Over the past week many more details have emerged about the HTTPS-breaking Superfish software that Lenovo pre-installed on its laptops for several months. As is often the case with breaking security incidents, most of what we know has come from security engineers volunteering their time to study the problem and sharing their findings via blogs and social media.
Unfortunately, the security implications have gone from bad to worse the more we’ve learned. For instance, researchers have determined that the software library Superfish uses to intercept traffic—developed by a company known as Komodia—is present in more than a dozen other software products, including parental control software and (supposed) privacy-enhancing/ad-blocking software. All of these products have the same vulnerability that Superfish does: anyone with a little technical know-how could intercept and modify your otherwise secure HTTPS traffic.
What’s worse is that these attacks are even easier than researchers originally thought, because of the way Komodia’s software handles invalid certificates: it alters the part of the certificate which specifies what website the certificate is for—for example changing www.eff.org to verify_fail.www.eff.org—and then signs the certificate and sends it on to your browser. Since the website listed on the certificate (verify_fail.www.eff.org) doesn’t match the website the user is actually visiting (www.eff.org), the browser shows a warning to the user.
But certificates have another field, called the Subject Alternative Name, which is used to list alternative domain names for which the certificate can be used (so that website operators can re-use the same certificate across all of their domain names). EFF, for example, uses the same certificate for eff.org, www.eff.org, and *.eff.org. Even if the “main” domain name listed in the certificate doesn’t match the domain name of the website the user is browsing, the certificate will still be accepted as long as one of the alternative names match. And because Komodia’s software signs the certificate (and tells your browser that it should trust certificates it signs if they’re otherwise valid), the certificate will pass all the browser’s checks, and come up smelling like roses.
This means that an attacker doesn’t even need to know which Komodia-based product a user has (and thus which Komodia private key to use to sign their evil certificate)—they just have to create an invalid certificate with the target domain as one of the alternative names, and every Komodia-based product will cause it to be accepted.
Evidence of Man-in-the-Middle Attacks in the Decentralized SSL Observatory
We searched the Decentralized SSL Observatory for examples of certificates that Komodia should have rejected, but which it ended up causing browsers to accept, and found over 1600 entries. Affected domains included sensitive websites like Google (including mail.google.com, accounts.google.com, and checkout.google.com), Yahoo (including login.yahoo.com), Bing, Windows Live Mail, Amazon, eBay (including checkout.payments.ebay.com), Twitter, Netflix, Mozilla’s Add-Ons website, www.gpg4win.org, several banking websites (including mint.com and domains from HSBC and Wells Fargo), several insurance websites, the Decentralized SSL Observatory itself, and even superfish.com.1
While it’s likely that some of these domains had legitimately invalid certificates (due to configuration errors or other routine issues), it seems unlikely that all of them did. Thus it’s possible that Komodia’s software enabled real MitM attacks which gave attackers access to people’s email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user’s browser or read their encryption keys.
To make matters worse, Komodia isn’t the only software vendor that’s been tripped up by this sort of problem. Another piece of software known as PrivDog is also vulnerable. Ostensibly, PrivDog is supposed to protect your privacy by intercepting your traffic and substituting ads from “untrusted sources” with ads from a “trusted” source, namely AdTrustMedia. Like Komodia’s software, PrivDog installs a root certificate when it’s installed, which it then uses to sign the certificates it intercepts. However, a bug in certain versions of PrivDog cause it to sign all certificates, whether they’re valid or not. Simply put, this means that any certificate your browser sees while PrivDog is installed could be the result of a man-in-the-middle attack, and you’d have no way of knowing. The Decentralized SSL Observatory has collected over 17,000 different certificates from PrivDog users, any one of which could be from an attack. Unfortunately, there’s no way to know for sure.
So what can we learn from this Lenovo/Superfish/Komodia/PrivDog debacle? For users, we’ve learned that you can’t trust the software that comes preinstalled on your computers—which means reinstalling a fresh OS will now have to be standard operating procedure whenever someone buys a new computer.
But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers.2 Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.
Let the events of the last week serve as a warning: attempting to insert backdoors into encryption as Komodia attempted to do (and as others have called for in other contexts) will inevitably put users’ privacy and security at risk.
- 1. Based on the “verify_fail” pattern, we also found certificates that purport to be from five pieces of software which, to our knowledge, haven’t yet been identified as using Komodia’s proxy software. The issuer fields for these certificates were: "O=Sweesh LTD, L=Tel Aviv, ST=Tel Aviv, C=IL, CN=Sweesh LT", "O=Kinner lake Gibraltar, L=My Town, ST=State or Providence, C=GI, CN=Kinner lake Gibraltar", "C=US, ST=California, L=SanDiego, O=EdgeWave.com, OU=Security, CN=EdgeWave.com/emailAddress=support@edgewave.com", "O=NordNet/emailAddress=cert-ssl@nordnet.net, L=HEM, ST=HEM, C=FR, CN=Nordnet.fr", and "O=PSafe Tecnologia S.A./emailAddress=psafe@psafe.com, L=Rio de janeiro, ST=Rio de janeiro, C=BR, CN=PSafe Tecnologia S.A.". While we were unable to identify any organizations associated with the first two certificates, EdgeWave, NordNet, and PSafe appear to sell antivirus or web filtering products.
- 2. Just last year, for example, researchers found a number of bugs in certificate validation libraries [PDF] through fuzz testing.