<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        mso-fareast-language:EN-US;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0cm;
        mso-margin-bottom-alt:auto;
        margin-left:0cm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Calibri","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoPlainText>Hi Chris,<o:p></o:p></p><p class=MsoPlainText>                PrivDog is not a Comodo Group product.  Comodo ships a version of PrivDog with Comodo Internet Security (CIS) and with Comodo browsers, but that is an earlier release which does not exhibit the identified behaviour.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The PrivDog versions being downloaded and evaluated by security researchers is a newer stand-alone version that has never been distributed by Comodo.<o:p></o:p></p><p class=MsoPlainText>The issue is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and is apparently due to a bug in a third party library that PrivDog bought in.<o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>The PrivDog team has released an advisory with more information, available here: <a href="http://privdog.com/advisory.html">http://privdog.com/advisory.html</a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>I see that Hanno has updated his page somewhat, too, to remove the claim that it is Comodo distributing this flawed version of PrivDog.<o:p></o:p></p><p class=MsoPlainText><a href="https://blog.hboeck.de/archives/865-Adware-Privdog-worse-than-Superfish.html">https://blog.hboeck.de/archives/865-Adware-Privdog-worse-than-Superfish.html</a><o:p></o:p></p><p class=MsoPlainText>c.f. <a href="http://web.archive.org/web/20150223010209/https:/blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html">http://web.archive.org/web/20150223010209/https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html</a><o:p></o:p></p><p class=MsoPlainText><o:p> </o:p></p><p class=MsoPlainText>Regards<o:p></o:p></p><p class=MsoPlainText>Robin Alden<o:p></o:p></p><p class=MsoPlainText>Comodo CA Ltd.<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Chris Palmer<br><b>Sent:</b> 23 February 2015 14:38<br><b>To:</b> Ryan Sleevi<br><b>Cc:</b> public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] Lenovo installation of malicious root.<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Also, Comodo might want to tell us what is going on here:<o:p></o:p></p><p><a href="http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml">http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml</a><o:p></o:p></p><div><p class=MsoNormal>On Feb 23, 2015 11:05, "Ryan Sleevi" <<a href="mailto:sleevi@google.com">sleevi@google.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>> wrote:<br>> Have we just come across an issue with operating systems/browsers and<br>> private roots?<br>><br><br>Yes<br><br>><br>><br>> I suppose an attacker can install proxy software with their private root and<br>> examine all secured traffic. We don’t need Lenovo to install this software,<br>> this could easily be done by any corner-store computer shop.<br>><br><br>Correct<br><br>><br>><br>> Should private roots get the same trust indication as public trust roots?<br>><br><br>Yes.<br><br>><br>><br>> Public key pinning didn’t even catch this issue as the private root seems to<br>> be trusted more than the public trust roots are.<br><br>Correct, because public key pinning is not designed to catch such<br>issues, as it cannot catch such issues.<br><br><a href="http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-" target="_blank">http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-</a><br><br>><br>><br>><br>> Thanks, Bruce.<br>><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></div></div></body></html>