Comodo ships Adware Privdog worse than Superfish (hboeck.de)
274 points by hannob on Feb 23, 2015 | hide | past | favorite | 46 comments



I think the worst aspect of all these bad actors is how they use misleading language to hide what they are doing.

Consider PrivDog's sales pitch:

PrivDog® protects your privacy while browsing the web and more! Get safer, faster and more private web browsing today!

In fact, the point of the software from PrivDog's perspective is to replace web ads from third-party ad networks with web ads from PrivDog's own third-party ad network -- i.e. AdTrustMedia.

Similar language is used in Lenovo's ex-post-facto sales pitch for Silverfish:

The goal was to improve the shopping experience using their visual discovery techniques.

No, the goal from your point of view was to insert your own advertising network links into users' webpages. And it's installed by default (no need to worry... you can trust your new Lenovo machine!) as a self-encrypted subsystem (which underscores the tricky intentions).

Perhaps the use of misleading language is what primarily leads people to regard these sorts of things as inappropriate bait-and-switch badware installs? The problem is, of course, that these sales techniques work, or at least the offending companies seem to believe that they will work for enough unsophisticated users.


Of course, Comodo has done some bad things in the past: http://dottech.org/10032/paying-a-price-to-use-free-software... https://www.schneier.com/blog/archives/2011/03/comodo_group_...

(FYI, I'm @TheWack0lian on twitter, and have helped investigate the whole superfish/komodia thing. I also helped to verify Privdog. There's an IRC channel currently being used to corroborate knowledge about this stuff that I set up: irc.ringoflightning.net #kekmodia)


Browser vendors need to rethink the mostly blind eye they've been turning toward corporate DPI and silent MITM.

I don't think browser vendors are necessarily responsible for Superfish or Privdog, but I do think they play a role when they make design choices that sacrifice more than most users realize at the altar of maximum compatibility without convenient alternative configuration options.

Even today, trust agility for CAs in Firefox is still one of the hardest-to-configure parts of the software for non-technical users. In a world of HSTS, why on earth should non-programmers have to click through a kludgy GUI for each of hundreds of CAs just to avoid trusting Chinese, Turkmenistani and various other CAs with no warnings by default? This seems like an area ripe for extension development; e.g. with something like RequestPolicy's categories defined by geography, level of paranoia, etc. - or AdBlock Edge's subscription lists. Firefox could pretty easily incorporate Certificate Patrol functionality and make it more usable for less technical users. And so on.

Companies producing this sort of malware deserve to be punished for misleading their customers and putting them at risk, but perhaps another solution is to pressure browser vendors to start thinking about the way crypto gets used with a lot more nuance as a potential attack surface, and from whose vantage point MITM confers transitive risk. When vendors leave those sorts of backdoors quietly open for corporate DPI, users often lose control over who else might try to use a similar type of backdoor.

There may be a legal difference between corporate DPI and Privdog, but we should stop pretending that there's a huge technical or ethical distinction between Privdog and browser vendors turning a blind eye to silent DPI against someone who does not get a say in it, and often does not even know about it.

Browser vendors hide behind 'compatibility' excuses for crappy defaults and glaringly absent warnings in much the same way PrivDog misleads people; browser vendors just tend to commit sins of omission rather than commission.


> Browser vendors need to rethink the mostly blind eye they've been turning toward corporate DPI and silent MITM.

At this point I'm thinking it's more than a "blind eye", it's willful collusion. It's been too long since problems like these have been pointed out publicly. Moxie Marlinspike talked about SSL certificate problems back in 2011. Similarly, Certificate Patrol has tried to solve a real problem since 2012 if not earlier.

But the browser vendors take very half-hearted steps to solve the problem. E.g. Firefox. Mozilla gets on the order of $300 million per year in revenue. Huh? WTF? Where does all the money go if high priority issues like this are attacked mostly by promises and baby steps?

At what point do we begin to think that something that outwardly appears to be simple neglect is actually a lot more sinister?

Before Edward Snowden's revelations I wasn't nearly as paranoid as the above sounds. Now, almost nothing I can think of is as bad as what the NSA and its ilk throughout the world have been doing to us for years.


> Browser vendors need to rethink the mostly blind eye they've been turning toward corporate DPI and silent MITM.

It is unclear to me if browser vendors could actually do anything meaningful here. After all a sufficiently motivated company could just deploy a private fork of an open source browser with any code changes they want. No doubt, if there is demand, someone would be happy to sell pre-customised versions of these browsers. The only restriction they would have is that they couldn't call the result "Firefox" or "Chrom[ium]", but since they set the IT policy, requiring all employees to use FooCorp Internet Browser isn't a problem. I guess the trademark issue, but really only the trademark issue, does make that approach less viable for adding MITM "capabilities" to OEM-distributed browsers.

(note: I work for Mozilla, but am not a security expert)


I actually think reframing these issues as something that might necessitate a fork for corporates could be good for all involved because that hopefully would mean less egg on Mozilla's face when someone finds out they're being DPIed.

There's a lot more nuance than I've acknowledged, but I'd much rather people make a fairly consistent set of assumptions about the trustworthiness of Firefox and a second, different set of assumptions about corporate MITMfox.

Even though I'm not a fan of it, I also recognize that companies own their assets and need to protect their networks. But should Firefox stay completely quiet by default when an IT department MITMs an employee's traffic? Even if we all acknowledge the same IT department could turn those warnings off, I think it would still be a start.

This will always be a cat-and-mouse game and I agree that Mozilla may not be able to permanently 'win' on behalf of users, but I think browser vendors in general could do more to shift norms and change the 'framing' of whether users see (for example) a monkey-in-the-middle icon instead of a lock icon by default when they're being MITMed by adware or corporate DPI.


>Browser vendors need to rethink the mostly blind eye they've been turning toward corporate DPI and silent MITM.

This kind of inspection is becoming more and more important for companies with every very public and expensive hack that occurs. Google, Microsoft and Apple all produce closed source software that they do not want leaked. They all have secrets and embarrassing private issues that have happened. I doubt you'll see cooperation from them in removing the ability to inspect traffic that leaves their networks or machines.

>Firefox is still one of the hardest-to-configure parts of the software for non-technical users

I'd agree that it's difficult for a non-technical user to configure, but that lack of easier configurability is a sign that Mozilla isn't really beholden to these organizations. If they were they'd just use the standard OS CA certificate stores like Safari, Chrome and Internet Explorer do.

>There may be a legal difference between corporate DPI and Privdog, but we should stop pretending that there's a huge technical or ethical distinction between Privdog and browser vendors turning a blind eye to silent DPI against someone who does not get a say in it, and often does not even know about it.

I agree, but I also recognize the importance of this feature to companies, big or small. While Chrome and Internet Explorer both have consumer and enterprise versions/configurations for their browsers, they could split security features with the user in mind too. I'd say Safari could do more in general but I feel like Apple has such a love/hate relationship with enterprise customers that it would be hit or miss in execution.


However here comes the big flaw: PrivDog will intercept every certificate and replace it with one signed by its root key. And that means also certificates that weren't valid in the first place. It will turn your Browser into one that just accepts every HTTPS certificate out there, whether it's been signed by a certificate authority or not.

Superfish does this too, actually.

https://news.ycombinator.com/item?id=9078536


It sounds like PrivDog is slightly worse. Superfish tries to verify the cert and provide an invalid cert if the original one is invalid, but it overlooks SubjectAltNames [1]. So if you know about this, you can make it produce a valid certificate.

By the sounds of it, PrivDog doesn't verify the cert at all - even if it gets a totally invalid cert, it will produce a valid one for that domain.

The distinction is largely academic, though. If you have either Superfish or PrivDog, any attacker who knows what they're doing can MITM your HTTPS connections.

[1] https://blog.filippo.io/komodia-superfish-ssl-validation-is-...


"So if you know about this, you can make it produce a valid certificate."

Since Filippo Valsorda already went public with the same findings (I held off on the details and let the community figure it out while working with the vendor), here's the thing. SSLSplit does wildcard SAN out of the box. Any WiFi Pineapple with the SSLSplit infusion can be up and running, MitM'ing Superfish in no time at all without even knowing about the Superfish SAN validation issue. As such, it wouldn't surprise me at all if people MitM'ing WiFi connections already got in the middle without even trying. Keep in mind that Superfish was running on consumer convertible devices like the Yoga 2 which functions either as a laptop or tablet, in short, a device you'd expect to be connecting to WiFi nearly exclusively, thus making the attack surface much larger than a desktop machine connected via a LAN cable to your DSL router.


The core of the outrage about Superfish is centered on the fact that it is preinstalled, that we are given no choice about its existence. In the case of PrivDog, we do have a choice to install it. Shady software will always exist, it's just that in the Superfish case it was shoved down our throats without our knowledge.


The core of the outrage about Privdog is that it's created by the founder of Comodo, and distributed with Comodo products, and therefore Comodo doesn't really seem like a company you should trust, but you don't have a choice, because they're a trusted root CA.


Well, they are a company you'd trust, given they're a CA. If I saw something made by Comodo, before today, I'd probably assume it was safe...


Which therefore calls for a deep, deep look at who we do trust and who we should trust.


The question is, do you trust Comodo's Privdog ad-networks more or less than all the others out there? If you are already trusting Comodo as a CA, wouldn't you think that Privdog's ad networks have been through some sort of approval process by Comodo and therefore, more trustworthy somehow? Thus, wouldn't it be better if those were the only ads you saw? That seems to be their sales pitch.

The implementation lacking any cert verification is a total fail (it might not be intentional at all), and I personally trust http://localhost:8080/blocked.gif more than any ad network... but I can see the reasoning behind the product.


I'd argue that this is also stealing from the content creators or other people/companies that added actual value (e.g. group running a forum that pays for hosting with ads).


Can't we just remove their root certificate from the trust stores then?


Yeah but you don't expect shady software from a company that's supposed to be protecting us.


Comodo is a root certificate authority. Is this grounds for removing their root cert from Firefox and making all Comodo certs invalid?


They probably deserve it but the net effect would be to break many sites for many users. One step forward, two steps back.

What privacy-minded users need is a trusted list of root CA's and a (relatively) easy way to instruct their browsers to use only that list. For example, The Hong Kong Post Office is a CA installed in your browser and you can choose to delete or distrust it. Same thing for Turktrust, AOL, etc.

I imagine there are plenty of other CA's which could be distrusted but I don't know enough to make an informed decision and I don't want to start deleting them randomly and breaking my browsing experience. I'd love to see a list curated by a trusted organisation like the EFF or the Open Rights Group, which I could refer to when choosing which CA's to remove from my browser.


> They probably deserve it but the net effect would be to break many sites for many users. One step forward, two steps back.

This is the attitude that, I think, makes these problems possible. There is a time when you should care about collateral damage - say, when deciding whether or not to install malicious crapware that steals from people and/or throws feces in their faces while they browse. But here, it's time to have balls. They should pull it.

Because right now, Comodo literally pulled off the Honest Achmed move[0] - they sold so many certificates that apparently they can do whatever the fuck they want and no one can do anything, because everyone is afraid of breaking browsing for many users.

I say, break it. People will get annoyed, but they will notice. They will learn what happened. A lot of companies will need to spend time and money on new certificates. Let them. They'll learn who fucked them over, and learn to be more careful with who to trust. Not doing anything shows only that the chain of trust is toothless.

[0] - https://bugzilla.mozilla.org/show_bug.cgi?id=647959


Does anyone have a copy of the certificate used by PrivDog? If so, please publish it for examination. Is it signed by Comodo's CA? If so, they've acted improperly as a certificate authority. That's grounds for revocation of their CA privileges.


"PrivDog recreates a key/cert on every installation" - I don't think it can be signed with a chain rooted at the Comodo CA if it's regenerated on the installed machine, but would be good to confirm.


I can't understand how someone who understands CAs enough to build a dynamic one doesn't also understand that you should build the CA certificate and private key dynamically at the point of installation, not when you compile. That would have changed these publicly embarrassing situations from dangerous to simply controversial.

Edit: And they should know that it needs to be smart enough to deal with an invalid certificate appropriately, regardless of Subject Alternative Names or any other extensions.


Agree. And to think that this someone is also the CEO of a "real" CA trusted by "over 99.9% of all browsers"... OMG.

(Or am I missing something? I just can't believe it...)


If this is correct, this is really a big thing!

It seems everybody on the internet isn't caring anymore about security or is totally ignorant. Comodo as a certificate authority should care about internet security and should know better.

Who should trust certs anymore or trust the trust-chain, when even the certs don't care?


This does sound a bit worse, but Superfish also makes many self-signed and invalid certs into valid ones.

When Superfish finds a bad cert it corrupts the main name, but leaves Subject Alternative Names intact on a shiny new 'valid' certificate.
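The SAN detail raised in this comment, in the earlier one citing Filippo's write-up, and in the "regardless of Subject Alternative Names" remark, comes down to how clients match a hostname against a certificate: when subjectAltName carries dNSName entries, the CN is not consulted at all. The following is an added example (not code from the thread, from Superfish, Komodia or PrivDog) that implements that SAN-first matching in plain Python and then models, on a constructed certificate, why corrupting only the CN of a re-issued certificate changes nothing for a SAN-aware client. Certificates use the dict layout of `ssl.SSLSocket.getpeercert()`; function names, the `SAMPLE_CERT` values and the `verify_fail` marker are assumptions for illustration, and the matcher deliberately ignores IP-address SANs and IDNA handling.

```python
"""Hostname matching over subjectAltName and CN, in the style of RFC 6125.

Added example; not code from the thread, Superfish, Komodia or PrivDog.
Certificates use the dict shape returned by ssl.SSLSocket.getpeercert(),
so the module runs offline; SAMPLE_CERT below is a constructed sample.
"""


def _dns_names(cert):
    """dNSName entries from subjectAltName (empty list when absent)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """commonName attributes from the subject, in order of appearance."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _match_pattern(pattern, hostname):
    """Match one name pattern against a hostname, case-insensitively.

    Only a single leading "*." wildcard is accepted, it matches exactly one
    label, and it needs at least two fixed labels after it ("*.com" fails).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or "*" in pattern[2:]:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert, hostname):
    """SAN-first check as browsers do it: when subjectAltName carries any
    dNSName the CN is ignored entirely; CN is consulted only for certs that
    have no SAN at all."""
    names = _dns_names(cert) or _common_names(cert)
    return any(_match_pattern(n, hostname) for n in names)


SAMPLE_CERT = {  # constructed sample, not a real certificate
    "subject": ((("countryName", "US"),), (("commonName", "example.com"),)),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "*.api.example.com"),
    ),
}


def reissue_spoiling_cn_only(cert, marker="verify_fail"):
    """Model of the behaviour the thread describes: after an upstream
    validation failure the CN is corrupted, but subjectAltName is copied
    over untouched. Because match_hostname() ignores the CN whenever a SAN
    exists, the result still matches the real hostname."""
    spoiled = dict(cert)
    spoiled["subject"] = tuple(
        tuple((k, f"{marker}.{v}" if k == "commonName" else v) for k, v in rdn)
        for rdn in cert.get("subject", ())
    )
    return spoiled


def reissue_without_any_matching_name(cert):
    """The minimum an interceptor must do if it re-issues at all: drop the
    SAN as well as the CN, so a SAN-aware client rejects the copy too.
    (Refusing the connection outright is the safer choice.)"""
    copy = {k: v for k, v in cert.items() if k != "subjectAltName"}
    copy["subject"] = tuple(
        tuple((k, "invalid.invalid" if k == "commonName" else v) for k, v in rdn)
        for rdn in cert.get("subject", ())
    )
    return copy


if __name__ == "__main__":
    for name in ("www.example.com", "foo.api.example.com",
                 "a.b.api.example.com", "evil.example"):
        print(f"{name:24s} -> {match_hostname(SAMPLE_CERT, name)}")
    print("CN spoiled, SAN kept  ->",
          match_hostname(reissue_spoiling_cn_only(SAMPLE_CERT), "www.example.com"))
    print("CN and SAN both gone  ->",
          match_hostname(reissue_without_any_matching_name(SAMPLE_CERT), "example.com"))
```

Running the module shows the spoiled-CN copy still matching `www.example.com`, which is the whole point of the SAN observation: any client that follows the SAN-first rule will accept it. A proxy that re-signs traffic has to treat an upstream validation failure as a failure of the whole connection, not as a naming problem to be signalled through one field.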


I don't know if anyone confirms, but my default installation of Kaspersky Internet Security tried to MiTM my traffic as well. I couldn't download some packages (Android SDK I think) because of a certificate error. It then turned out some default feature in KIS installs its own certificate and proxies secure traffic through


What Kaspersky does is different: It creates a new cert/key for every installation. Same with Avast.

You can still argue whether it's a good idea to intercept HTTPS at all (I'd say it's certainly not a good idea). But it doesn't have any super-severe vulns like superfish or privdog (at least not any I could find having a quick look at it).


Why would anyone use an ad replacer that doesn't pay you instead of just an ad blocker?

You might as well just donate money to them, that's simpler.


From an attacker point of view, Privdog looks a lot better than Superfish since the traffic toward the specific ad network identifies people likely to have it installed.

Much less chance to be caught red handed MitMing someone not vulnerable if the victims broadcast their vulnerability.


http://i.imgur.com/5bSfFJr.png

Maybe it is time for a change of certificate?


While you are at it... buying Comodo certificates through NameCheap.com they are delivered in zip files through email and are not password protected. It seems unusual since email is not very secure.


That's just the public part, which your server will send to clients. The private part is the key, which shouldn't leave your server.


The best "free" Comodo app was their firewall. Now it seems far better to pay for a corporate non-expiring/no-nonsense host-based fw, i.e., CheckPoint Endpoint firewall which used to be similar (shared code for a time) to ZoneAlarm. (ZA is what we used at the UCD netsec grad lab, because it was free.) There are others (Symantec SEP). (Yes, host-based endpoint protection is mostly a feel-good joke on the user.)


PrivDog's functionality is to replace advertising in web pages with its own advertising "from trusted sources".

So it's an ad-replacer, not an ad-blocker, but works in a similar way to other ad-blocking proxies like Proxomitron. The main problem here is in bad certificate verification, which seems to be a common trend with these bugs (Apple's "goto fail" was another much-publicised one.)

As I mentioned before about Superfish, I really hope these discoveries aren't used as an excuse to take away the right of the user to choose what he/she trusts, in a similar way to how "terrorism" is being used as an excuse to further surveillance. In contrast, it used to be really easy to enable/disable certificate verification completely - browsers had configuration options to do that. (Why? So I can use a proxy that doesn't resign certificates. It means that instead of trusting the browser, I can trust the proxy to do the certificate verification instead; and I should absolutely have the right to do that and inspect what data my traffic contains via that proxy.)


Replacing ads with other ads "from trusted sources" seems incredibly underhanded anyways. Who gets the money from clicks on the new ads? Probably not the web site owner...


I agree. This is theft. It's technical and complicated so it likely won't be ever be enforced or prosecuted, but I think this is outright stealing.


Would you say that using an ad-blocker is also "stealing"? How about changing the channel when ads come on TV - which could make you see a different ad instead (since a lot of them tend to synchronise the times when they play ads...), similar to what Privdog does, or just doing something else completely (analogous to a pure ad-blocker)?

I think this goes back to the philosophical debate about adblocking that won't be over anytime soon... and I'm firmly on the side of the user retaining full control over the content he/she consumes, which in some ways is equivalent to the freedom one has to close his/her eyes or look away at something else, and believe that technological measures like ad-blockers are a way of protecting this freedom.

The alternative, which advertisers would very much like to happen, is for even those basic freedoms to be taken away; for users to essentially be forced into consuming whatever content they desire.


Would you say that using an ad-blocker is also "stealing"?

I think it's pretty easy to draw a distinction between blocking ads for personal convenience and replacing ads with other ads for profit.


You are vehemently and loquaciously defending malware. You are also callously disregarding sites operating on razor-thin profit margins from their ads which, if lost to a firestorm of theft of revenue by criminals distributing malware such as Superfish and Privdog, will cause them to have to shut down their sites altogether.

The only site owners who aren't hurt by this type of malware are the terrible ones with no regard for their users, who are willing to double up on how many popups they slam the visitor with, or ironically even willing to join shady pay-per-install malware networks just to get their revenue back up to normal levels.

I'd like to believe you've never run a site before, because otherwise you'd have an idea of just how expensive it can be.


How exactly is advocating users' freedoms "defending malware"? By the same reasoning that advocating privacy is "defending terrorists"? I wouldn't want to use Privdog or Superfish, but if someone voluntarily wants to change how he/she views the Internet on their own machine, they should be well within their rights to do so.

The only site owners who aren't hurt by this type of malware are the terrible ones with no regard for their users

...or the ones who don't put any ads on their site? I do happen to have such a site, and the reason it doesn't have any ads is because it doesn't need them.

In my experience, the most ad-filled sites also tend to be of the content-farm type, providing little in the way of quality content.


I'm not arguing that users blocking ads is an issue. To me that is the same as someone deciding to not look at an ad in a magazine or tear them out/cover them up before reading the article. What they decide to do is up to them.

See my billboard example reply to the comment above to see why I believe that Privdog and Superfish are run by thieves.


I'm also on the side of user retaining full control over the content he/she consumes, but there's an important difference here - in case of ad blockers, it's your choice as a user to not have ads displayed (or have them changed to something else). However, in case of Privdog, it's a third party changing ads without your or ad-displaying site's knowledge or consent. So maybe I, as a user, did choose to display ads on some site because I want to support them (I do that every now and then if the site asks nicely) - but then the site still doesn't get any of my money because some scumbags injected their own ads.

It's a clear theft - a malicious third party that intercepts money exchange between two other parties without knowledge or consent of either.


It may be easier to think about this in meatspace.

Is it a crime for someone walking around to not look at a billboard? Of course not.

Is it a crime for someone to plaster over an ad on a billboard with their own ad? It isn't explicitly theft, but it is certainly a crime, and the end result is nearly the same (in the meatspace example it is the advertiser that gets the shaft, and in the digital example it is the billboard maker that gets the shaft).


I agree with these statements, but the analogy is flawed because in your second example you are making it impossible for everyone to see the original ad. The software equivalent to your analogy would be hacking into others' servers to replace ads, making that replacement visible to everyone, and that is certainly not what Privdog is doing. This also happens to be the crucial difference between theft and piracy.

Privdog only replaces ads on the machine on which it is installed, and those who don't have it installed will see the original ad. The meatspace equivalent would be something like an augmented reality device that replaces ads for the one wearing it; and this is not a new idea, although no one has wanted to replace ads with other ads:

http://theartvertiser.com/



