All secure data analyzed locally, did not leave computer

Feb 23, 2015 09:48 GMT

SSL Digestor, the flawed traffic interception engine from Komodia that is bundled with the Superfish browser component, has also been employed in Ad-Aware Web Companion from antivirus provider Lavasoft.

The engine relies on the same root certificate and the same RSA private key to replace the digital certificates of any HTTPS website contacted by the user.

Lavasoft's product acted locally, no data collected

It acts as a transparent proxy between the client and the server, processing all SSL traffic exchanged between the two parties, thus being able to decode the encrypted stream.

Last week, it was discovered that the Superfish browser component that had been pre-loaded on Lenovo laptops for consumers posed a serious risk to Lenovo customers, as all the signing was done locally and the certificate’s private key could be extracted without too much effort.

Since then, security experts have found that the insecure code from Komodia is present in a slew of other applications.

The antivirus maker issued a statement on Sunday, admitting that the HTTPS-inspection functionality included in Web Companion for protecting users against malicious content/advertising coming through a secure connection also relied on Komodia’s SSL Digestor, putting users at risk.

The company stresses the fact that it did not collect or analyze encrypted data because the entire process was carried out locally.

Komodia root certificate no longer delivered by Web Companion

Lavasoft also said that before the Lenovo/Superfish blunder became public, it made the decision to remove the functionality from its product and stop the delivery of the root certificate that broke the HTTPS protection. This came as a result of consulting with its partners and evaluating the risks and benefits to the users.

Since the private key belonging to the root certificate was stored locally, an attacker could extract it and use it to sign certificates for malicious websites.

By compromising a public Wi-Fi network, the malicious actor could run man-in-the-middle (MitM) attacks on computers that still had the certificate installed in Windows’ or Mozilla’s certificate store.

The latest version of Ad-Aware Web Companion, published on February 18, no longer sports the ability to inspect HTTPS traffic. However, the company adds that it is “not yet able to confirm with certainty that the compromised component of the Komodia SSL Digestor has been removed.”

If the root certificate is still present on client machines, Lavasoft says that a new Web Companion build with routines to eliminate it will be issued on Monday.
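
An added example for administrators, not code from Lavasoft or Komodia: because the engine uses the same root certificate on every installation, one fingerprint is enough to audit a trust store that has been exported as a PEM bundle. The sample "certificates" and the fingerprint below are constructed placeholders; the real fingerprint must be taken from the vendor's advisory.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

def normalize_fp(fp):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return lowercase hex."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()

def fingerprints(pem_bundle):
    """Yield (position, SHA-256 hex digest) for each certificate in the bundle."""
    for pos, match in enumerate(PEM_RE.finditer(pem_bundle)):
        # PEM body is base64 of the DER encoding; strip line breaks first.
        der = base64.b64decode("".join(match.group(1).split()))
        yield pos, hashlib.sha256(der).hexdigest()

def find_blocked_roots(pem_bundle, blocklist):
    """Return (position, fingerprint) for every certificate on the blocklist."""
    blocked = {normalize_fp(fp) for fp in blocklist}
    return [(pos, fp) for pos, fp in fingerprints(pem_bundle) if fp in blocked]

def _pem(der):
    """Wrap raw bytes in PEM armor (used only to build the sample bundle)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: these byte strings stand in for DER certificates.
SAMPLE_DER = [
    b"constructed-root-A" * 8,
    b"constructed-interception-root" * 8,
    b"constructed-root-C" * 8,
]
SAMPLE_BUNDLE = "".join(_pem(der) for der in SAMPLE_DER)

# Placeholder fingerprint in the colon-separated form certificate viewers show.
PLACEHOLDER_BAD_FP = ":".join(
    f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER[1]).digest()
)

if __name__ == "__main__":
    for pos, fp in find_blocked_roots(SAMPLE_BUNDLE, [PLACEHOLDER_BAD_FP]):
        print(f"certificate #{pos} matches blocked root {fp}")
```

Windows' and Mozilla's stores are separate, so each one has to be exported and checked on its own.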
