Tuesday 21 April 2015

Net Nanny Brings SSL Connections At Risk


Users of Net Nanny, a popular product for parental control, risk attackers intercept traffic to HTTPS sites and eavesdropping, or that they are undetected to phishing sites so warns the CERT Coordination Center (CERT / CC) at Carnegie Mellon university. To the SSL traffic to monitor computers install Net Nanny a Man-in-the-Middle proxy, as well as their own root CA certificate.

Net Nanny for all installations appears to use the same certificate. In addition, the private key of the certificate directly from the software to retrieve. An attacker could use the private key to generate new certificates that Net Nanny will just trust. A user will be alerted in this case if it goes to a malicious HTTPS site as Net Nanny trust the rogue SSL certificate.

The vulnerability has been found in Net Nanny 7.2.4.2 but other versions may be vulnerable. At present, according to the CERT / CC not yet practical solution. However, users can choose to disable SSL filtering and removing the license or uninstall Net Nanny. The problem is similar to that of Super Fish. The adware that was installed on Lenovo laptops and also installed its own certificate allowing users at risk.

No comments:

Post a Comment