
Comodo “Chromodo” Browser disables same origin policy - polemic
https://code.google.com/p/google-security-research/issues/detail?id=704
======
steckerbrett
Ah, the old "break the PoC to make the researcher stop complaining" move, but
don't fix the underlying insanity. Classic.

~~~
david_shaw
My background's in application security assessments. I've seen this hundreds
(or more) times, from developers that should really know better.

"Hey, there's SQLi in this input form! Better make sure ' OR 1=1;-- is
blacklisted," but don't properly parameterize their queries or sanitize input.

~~~
dsacco
"Hey, they reported cross-site scripting! Let's blacklist angle brackets,
that'll do the trick!"

In case this is not clear to anyone in 2016, blacklisting known-dangerous
characters is not an adequate bug fix. It's a rabbit hole, you will burn hours
trying to blacklist every character or character combination that can cause a
vulnerability just to have someone own you anyway.

~~~
TTPrograms
What's current best practice?

~~~
sarciszewski
The proper fixes for common web application vulnerabilities are as follows:

_Session Hijacking/Fixation/etc._: Use TLS.

_SQL Injection_: Prepared statements that AREN'T emulated; PHP's defaults
are bad here.

EDIT: If you're writing in another language, make sure it's not providing
string escaping masquerading as prepared statements, but _actual_ prepared
statements. (My earlier comment was too broad; some forms of emulated prepared
statements might be OK, but PHP's is dangerous.)

_Cross-Site Scripting_: Context-aware escaping (templating libraries) +
Security Headers

_Cross-Site Request Forgery_: CSRF tokens

_Password storage_: bcrypt, scrypt, PBKDF2-SHA2, Argon2

_Encryption, Digital Signatures, Authenticated Key Exchanges, etc._: Hire an
expert, don't do it yourself based on the advice contained within HN comments.

_File Inclusion / Directory Traversal_: Don't write your applications in a
dumb way that makes these vulnerabilities possible. But if you must, use
something like realpath() with a sanity check based on the expected parent
directory (in PHP).

_XML External Entities_: Make sure you disable the entity loader:

    libxml_disable_entity_loader(true);

_PHP Object Injection_ in PHP 5: don't ever pass user input to unserialize();
use json_decode() instead.

_PHP Object Injection_ in PHP 7: either disable object loading or whitelist
the allowed types; i.e. unserialize($var, false); or unserialize($var,
['DateTime']);

These are just some of the common problems I frequently find, of course. There
are more basic ways to mess up an application ("not even checking that you're
authenticated" being at the top of that list).

[https://paragonie.com/blog/2015/08/gentle-introduction-application-security](https://paragonie.com/blog/2015/08/gentle-introduction-application-security)

Further reading and resources:

* [https://securityheaders.io](https://securityheaders.io)

* [https://github.com/paragonie/awesome-appsec](https://github.com/paragonie/awesome-appsec)

And if anyone wants their code reviewed:
[https://paragonie.com/services](https://paragonie.com/services)

~~~
ineedtosleep
Is it too early to be suggesting Argon2? I've not heard of it until now, but
the Wikipedia entry[1] shows that the paper was just released late last year.

[1]
[https://en.wikipedia.org/wiki/Argon2](https://en.wikipedia.org/wiki/Argon2)

~~~
oxguy3
My suggestion, if you really want to overkill and knock it out of the park:
use both. Run it through bcrypt, then through Argon2. If something happens
where one of them is deemed insecure/bad practice, you've still got the other
one.

~~~
technion
This falls into the category of "coming up with your own system". It sounds
theoretically as strong as either one, but it could end up weaker overall.

Define X as the maximum time you can allow a hash to run on your server,
before it either starts to annoy users, or becomes a DoS issue. Moving from
"Argon2, such that it runs for X" to "both algorithms, with a total cost X"
means both of them are running with a much reduced work strength.

In the case of Argon2, there is an "iterations" counter, but t=2 is already
reasonable, and on low end hardware, you may see t=1. So as per the spec,
reducing runtime in order to make the whole thing work is going to involve
reducing m.

Except bcrypt is already not memory hard, and you've just reduced the only
memory constraint in your algorithm.

And it's entirely possible there are bigger issues I didn't come up with in two
minutes of thinking about it.

------
derFunk
Comodo, TrendMicro, AVG... A lot of security suites made it into headlines the
past couple of months, because of their incredibly questionable practices.
What's the reason for this?

~~~
thekos
Taviso has been on a rampage.

~~~
derFunk
Yeah I forgot to mention Sophos. I'm glad we have him.

~~~
knd775
Don't forget FireEye

------
Cartwright2
Wasn't there a similar issue in another browser here on HN recently? How does
this actually happen - two different security companies both push out "secure"
browsers that are fundamentally insecure. I'm not even in the security
business and I know it would be fatal to publish a Chrome build without cors.
What I can't understand is why would they ever disable it? Seems almost like
an act of malice.

~~~
wepple
I'd argue Comodo isn't a security company. It's a software company that
markets software which intends to have a positive effect on one aspect of your
security (namely, malware). They're using 20-year-old ineffective techniques to
attempt to have a positive effect on your security, and whether there is a
positive, negative, or neutral net effect is to be debated.

They continue to make hundreds of millions of dollars, so they keep going.

Edit: are you talking about this:
[https://news.ycombinator.com/item?id=8866784](https://news.ycombinator.com/item?id=8866784)
? I'd have thought a company like whitehatsec _would_ be able to do a better
job with a browser.

------
jameslk
I just uninstalled this "Internet Security" piece of software recently and had
only kept it on my media PC because it was more of a burden to remove it. Once
upon a time, they used to receive high marks for their antivirus software, but
as of late, their antivirus software has done nothing but plague me with ads
that popup over the taskbar and rob me of my computational resources. It isn't
surprising that it is also riddled with security issues like this.

This seems to be the trend in antivirus software (like the other gangbuster
revelation with Trend Micro). They've slowly turned their software into the
crapware they used to defend against in response to their increasing
irrelevance.

------
sarciszewski
Comodo should have crashed and burned years ago.

[https://www.youtube.com/watch?v=Z7Wl2FW2TcA](https://www.youtube.com/watch?v=Z7Wl2FW2TcA)

~~~
jakub_g
Interesting video, thanks for sharing. One question about it if you don't
mind: with the Moxie's proposed client-based solution, how do I know that the
communication with notaries is safe? If there's an (active) MITM in the
network, they could hijack the connections to all the notaries as well, and
whatever the query from client, they'd respond "yeah that cert is totally
valid".

I guess I'd have to manually install notaries and somehow verify their certs
myself upon installation.

Edit: well I could rely on Firefox/Chrome to prebundle some "trusted"
notaries' certs, like they do with CA certs now, but then I would be able to
delete all but a few, contrary to the current situation where deleting some CA
certs is breaking the internet.

~~~
sarciszewski
I don't even know if Convergence is being maintained anymore, but pinning the
public key of the notaries would make an active MITM nigh-impossible.

------
snakebitten101
Comodo's browsers should not be trusted. They have jumped the shark and do not
value their users' security or privacy in the slightest. Why do I say so? For
things like this:
[http://forums.comodo.com/help-cd-b206.0/-t108748.0.html](http://forums.comodo.com/help-cd-b206.0/-t108748.0.html)

------
__jal
Their PKI infrastructure was compromised a few years back, too.

Obviously a very different corner of the security landscape, but it doesn't
seem like they've gotten any more careful.

Avoid.

------
JohnTHaller
Comodo's "secure" browsers have a tendency to lag rather badly behind Chrome.
So a major security fix will land in Chrome and be pushed to stable along with
the relevant security bug being made public but Comodo's Chrome-based browser
won't land the patch for weeks or months.

------
AdmiralAsshat
Wow, that's disconcerting. Different product, but I'm almost tempted to
uninstall the Comodo Firewall that's running on my Windows laptop out of fear
that there's some other blatant security blunder waiting to be exploited.

Anyone have any suggestions for a free firewall alternative?

~~~
jve
Are you using Windows? What's wrong with the Built-in Advanced Firewall?

~~~
josefresco
Pretty much this. I stopped using Comodo when the built-in Firewall was "good
enough". I did miss (briefly) the yay/nay for every connection that Comodo
offered.

------
twiss
I don't understand the testcase they provide. It opens a window at
[https://ssl.comodo.com/](https://ssl.comodo.com/) and sends a message to it
with `postMessage`. However, the whole point of postMessage is to provide
cross-origin communication. Continuing, the message they send is:

    {
        command: "execCode",
        code:    "alert(document.cookie)",
    }

Apparently [https://ssl.comodo.com/](https://ssl.comodo.com/) used to then
proceed to execute that code. However, this is not a vulnerability in the
browser, but in that website. Am I missing something? Was Chromodo breaking
the `messageEvent.origin` property, breaking same-origin checks in JavaScript?
Seems far-fetched.
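
The point twiss makes, as an added example that is not part of the original post or of Comodo's site: postMessage is cross-origin by design, so the page receiving the message must check `MessageEvent.origin` itself. The allowlist, command names and handler functions below are assumptions.

```javascript
// Added example, not from the Chromodo issue: the receiver's side of postMessage.
// The browser only delivers the message; the receiving page decides what to do.
const ALLOWED_ORIGINS = new Set(["https://ssl.comodo.com"]); // assumed allowlist

// The pattern the thread describes: any window may send {command, code} and
// the receiver acts on it. Modelled as a decision record rather than an eval.
function unsafeReceive(event) {
  const { command, code } = event.data || {};
  if (command === "execCode") return { executed: true, code };
  return { executed: false, reason: "unknown command" };
}

// Hardened receiver: origin allowlist, a fixed command table taking structured
// arguments, and no evaluation of strings received from another window.
const handlers = {
  ping: () => ({ pong: true }),
  setTheme: (args) => (["light", "dark"].includes(args.theme) ? { theme: args.theme } : null),
};

function safeReceive(event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { executed: false, reason: "untrusted origin " + event.origin };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.command !== "string") {
    return { executed: false, reason: "malformed message" };
  }
  if (!Object.prototype.hasOwnProperty.call(handlers, data.command)) {
    return { executed: false, reason: "unknown command " + data.command };
  }
  const result = handlers[data.command](data.args || {});
  return result ? { executed: true, result } : { executed: false, reason: "bad arguments" };
}
// In a browser this is wired up as: window.addEventListener("message", safeReceive);

// Constructed MessageEvent-like objects (Node has no window; only origin and data matter here).
const foreignMessage = {
  origin: "https://some-other-site.example",
  data: { command: "execCode", code: "alert(document.cookie)" },
};
const trustedMessage = {
  origin: "https://ssl.comodo.com",
  data: { command: "setTheme", args: { theme: "dark" } },
};
```

The check only helps if the browser fills in `event.origin` honestly, which is exactly the property twiss asks about.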

~~~
lolc
What postMessage() does is immaterial. This is where it should fail,
referencing into another domain:

obj.postMessage

~~~
twiss
No, that shouldn't fail. `postMessage` is not a random function defined inside
the window at ssl.comodo.com. It's a function defined by the browser,
available on every Window object, including ones returned by window.open():

[https://developer.mozilla.org/docs/Web/API/Window/postMessag...](https://developer.mozilla.org/docs/Web/API/Window/postMessage)

~~~
lolc
Thanks for the correction. I didn't know postMessage() was special. Now I too
am confused as to why the browser should be to blame here.

------
vetrom
Empowering Honest Achmed worldwide since 2011!

------
mschuster91
Guess the reason is because some site failed to implement CORS.

But, on the other side, it's a TRUE PITA to debug.

------
JukEboX
I can't find any information as to how you would contract this.

~~~
cjbprime
What do you mean by contract? You download it from
[https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php](https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php).

