This week it was announced that next Superfish, standard on some Lenovo notebooks shipped, other programs intercepting SSL traffic. One of these programs was PrivDog . A vulnerability in certain versions of PrivDog caused the software each certificate which replaced the Internet came and intercepted by a self-signed certificate. Even though it was about certificates that were not valid in the first place.
The Decentralized SSL Observatory of the EFF, which gathers information from the HTTPS Everywhere plugin for Firefox, has collected more than 17,000 different certificates PrivDog users. "Each of these licenses may be an attack. Unfortunately there is no way to know this for sure" says Joseph Bonneau of the Electronic Frontier Foundation (EFF).
"So what have we learned from this Lenovo / Superfish / Komodia / PrivDog debacle? For users, we have learned that the software is pre-installed on your computer can not be trusted, which means that reinstalling a clean operating system standard now procedure must be if someone has bought a new computer, " said Bonneau. The main lesson, he says, for software companies, which must stop intercepting SSL traffic of their users.
No comments:
Post a Comment