14 DAY TRIAL // Evidence has been found suggesting that cybercriminals may be relying on the traffic interception engine from Komodia, integrated in Superfish and other software solutions, for nefarious purposes in the wild.
Last week, the browser add-on Superfish that had been pre-loaded on certain Lenovo notebook models intended for consumers sparked debate among security researchers on account of the fact that it added a self-signed certificate to validate HTTPS websites, protected by the same RSA private key on all machines it was installed on.
The software places itself between the client and the server and acts as a proxy for the two parties, being able to decode the encrypted traffic.
By learning the crypto key (Robert Graham did it in three hours), an attacker could intercept the secure communication from a victim’s machine to a server.
Security researchers from Electronic Frontier Foundation (EFF) discovered more than 1,600 cases where Komodia’s software failed to reject invalid certificates presented by HTTPS websites.
Data in Subject Alternative Name remains unaltered
The problem is deeper than this, though, because Komodia would also re-sign an invalid certificate (thus making it valid), but changed the name of the website it vouched for, in order to trigger a warning in the web browser.
However, the same certificate can be used to validate more than one website, by adding the domain name in a field called Subject Alternative Name.
Filippo Valsorda of CloudFlare has found that Komodia leaves this information untouched; this means that the certificate is validated for the alternative domains and the browser issues an alert only in the case of the main one.
High-profile domains may be affected
Joseph Bonneau and Jeremy Gillula from EFF said in a blog post on Wednesday that data from the Decentralized SSL Observatory revealed high-profile domains being affected, from Google, Yahoo, Amazon, Bing, eBay, Twitter, Netflix, GPG4Win.org, several banking websites and Mozilla’s Add-Ons website.
“While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did,” the duo said.
“Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys,” the researchers added.
Komodia licenses its software, called SSL Digestor, and it has been included in more software pieces other than Superfish, which used it to inject ads in websites. It is also used by parental control applications like Qustodio, Kurupira WebFilter or Komodia’s own Keep My Family Secure.