'Secure' advertising tool PrivDog compromises HTTPS security
(IT World):
http://www.itworld.com/article/2887635/secure-advertising-tool-privdog-compromises-https-security.html
"Unlike Superfish, PrivDog installs a different root certificate on
every system, so there's no shared private key that would allow
attackers to generate rogue certificates. However, it turns out they
don't even need a shared key. The error in PrivDog's implementation is
simpler than that: The program doesn't properly validate the original
certificates it receives from websites. It will therefore accept rogue
certificates that would normally trigger errors inside browsers and
will replace them with certificates that those browsers will trust.
For example, an attacker on a public wireless network or with control
over a compromised router could intercept a user's connection to
bankofamerica.com and present a self-signed certificate that would
allow him to decrypt traffic. The user's browser would normally reject
such a certificate. However, if PrivDog is installed, the program
will take the attacker's self-signed certificate and will create a
copy signed with its own trusted root certificate, forcing the browser
to accept it. In essence, the user's traffic would be intercepted and
decrypted by the local PrivDog proxy, but PrivDog's connection to the
real site would also be intercepted and decrypted by a hacker."
- - -
--Lauren--
Lauren Weinstein ([email protected]): http://www.vortex.com/lauren
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- PRIVACY Forum: http://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility: http://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
_______________________________________________
nnsquad mailing list
http://lists.nnsquad.org/mailman/listinfo/nnsquad
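The failure the article describes, as an added example written for this page (it is not code from the article, from PrivDog, or from this list): a Go program in which the proxy's upstream TLS client either skips validation, as PrivDog did, or verifies the chain and hostname against a trust store, each tested against a loopback server that presents a self-signed certificate. The hostname upstream.example, the function names, and the empty certificate pool standing in for the system trust store are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const host = "upstream.example" // constructed hostname standing in for the real site
// selfSignedCert is the attacker's throwaway certificate: right name and dates, but chained to no trusted root (constructed).
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// proxyAcceptsUpstream runs the proxy's upstream handshake against a loopback server presenting that certificate.
// skipVerify=true is the PrivDog bug (origin cert never validated); false verifies chain and hostname against a pool that, like the real trust store, lacks the attacker's cert.
func proxyAcceptsUpstream(skipVerify bool) bool {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() { // attacker's server: complete the handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cfg := &tls.Config{ServerName: host, RootCAs: x509.NewCertPool(), InsecureSkipVerify: skipVerify}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil // true: the proxy would now re-sign this certificate and hand it to the browser
}

func main() { fmt.Println("skips validation:", proxyAcceptsUpstream(true), "validates:", proxyAcceptsUpstream(false)) }
```

A proxy that returns true here is in exactly the state the article describes: it has accepted a certificate the browser would have refused, and everything it re-signs afterwards inherits that trust.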