Monday, 23 February 2015

Weak "Superfish Certificate" Found In More Software

It is not only owners of Lenovo laptops who, because of the Superfish adware, run the risk of their SSL traffic being intercepted: all kinds of other programs use the same kind of certificate. That was discovered by security researchers Marc Rogers and Filippo Valsorda, both working for CloudFlare. The certificate used by Superfish came from Komodia, an Israeli company.

The framework that the company built for Superfish turns out to have been used in other software as well. This concerns Keep My Family Secure, Easy Hide IP Classic, Lavasoft Ad-Aware Web Companion, StaffCop versions 5.6 and 5.8, Kurupira Webfilter and Qustodio's parental-control software. Rogers also names Hide My IP, although this software does not perform an SSL man-in-the-middle and the certificate it uses differs slightly from that of the other programs. Still, it too installs an unrestricted root certificate protected by a simple password stored in plain text. Moreover, the certificates Komodia used for these programs are weak, and the password is always "Komodia".

"I think it's safe to assume that every SSL interception product sold by Komodia, or based on the Komodia SDK, uses the same method," said Rogers. This means the dangerous certificates are not restricted to Lenovo laptops. Anyone who has come into contact with a Komodia product or has parental-control software installed should check whether they are at risk.

"This problem is much bigger than we thought," warns Rogers. Because the certificates are weak, an attacker can eavesdrop on or manipulate traffic without users noticing. Even if the user inspects the SSL connection, they see only the strength of the connection between the Komodia software and the browser, not of the connection that actually goes over the internet. Users can use this page to check whether one of the Komodia certificates is installed on their computer.
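As an added example (not from the article and not code from CloudFlare's researchers), the following Python script shows the check described above from the defender's side: it looks at the issuer of the certificate a connection on this machine actually receives and flags it when the issuer name carries a Superfish or Komodia marker, which is what a machine running one of these products sees instead of the site's real CA. The marker strings, the sample certificates and the hostname are assumptions constructed for the example; only the standard library is used.

```python
"""Flag TLS interception roots of the Superfish/Komodia kind.

Added example, not part of the original article. It uses only the
standard library. The name fragments checked ("superfish", "komodia") are
the vendor names the article mentions; that a given installation's root
actually carries those strings in its name is an assumption of this
example, not something the article states.
"""
import socket
import ssl

# Issuer name fragments (lower-cased) that indicate an interception root of
# the kind discussed in the article. Assumed values, extend as needed.
INTERCEPTION_MARKERS = ("superfish", "komodia")


def flatten_name(name):
    """Turn the nested tuple form used by ssl.getpeercert() into a dict.

    getpeercert() returns a name as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs, e.g. ((('organizationName', 'X'),),).
    """
    fields = {}
    for rdn in name:
        for attr, value in rdn:
            fields[attr] = value
    return fields


def interception_markers(cert):
    """Return the marker strings found in the certificate's issuer name.

    `cert` is a dict in the ssl.getpeercert() format. An empty list means
    the issuer does not look like a Komodia-style interception root.
    """
    issuer = flatten_name(cert.get("issuer", ()))
    haystack = " ".join(issuer.values()).lower()
    return [marker for marker in INTERCEPTION_MARKERS if marker in haystack]


def is_intercepted(cert):
    return bool(interception_markers(cert))


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect using the system trust store and return the leaf certificate.

    If an interception root is trusted by the OS, the leaf's issuer is that
    root (the site's real CA is never seen by this machine). Needs network
    access, so it is only called from the command-line entry point.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format. The issuer values are made up
# to resemble an interception root and a normal public CA; they are not
# copied from any real certificate.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

SAMPLE_NORMAL = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R1"),),
    ),
}


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # assumed host
    cert = fetch_peer_cert(host)
    found = interception_markers(cert)
    print(f"{host}: issuer = {flatten_name(cert['issuer'])}")
    if found:
        print("connection is intercepted by a root matching:", ", ".join(found))
    else:
        print("no interception marker found in the issuer name")
```

Run it as `python check_issuer.py www.example.com` on the machine you want to check; because a Komodia-style proxy sits below the browser, a script on the same host receives the same re-signed certificate the browser does, so the issuer it reports is exactly the one the user cannot see through the browser's padlock.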

Meanwhile Superfish puts the blame on Komodia. The company told the Associated Press that the vulnerability was inadvertently introduced into the software by a third party. Superfish CEO Adi Pinhas also denounced the "false and misleading messages" in the media.
