[German]Yesterday I reported the Lenovo Superfish adware 'incident' (Lenovo ships Superfish adware preinstalled on systems). Today it seems that the problem is even wide spread. Komodia SSL certificates and their SSL hijacking sdk are used in more products.
Marc from Marc's Security Ramblings has posted this blog article. Marc investigated the case and write that a company Komodia (www.komodia.com) created an SSL decoder to hijack SSL communication. Using the Komodia link above results today in a message, that the site is offline due to DDOS attack.
But I was able to get a copy of the article SSL-Decoder/Digestor description. Before it is removed from wayback machine, I've created a few screen shots. Here is a description, what Komodia has developed the SSL decoder/digestor for – here is, what they wrote so far:
»Komodia » Komodia's SSL Decoder/Digestor
Our advanced SSL hijacker SDK is a brand new technology that allows you to access data that was encrypted using SSL and perform on the fly SSL decryption. The hijacker uses Komodia's Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser's certification warning.
This unique technology opens the door to number of exciting possibilities:
- Parental control: Filter SSL data based on keywords and URI – unlike current SSL filtering, which is based on IPs.
- Secure anonymizer: strip data revealing information from SSL traffic.
- Spam filtering: Filter encrypted Outlook mail sessions.
- Traffic monitoring: Track surfing activities containing encrypted data (Current tracking products can only report IPs.)
- Stream sniffing: Sniff encrypted network activity.
Their intension was to hack a system to decode, monitor and manipulate any SSL connection. Komodia has developed a Hijacker SDK and offered it offensively. Here is a screenshot of the website explaining how Komodia SDK components works.
All web site requests from a browser (IE) are redirected from Komodia SSL Hijacker to Komodia Redirector. This enables to record every communication – and owning the SSL root certificate enables to read, manipulate and block any https connection. Here the explanation, obtained from Komodia's promotional website:
- Internet explorer connects to a web server on port 443 using SSL. The data is encrypted.
- Komodia's SSL hijacker intercepts the communication and redirects it to Komodia's Redirector. The channel between the SSL hijacker and the Redirector is encrypted.
- At this stage, Komodia's Redirector can shape the traffic, block it, or redirect it to another website.
- Communication between the Redirector and the website is encrypted using SSL.
- All data received from the website can be again modified and/or blocked. When data manipulation is done, it is forwarded again to Internet explorer.
- The browser displays the SSL lock, and the session will not display any "Certificate warnings".
Marc write in his blog post, that all products using the framework from Komodia (SSL Hijacker) are compromised in the same way. He found the following products using this SSL certificate:
- Komodia's "Keep My Family Secure" Parental Control Software.
- Qustodio's Parental Control Software
- Kurupira Webfilter
All using the same SSL certificate and the password komodia (see Extracting the SuperFish certificate). Overall: It's not a little "Lenovo Bing Bullshit" (which is worse), it's even more worse – it seems that potentially any system could be affected.
Tip: If you like to test if your system comes with Komodia SSL certificate, head over to this website (doesn't work for Firefox, because they use their own certificate).
Postscriptum: Currently I'm asking me, whether a private communication via Internet is still possible? I think: No. And I'm asking me, how much sense does Google's decision makes, to flag any http connection in Google Chrome as "unsequre", whilst https sessions are always flagged as safe? Answer: It's the same bingo bullshit (we called it here "weiße Salbe" – a kind of "white pill" or "lick of paint"). Have a nice friday.
Cookies helps to fund this blog: Cookie settings