Don't use Comodo, Their Crapware Completely Breaks the Fundamental Security of the Web!


#1

This is bad, bad, bad, terrible, and more bad.

https://blog.hboeck.de/archives/865-Comodo-ships-Adware-Privdog-worse-than-Superfish.html

tl;dr There is an adware called Privdog that gets shipped with software from Comodo. It totally breaks HTTPS security.

A number of people gathered in a chatroom and we noted a thread on Hacker News where someone asked whether a tool called PrivDog is like Superfish. PrivDog’s functionality is to replace advertising in web pages with its own advertising “from trusted sources”. That by itself already sounds weird even without any security issues.

A quick analysis shows that it doesn’t have the same flaw as Superfish, but it has another one which arguably is even bigger. While Superfish used the same certificate and key on all hosts, PrivDog recreates a key/cert on every installation. However, here comes the big flaw: PrivDog will intercept every certificate and replace it with one signed by its root key. And that also means certificates that weren’t valid in the first place. It will turn your browser into one that just accepts every HTTPS certificate out there, whether it’s been signed by a certificate authority or not.


#2

This is kind of sad, actually - because some of us can remember a time, not too long ago, when Comodo’s free firewall was considered to be the new “go-to” program regarding reliable protection for the home user.

Now, we have this. How did this happen?


#3

Far as I’m aware, the firewall’s still good. Just don’t install PrivDog.

That said, it’s really sad that this is also coming from one of the major vendors of SSL certificates - i.e.: the people who should know how to do this right.

Assuming the signing key used by the proxy in PrivDog and similar doesn’t get compromised (it should be unique and randomly generated for each installation), an SSL proxy in itself is not a bad thing. Developers and security researchers commonly use them in debugging tools like Fiddler, and some antivirus suites use them to scan e-mail. It’s how these proxies are handling (or, rather, ignoring) bad external certs that breaks security so unconscionably.

That, and if they’re installing software on the user’s system to begin with then why do they even need a proxy? Why not just inject the tools into the browser, which can already see the traffic in the clear? The only reason I can see is that it’s probably more cost-effective for the vendor - develop a tool that intercepts traffic system-wide, and you don’t have to worry about writing a different version for each browser, e-mail client, or other application the user might need you to support.
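
As an added illustration of the flaw described in #1 and the proxy behaviour discussed in #3 (example code written for this page, not from the thread, from PrivDog or from Comodo): a Go program that stands up a loopback TLS server with a constructed self-signed certificate and then dials it the way an intercepting proxy's server-facing side would, once with certificate verification (the untrusted upstream is refused) and once with verification disabled (the upstream is accepted and could then be re-signed for the browser). The hostname upstream.example and all key material are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serveUntrusted starts a loopback TLS server for host with a freshly generated self-signed
// certificate (a constructed stand-in for a site no trusted CA vouches for) and returns its address.
func serveUntrusted(host string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return "", err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return "", err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil { return "", err }
	go func() { // complete one handshake per accepted connection, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln.Addr().String(), nil
}

// proxyDialUpstream is the server-facing decision an intercepting proxy makes. skipVerify=true is
// what the thread describes: every certificate is accepted and would then be re-signed for the
// browser. skipVerify=false validates the chain against the trusted roots, so a bad upstream is refused.
func proxyDialUpstream(addr, serverName string, skipVerify bool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: skipVerify})
	if err != nil { return err }
	return conn.Close()
}

func main() {
	const host = "upstream.example" // constructed hostname, not a real site
	addr, err := serveUntrusted(host)
	if err != nil { panic(err) }
	fmt.Println("verifying proxy:", proxyDialUpstream(addr, host, false))    // non-nil: untrusted chain
	fmt.Println("PrivDog-style proxy:", proxyDialUpstream(addr, host, true)) // <nil>: accepted anyway
}
```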


#4

Just got an email from Privdog about this forum topic.

Good Afternoon,

I wanted to reach out to Lowell Heddings regarding his recent post on Adtrustmedia’s PrivDog application. Don't use Comodo, Their Crapware Completely Breaks the Fundamental Security of the Web!

The content of your article was based on research posted and directly quotes the same research from Hanno Bock. Mr Bock’s post initially referenced PrivDog as being distributed by Comodo. Please note, as referenced in the advisory published by PrivDog on February 23rd 2015, the potential vulnerability was never present in the version distributed by Comodo. PrivDog version 3.0.96.0, available only to limited users, is the only version that is potentially affected by this vulnerability and all users have since been updated.

Mr Bock has since updated his post to reflect a more accurate understanding of the situation and we wanted to reach out to request that you update based on this change.

Please feel free to reach out to us anytime to discuss further.

Best,
PrivDog Team


#5

Translated: “We are still shipping adware with our products, just not adware that interferes with SSL.”

That’s still not the kind of thing a security vendor should be doing. Installing third party adware with a security product is a little like sleeping with a hungry badger under the bed and expecting to not get bit.


#6

You really have to dig deep into a Comodo installation to keep from installing all this other junkware. No normal user could possibly prevent the installation during the “recommended” install. Just another rogue software outfit preying on the innocent.


#7

I don’t think that’s quite accurate. More like “We’re still shipping adware that interferes with SSL, but it’s more responsible about how it interferes with SSL now”.

I used Comodo Firewall, if I recall correctly, from the Windows 9x days up until my (relatively) recent switch to Windows 8. During that time, I would usually re-install my operating system and programs about once a year for various reasons. So, it’s safe to say I’ve been through a few Comodo Firewall installs.

Though I may not have done it recently, with the latest version, I do recall that I’ve installed versions of Comodo where PrivDog was bundled before and never had the slightest bit of trouble finding and excluding it from the installation.

There are obviously a number of exceptions to this, but I generally feel like most of the time such unwanted software gets installed not so much because a vendor has “buried” the opt-out function but because users just don’t even bother to look. They simply click through the defaults regardless of what’s presented on the screen in front of them. Many bundled installers these days have a screen that is solely dedicated to informing the user of what additional software will be installed, and giving them a clear opportunity to opt-out, and yet many users will still just click through it like it wasn’t even there.

Agreed. Undermining the fundamental security principles of one of your own products in the process is even more disdainful.