On 01/04/2016 12:07 PM, Daniel Holbert wrote:
> UPDATE: in my family friend's case, the shoddy MITM spyware in question
> was "Simmons Connect Research Application", a consumer profiling tool
> that's tied to Experian which users can voluntarily install in exchange
> for points that you can use to buy stuff.

I reached out to Experian on Twitter:
 https://twitter.com/CodingExon/status/684105591288008704
...and also via a web form on one of their Simmons Connect pages.

I also sent the following to
http://www.digitalmarketresearchapps.com/contact.html , which seems to
be the HTTPS interception library that they're using:
======================
Hi,
I'm a software engineer at Mozilla, working on the Firefox web browser,
and I'm contacting you about something extremely urgent -- I'm hoping to
reach an engineer who works on your HTTPS interception library/tool.

As of January 1st (several days ago), your tool *entirely breaks* HTTPS
connections in Firefox, due to your tool's reliance on a deprecated
security algorithm called SHA1. The importance of this is hard to
overstate -- for users who have your tool installed, their internet
access is *completely* broken, including their ability to download
browser updates.  Chrome users are (or will soon be) affected as well,
and Internet Explorer/Edge users will be affected at some point in the
next year -- all browsers are coordinating on phasing out SHA1
certificate support.

Specifically:
Based on a user report, it seems "Digital Market Research Apps" is
issuing certificates for a consumer profiling tool called "Simmons
Connect".  As of January 1st, this user was unable to visit any HTTPS
site in Firefox, because the tool was providing newly-generated
certificates using the obsolete SHA1 algorithm.  And per
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
, such certificates are treated as untrusted.

Please contact me as soon as possible.  For users with your software
installed, it's of the utmost urgency that you issue an update, to make
your certificates use a newer algorithm than SHA1.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
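A defender-side check for the problem described in this thread (an interception tool minting certificates signed with SHA-1, which browsers now reject), added here as an example and not code from the thread or from any of the vendors named in it: a minimal DER walker that reads only the outer Certificate SEQUENCE and its signatureAlgorithm field, so it needs no third-party library. The two sample certificates are constructed stubs with a dummy tbsCertificate and an empty signature, not real certificates.

```python
# Flag X.509 certificates whose signatureAlgorithm is SHA-1 based (constructed example).

# Dotted OIDs of SHA-1 signature algorithms a browser treats as untrusted.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5",  # sha1WithRSAEncryption
    "1.2.840.10045.4.1",     # ecdsa-with-SHA1
}

def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 with continuation bit
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm_oid(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid, _ = _read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(oid)

def uses_sha1_signature(cert_der):
    return signature_algorithm_oid(cert_der) in SHA1_SIGNATURE_OIDS

def _stub_cert(oid_content):
    """Constructed stub: SEQUENCE { tbs placeholder, AlgorithmIdentifier, BIT STRING }."""
    tbs = b"\x30\x03\x02\x01\x02"                      # SEQUENCE { INTEGER 2 }
    alg = b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00"
    alg = b"\x30" + bytes([len(alg)]) + alg
    body = tbs + alg + b"\x03\x01\x00"                 # empty BIT STRING
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_STUB = _stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # sha1WithRSA
SHA256_RSA_STUB = _stub_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA
```

The same walker works on a real DER-encoded certificate (for example `uses_sha1_signature(open("cert.der", "rb").read())`), which is how you would confirm whether a locally installed interception tool is still issuing SHA-1 signed leaf certificates.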
