'Secure' advertising tool PrivDog compromises HTTPS security

Over the weekend, a user reported on Hacker News that his system failed an online test designed to detect a man-in-the-middle vulnerability introduced by Superfish, a program preloaded on some Lenovo consumer laptops.

However, his system did not have Superfish installed. Instead, the problem was tracked down to another advertising-related application called PrivDog, which was built with the involvement of Comodo's CEO, Melih Abdulhayoglu. New PrivDog releases are announced on the Comodo community forum by people tagged as Comodo staff.

PrivDog is marketed as a solution to protect users against malicious advertising without completely blocking ads. The program is designed to replace potentially bad ads with safer ones that are reviewed by a compliance team from a company called Adtrustmedia. As Abdulhayoglu puts it in a January 2014 post on his personal blog in which he describes the technology: "Consumers win, Publishers win, Advertisers win."

However, according to people who recently looked at PrivDog's HTTPS interception functionality, consumers might actually lose when it comes to their system's security if they use the product.

In order to replace ads on websites protected with HTTPS (HTTP with SSL/TLS encryption), PrivDog installs its own self-generated root certificate on the system and then runs as a man-in-the-middle proxy. When users access HTTPS sites, PrivDog hijacks their connections and replaces the legitimate certificates of those sites with new ones signed with the locally installed root certificate.

Since the root certificate installed by PrivDog on computers is trusted by browsers, all certificates that chain back to it will also be trusted. This means that users will think that they're securely speaking to the websites they accessed, while in the background, PrivDog will decrypt and manipulate their traffic.

That in itself is not a bad implementation. There are legitimate reasons for scanning HTTPS traffic and many security products use similar techniques to analyze encrypted traffic for potential threats.

Unlike Superfish, PrivDog installs a different root certificate on every system, so there's no shared private key that would allow attackers to generate rogue certificates. However, it turns out they don't even need a shared key

The error in PrivDog's implementation is simpler than that: The program doesn't properly validate the original certificates it receives from websites. It will therefore accept rogue certificates that would normally trigger errors inside browsers and will replace them with certificates that those browsers will trust.

For example, an attacker on a public wireless network or with control over a compromised router could intercept a user's connection to bankofamerica.com and present a self-signed certificate that would allow him to decrypt traffic. The user's browser would normally reject such a certificate.

However, if PrivDog is installed, the program will take the attacker's self-signed certificate and will create a copy signed with its own trusted root certificate, forcing the browser to accept it. In essence, the user's traffic would be intercepted and decrypted by the local PrivDog proxy, but PrivDog's connection to the real site would also be intercepted and decrypted by a hacker.

PrivDog is bundled with some products from Comodo, like Comodo Internet Security as well as its Chromodo, Dragon and IceDragon browsers. However, it seems that these products include PrivDog version 2, which lacks the HTTPS proxy functionality, and thus does not expose users to man-in-the-middle attacks.

The PrivDog version that exposes users to man-in-the-middle attacks is version 3, which is available to download as a stand-alone application and which supports a large number of browsers including Google Chrome, Mozilla Firefox and Internet Explorer, according to security researcher Filippo Valsorda, who's online HTTPS test was updated to account for it.

This "potential issue" only exists in PrivDog versions 3.0.96.0 and 3.0.97.0 that have never been distributed by Comodo and are not present in the company's browsers, a Comodo representative said Monday via email.

The PrivDog team at Adtrustmedia has published a security advisory that assigns a low threat level to the vulnerability. A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version, the team said. The new version -- 3.0.105.0 -- is also available for download from the company's site.

"As long as people use this practice of 'breaking the chain of trust' there are bound to be some who implement it utterly wrong," said Amichai Shulman, CTO of security firm Imperva, via email. "Superfish's mistake was using the same root certificate across all deployments. PrivDog's mistake is not validating certificates at all."

Some people believe that the PrivDog vulnerability is even worse than the one introduced by Superfish.

"By comparison, the Superfish 'man-in-the-middle' process at least requires the name of the targeted website to be inserted into the certificates alternate name field," said Mark James, a security specialist at antivirus firm ESET. "Although Superfish allows the possibility of massive exploitation with this flaw it is still marginally better than what PrivDog is doing."

However, it's not just Superfish or PrivDog that open such security holes on computers. Researchers determined that the Superfish vulnerability was actually in a third-party software development kit from a company called Komodia. The same SDK is used in other products as well, including parental control applications, VPN clients and software from a security vendor called Lavasoft.