[cabfpub] Lenovo installation of malicious root.

Robin Alden robin at comodo.com
Mon Feb 23 21:21:47 MST 2015


Hi Chris,

PrivDog is not a Comodo Group product.  Comodo ships a version of PrivDog with Comodo Internet Security (CIS) and with Comodo browsers, but that is an earlier release which does not exhibit the identified behaviour.

The PrivDog version being downloaded and evaluated by security researchers is a newer stand-alone version that has never been distributed by Comodo.

The issue is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and is apparently due to a bug in a third-party library that PrivDog bought in.

The PrivDog team has released an advisory with more information, available here: http://privdog.com/advisory.html

 

I see that Hanno has updated his page somewhat, too, to remove the claim that it is Comodo distributing this flawed version of PrivDog.

https://blog.hboeck.de/archives/865-Adware-Privdog-worse-than-Superfish.html

cf. http://web.archive.org/web/20150223010209/https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html

 

Regards

Robin Alden

Comodo CA Ltd.

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Chris Palmer
Sent: 23 February 2015 14:38
To: Ryan Sleevi
Cc: public at cabforum.org
Subject: Re: [cabfpub] Lenovo installation of malicious root.

 

Also, Comodo might want to tell us what is going on here:

http://news.softpedia.com/news/Comodo-s-PrivDog-Breaks-HTTPS-Security-Possibly-Worse-than-Superfish-473968.shtml

On Feb 23, 2015 11:05, "Ryan Sleevi" <sleevi at google.com> wrote:

On Mon, Feb 23, 2015 at 10:41 AM, Bruce Morton <bruce.morton at entrust.com> wrote:
> Have we just come across an issue with operating systems/browsers and
> private roots?
>

Yes

>
>
> I suppose an attacker can install proxy software with their private root and
> examine all secured traffic. We don’t need Lenovo to install this software,
> this could easily be done by any corner-store computer shop.
>

Correct

>
>
> Should private roots get the same trust indication as public trust roots?
>

Yes.

>
>
> Public key pinning didn’t even catch this issue as the private root seems to
> be trusted more than the public trust roots are.

Correct, because public key pinning is not designed to catch such
issues, as it cannot catch such issues.

http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

>
>
>
> Thanks, Bruce.
>