
Komodia SSL certificates are in many products - jgrahamc
http://marcrogers.org/2015/02/19/will-the-madness-never-end-komodia-ssl-certificates-are-everywhere/
======
jrochkind1
Um, this is missing even a link to an explanation of what the issue actually
is, seems to just assume the reader knows. I do not and googling isn't working
out. Am I being dense?

~~~
x0x0
tl;dr

Komodia is a company that makes an SSL hijacking product, as described on
their site:

    Our advanced SSL hijacker SDK is a brand new technology that allows you to
    access data that was encrypted using SSL and perform on the fly SSL
    decryption. The hijacker uses Komodia’s Redirector platform to allow you
    easy access to the data and the ability to modify, redirect, block, and
    record the data without triggering the target browser’s certification
    warning. [1]

A necessary feature of such a product appears to be the inclusion of the
private SSL key in any product using their hijacking tech and the installation
of komodia as a valid certificate in the OS certificate store. Therefore,
anyone who wants can buy a product using Komodia, extract the private SSL key,
and MITM at will any computer infected with any product using Komodia
software.

Any website protected by SSL where that SSL authority isn't pinned by Chrome
(do other browsers have such tech?) is now trivially vulnerable to SSL
hijacking by, e.g., anyone in the same coffee shop or local network. And, of
course, between that user and their destination site.

The current kerfuffle is due to the fact that Lenovo was caught pre-installing
Superfish, an adware/spyware product -- for the users' benefit! -- that, in
turn, installed the Komodia SSL hijacking toolkit and broke SSL on any such
infected computer.

The race is now on for every goddamn script kiddie in the entire world to the
bank accounts of any suckers that trusted Lenovo. Go up to Seattle where
windows laptops are more common, roll into a coffee shop, and I bet you can
earn yourself some bank account logins.

ps -- this is a reason people buy Macs. You get a vanilla OS install; that's
currently only really available for Windows AFAIK from the Microsoft store.

[1] [http://www.komodia.com/](http://www.komodia.com/)
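A defender's check for the mechanism x0x0 describes (a vendor root certificate planted in the OS trust store, with the signing key shipped inside the product): the PowerShell script below is added here and is not part of the thread or of any Komodia, Superfish or Lenovo tooling. It lists trusted root certificates on a Windows machine that look like local interception CAs. The name patterns "Superfish" and "Komodia" are assumptions taken from the thread; the private-key heuristic rests on the fact that a genuine public CA never has its private key present on an end-user machine, so a root for which the machine holds a private key is almost always a locally installed interception CA.

```powershell
# Added example, not from the thread: find trusted root CAs that look like
# local TLS interception roots. Run from an elevated PowerShell prompt so
# the LocalMachine stores are readable.

# Assumption: product names worth flagging (taken from the discussion).
$suspectNames = 'Superfish', 'Komodia'
$pattern = ($suspectNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Root = "Trusted Root Certification Authorities",
# AuthRoot = "Third-Party Root Certification Authorities".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\AuthRoot'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        $reasons = @()
        # Heuristic 1: a root whose private key lives on this machine can be
        # used locally to mint certificates for any site that trusts it.
        if ($_.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }
        # Heuristic 2: subject or issuer names a known interception product.
        if ($_.Subject -match $pattern -or $_.Issuer -match $pattern) {
            $reasons += 'name matches known interception product'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No suspicious root certificates found.'
}
```

The thumbprint column is the useful part for the shared-key problem raised above: if two machines report the same thumbprint, they hold the same certificate and therefore the same key pair, so the key is shared across installs rather than generated per machine. Deleting such a root (`Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"`) removes the trust relationship, but the interception software that installed it must be uninstalled too, otherwise it can re-add the certificate or leave HTTPS broken.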

~~~
mikeash
I've barely touched a Windows machine in many years, so I'm a bit out of
touch. How difficult is it to do a clean, vanilla install on one of these
computers these days? I imagine that's the first thing you'd want to do after
pulling it out of the box.

~~~
TeMPOraL
It's trivial to do even for a complete non-techie (just click next, next, ok,
type something, next, next, done) and has been for a long time. The problem is
that if you bought a computer with Windows that has bundled crapware, you
won't get the vanilla Windows - the installation/recovery medium will have the
same crapware bundled. You need to get your hands on a clean Windows, which
usually means buying it (or pirating it, as was common in the past - yet
another case where what you pirate is better for you than what you buy).

~~~
kentonv
The last few times I've tried to install Windows on things, it was actually
surprisingly horrible. The problem is, the generic install media has basically
no drivers on it, so you have to go fetch it all manually, from all the
respective manufacturers' web sites. It is, of course, fairly hard to download
your network driver without a network driver, so you'd better have another
computer and some USB storage around. Also, many of the drivers come only in
the form of installer bundles that are themselves hundreds of megabytes and
full of crapware.

In comparison, installing Ubuntu is a breeze, almost all the drivers you need
are included with the install media and installed automatically, etc. Unless
you have brand new, just-released hardware, it "just works", and even with
brand new hardware there tend to be guides on the internet that are still
easier than getting drivers installed on Windows.

Actual thing that happened: My mom said she needed to reformat an old laptop
but didn't have the Windows media and wondered what to do. On a lark I
suggested installing Ubuntu. A few weeks later, having not heard anything, I
asked what happened to the laptop. She said she installed Ubuntu and it worked
great. Never asked me a single question.

~~~
TeMPOraL
I wonder how long ago you were trying that. Since Windows 7 all drivers
download themselves via Windows Update. So as long as you're not using a
bootleg CD key for your Windows, it should install as smoothly as Ubuntu, only
with more stuff working OOTB.

~~~
eggy
I would have to agree with the ease of loading vanilla Windows. I've done it
quite easily with both an Alienware 14 (2013) and a Sony Vaio that is 4 years
old. I downloaded the proper copy of Windows from the MS site, which was Win 7
Ultimate 64bit for the Sony, and made a disk or USB stick. Then it was a few
prompts and that was it. Instead of letting Windows Update load the drivers, I
found my specific build on the Sony site with the correct drivers for all the
bits and pieces. I did not install any of the free software, or Sony-specific
software, which was easy to discern on the downloads page. Same for the
Alienware. BTW, I have installed, used and programmed on OS X, Minix, FreeBSD,
Ubuntu, Backbox, and others. I find the Windows/Linux/BSD/OS X comments on
usage to be about preference rather than actual steps involved.

EDIT: I had the OEM Product Key on the Sony and AW, and they both registered
fine without a problem, no need for pirated versions or any taxes.

------
slipstream-
In case you're wondering, the keys/certs are different for each product.

[https://gist.github.com/Wack0/17c56b77a90073be81d3](https://gist.github.com/Wack0/17c56b77a90073be81d3)

~~~
lurkinggrue
I'm sure it isn't that hard for somebody to get their hands on the private
keys for those products and I bet they used the same password.

Edit: LOL, ok so the keys are right there on that link. Nice!

------
StavrosK
I find it funny that "komodia" is Greek for "comedy".

------
fmela
The founder of Komodia talks about how their products work (2010):
[https://www.youtube.com/watch?v=hCuTRzFY9CQ](https://www.youtube.com/watch?v=hCuTRzFY9CQ)

------
crazychrome
I bet it's going to be linked to NSA, GCHQ and IDF in tomorrow's news paper.

~~~
jgrahamc
Well, if you want to go down that path just visit the Komodia about page:
[http://www.komodia.com/about/](http://www.komodia.com/about/)

_Barak Weichselbaum founded Komodia, Inc. in 2000, following his military
service as a programmer in the IDF’s Intelligence Core._

But you don't need to worry about provenance to see that technically this is a
scary thing to do.

~~~
woodman
Conscription makes the military service irrelevant.

~~~
leesalminen
When you join the military, either through conscription or of your own free
will, their first job is to train you psychologically so that your beliefs are
aligned with theirs.

It usually works.

~~~
woodman
Yup, and it is a temporary effect - that is why there is a graduated rank
structure. As the mental conditioning (to put it charitably) wears off, you
are further removed from danger and positions where immediate obedience to
orders is necessary.

------
maaaats
Honestly, this adds nothing new to the discussion. "Everywhere" with no data
to back it up.

~~~
tlrobinson
_Here’s some that have been found so far:

Komodia’s “Keep My Family Secure” parental control software.

Qustodio’s parental control software

Kurupira Webfilter_

------
notsony
However distasteful Lenovo's business decision to bundle adware on their
consumer laptops, the finger of blame should now rightly point to the
third-party software provider, Komodia.

Lenovo did not vet the software properly before bundling it and heads should
roll, but I do not think they are deliberately evil or malicious.

If Lenovo are to be condemned, then the entire open-source community must also
condemn itself for allowing OpenSSL and Bash to have remained vulnerable for
so long. Just like Lenovo, our eyes were wide shut, and it took a shock to
open them.

~~~
xerphn
No. You are saying that anyone who creates software with a security bug in it
should be condemned. Komodia built their software with a very serious security
hole, _intentionally_, to sell a product with HTTPS sniffing abilities.

Just because Lenovo didn't build the software, doesn't mean they are not
guilty of overlooking a serious security vulnerability by including software
which provides no benefit to its customers. It's an insult to customers.

The bugs you find in OpenSSL and Bash are not insults, they are mistakes made
by people who don't get money out of their work (and who don't go out of their
way to sell / track information). Security is hard to build correctly, easy to
break.

~~~
mikeash
MITMing your own SSL connections can be done safely, and for good reasons
(Charles proxy being a good example of both). These guys are doing it
unsafely, and for bad reasons. However, those two parts are unrelated! This
stuff could easily have been safe had they known what they were doing, or
prioritized that. I don't think it's fair to say that the security hole itself
is intentional. Certainly if they hadn't built the product in the first place
the hole wouldn't exist, but building the product doesn't imply the hole had
to be there.

The fundamental problem is that software like this greatly increases your
attack surface, and thus should only be used with careful consideration if the
benefits are worthwhile. Instead, Lenovo put its users at risk without
informing them or providing them with any benefit.

~~~
notsony
Yes, another use-case is if you are running Privoxy on your local computer;
would be great if you could MITM all local SSL connections instead of having
to manually whitelist specific sites.

~~~
SixSigma
Here's how to decrypt SSL sessions in Wireshark:

[https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/](https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/)

Before that I used Burp Suite, but that uses its own self-signed cert too.

[http://portswigger.net/burp/](http://portswigger.net/burp/)

Privoxy doesn't do SSL or did I miss something?