extensions.

~~~
bjornsing
Agree. And to think that this someone is also the CEO of a "real" CA trusted
by "over 99.9% of all browsers"... OMG.

(Or am I missing something? I just can't believe it...)

------
PythonicAlpha
If this is correct, this is really a big thing!

It seems everybody on the internet isn't caring anymore about security or is
totally ignorant. Comodo as certificate authority should care about internet
security and should know better.

Who should trust certs anymore or trust the trust-chain, when even the certs
don't care?

------
Dylan16807
This does sound a bit worse, but Superfish also makes many self-signed and
invalid certs into valid ones.

When Superfish finds a bad cert it corrupts the main name, but leaves Subject
Alternative Names intact on a shiny new 'valid' certificate.
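An added example (not from the thread) illustrating the point takluyver and Dylan16807 make above: a name check that only consults the Common Name reports that a certificate with a corrupted CN no longer names the site, while a browser-style check over every DNS identity in the Subject Alternative Name still matches it. The certificate dicts are constructed in the shape `ssl.getpeercert()` returns and the hostnames in them are placeholders; the wildcard handling also covers the wildcard-SAN case patcheudor mentions.

```python
"""Hostname matching over CN versus all DNS identities (added example)."""


def _match_one(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a single '*' may replace only the leftmost label."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False  # a wildcard must not cover a whole public suffix like *.com
    if plabels[0] != '*' or '*' in pattern[pattern.index('*') + 1:]:
        return False  # only an entire leftmost label may be the wildcard
    return plabels[1:] == hlabels[1:]


def cn_only_match(cert: dict, hostname: str) -> bool:
    """The incomplete check: looks at the Subject CN and nothing else."""
    for rdn in cert.get('subject', ()):
        for key, value in rdn:
            if key == 'commonName':
                return _match_one(value, hostname)
    return False


def identities(cert: dict) -> list:
    """Every DNS identity the cert claims: SAN dNSName entries, CN as fallback."""
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:  # browsers consult the CN only when no SAN is present
        for rdn in cert.get('subject', ()):
            for key, value in rdn:
                if key == 'commonName':
                    names.append(value)
    return names


def full_match(cert: dict, hostname: str) -> bool:
    """Browser-style check: the host must match some DNS identity on the cert."""
    return any(_match_one(name, hostname) for name in identities(cert))


# Constructed sample: the CN carries a deliberately broken name, but the SAN
# still lists the real site. Hostnames are placeholders, not real sites.
CORRUPTED_CN_CERT = {
    'subject': ((('commonName', 'verify-failed.invalid'),),),
    'subjectAltName': (('DNS', 'bank.example'), ('DNS', 'www.bank.example')),
}


def demo() -> dict:
    """Show why judging a cert by its CN alone gives a false sense of safety."""
    return {
        'cn_only': cn_only_match(CORRUPTED_CN_CERT, 'bank.example'),
        'all_identities': full_match(CORRUPTED_CN_CERT, 'bank.example'),
    }


if __name__ == '__main__':
    print(demo())
```

A re-signing proxy that wants a certificate to be rejected must therefore leave no identity on it that matches the site, and a validator on the receiving side must check the SAN list, not just the CN.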

------
wasyl
I don't know if anyone confirms, but my default installation of Kaspersky
Internet Security tried to MiTM my traffic as well. I couldn't download some
packages (Android SDK I think) because of certificate error. It then turned
out some default feature in KIS installs own certificate and proxies secure
traffic through.

~~~
hannob
What Kaspersky does is different: It creates a new cert/key for every
installation. Same with Avast.

You can still argue whether it's a good idea to intercept HTTPS at all (I'd
say it's certainly not a good idea). But it doesn't have any super-severe
vulns like superfish or privdog (at least not any I could find having a quick
look at it).

------
kristofferR
Why would anyone use an ad replacer that doesn't pay you instead of just an ad
blocker?

You might as well just donate money to them, that's simpler.

------
brohee
From an attacker point of view, Privdog looks a lot better than Superfish
since the traffic toward the specific ad network identifies people likely to
have it installed.

Much less chance to be caught red handed MitMing someone not vulnerable if the
victims broadcast their vulnerability.

------
TZer0
[http://i.imgur.com/5bSfFJr.png](http://i.imgur.com/5bSfFJr.png)

Maybe it is time for a change of certificate?

------
gscott
While you are at it... buying Comodo certificates through NameCheap.com they
are delivered in zip files through email and are not password protected. It
seems unusual since email is not very secure.

~~~
dan1234
That's just the public part, which your server will send to clients. The
private part is the key, which shouldn't leave your server.

------
where_is_mh370
The best "free" Comodo app was their firewall. Now it seems far better to pay
for a corporate non-expiring/no-nonsense host-based fw, i.e., CheckPoint
Endpoint firewall which used to be similar (shared code for a time) to
ZoneAlarm. (ZA is what we used at the UCD netsec grad lab, because it was
free.) There are others (Symantec SEP). (Yes, host-based endpoint protection
is mostly a feel-good joke on the user.)

------
userbinator
_PrivDog's functionality is to replace advertising in web pages with its own
advertising "from trusted sources"._

So it's an ad-replacer, not an ad-blocker, but works in a similar way to other
ad-blocking proxies like Proxomitron. The main problem here is in bad
certificate verification, which seems to be a common trend with these bugs
(Apple's "goto fail" was another much-publicised one.)

As I mentioned before about Superfish, I really hope these discoveries aren't
used as an excuse to take away the right of the user to choose what he/she
trusts, in a similar way to how "terrorism" is being used as an excuse to
further surveillance. In contrast, it used to be really easy to enable/disable
certificate verification completely - browsers had configuration options to do
that. (Why? So I can use a proxy that doesn't resign certificates. It means
that instead of trusting the browser, I can trust the proxy to do the
certificate verification instead; and I should absolutely have the right to do
that and inspect what data my traffic contains via that proxy.)

~~~
duskwuff
Replacing ads with other ads "from trusted sources" seems incredibly
underhanded anyways. Who gets the money from clicks on the new ads? Probably
not the web site owner...

~~~
seestheday
I agree. This is theft. It's technical and complicated so it likely won't be
ever be enforced or prosecuted, but I think this is outright stealing.

~~~
userbinator
Would you say that using an ad-blocker is also "stealing"? How about changing
the channel when ads come on TV - which could make you see a _different_ ad
instead (since a lot of them tend to synchronise the times when they play
ads...), similar to what Privdog does, or just doing something else completely
(analogous to a pure ad-blocker)?

I think this goes back to the philosophical debate about adblocking that won't
be over anytime soon... and I'm firmly on the side of the user retaining full
control over the content he/she consumes, which in some ways is equivalent to
the freedom one has to close his/her eyes or look away at something else, and
believe that technological measures like ad-blockers are a way of protecting
this freedom.

The alternative, which advertisers would very much like to happen, is for even
those basic freedoms to be taken away; for users to essentially be _forced_
into consuming whatever content they desire.

~~~
stevenh
You are vehemently and loquaciously defending malware. You are also callously
disregarding sites operating on razor-thin profit margins from their ads
which, if lost to a firestorm of theft of revenue by criminals distributing
malware such as Superfish and Privdog, will cause them to have to shut down
their sites altogether.

The only site owners who aren't hurt by this type of malware are the terrible
ones with no regard for their users, who are willing to double up on how many
popups they slam the visitor with, or ironically even willing to join shady
pay-per-install malware networks just to get their revenue back up to normal
levels.

I'd like to believe you've never run a site before, because otherwise you'd
have an idea of just how expensive it can be.

~~~
userbinator
How exactly is advocating users' freedoms "defending malware"? By the same
reasoning that advocating privacy is "defending terrorists"? I wouldn't want
to use Privdog or Superfish, but if someone _voluntarily_ wants to change how
he/she views the Internet on their own machine, they should be well within
their rights to do so.

 _The only site owners who aren't hurt by this type of malware are the
terrible ones with no regard for their users_

...or the ones who _don't put any ads on their site_? I do happen to have
such a site, and the reason it doesn't have any ads is because it doesn't need
them.

In my experience, the most ad-filled sites also tend to be of the content-farm
type, providing little in the way of quality content.

~~~
seestheday
I'm not arguing that users blocking ads is an issue. To me that is the same as
someone deciding to not look at an ad in a magazine or tear them out/cover
them up before reading the article. What they decide to do is up to them.

See my billboard example reply to the comment above to see why I believe that
Privdog and Superfish are run by thieves.

