SSL (Secure Sockets Layer), and its successor TLS, is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and unaltered.
To be able to create an SSL connection a web server needs an SSL certificate. The server first generates two cryptographic keys, a private key and a public key; the public key is then sent to a certificate authority, which issues a certificate binding it to the server's domain name.
Public key cryptography, also known as asymmetric cryptography, solves the key exchange problem by defining an algorithm which uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key). The same property is what makes a signature possible: something locked with the private key can be checked by anyone holding the public key, and only the holder of the private key could have produced it.
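The two-key property described above, as an added example (this is not code from the article): textbook RSA with toy-sized primes, so that the arithmetic is visible. The primes, the exponent and the sample message are assumptions chosen for the demonstration; real keys are thousands of bits long and are never applied byte by byte like this.

```python
# Added example (not code from the article): textbook RSA with toy-sized
# primes, to make the asymmetric property concrete.  Whatever is locked
# with one key of the pair only unlocks with the other.  The primes,
# exponent and messages are assumptions chosen so the arithmetic is
# visible; real keys are thousands of bits and never used per byte.


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Modular inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n), (d, n)): the public and private key for toy primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    d = modinv(e, phi)               # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def transform(key, blocks):
    """Raise every block to the key's exponent modulo n (encrypt or decrypt)."""
    exp, n = key
    return [pow(b, exp, n) for b in blocks]


def encrypt(key, message: bytes):
    """Lock a message with one key of the pair, one byte per block (toy only)."""
    return transform(key, list(message))


def decrypt(key, blocks) -> bytes:
    """Unlock with the other key of the pair.  With the wrong key the blocks
    come out as arbitrary numbers below n, not as the original bytes."""
    recovered = transform(key, blocks)
    if any(b > 0xFF for b in recovered):
        raise ValueError("recovered blocks are not bytes: wrong key?")
    return bytes(recovered)


def wrong_key_fails(lock_key, unlock_key, message: bytes) -> bool:
    """True when unlocking with unlock_key does NOT give the message back."""
    try:
        return decrypt(unlock_key, encrypt(lock_key, message)) != message
    except ValueError:
        return True


def demo() -> bool:
    public, private = keygen()
    msg = b"pay 100"                       # constructed sample message
    cipher = encrypt(public, msg)          # anyone can do this with the public key
    plain = decrypt(private, cipher)       # only the private key holder can undo it
    sig = encrypt(private, msg)            # "signing": locked with the private key
    verified = decrypt(public, sig)        # anyone can check it with the public key
    return plain == msg and verified == msg


if __name__ == "__main__":
    print("round trips succeed:", demo())                                  # True
    print("public key cannot undo public key:",
          wrong_key_fails(keygen()[0], keygen()[0], b"hi"))                # True
```

The second direction (lock with the private key, unlock with the public one) is the signature operation a certificate authority performs on a certificate. That is why the shared Komodia root private key discussed later matters: whoever holds it can produce signatures every affected machine will accept.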
The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them with an indicator, such as a padlock icon, to let them know they are currently protected by an SSL encrypted session.
In 2015 Ars Technica revealed that Lenovo was selling computers that came preinstalled with adware which hijacks encrypted web (SSL) sessions and leaves users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The affected machines were Lenovo PCs that had adware from a company called Superfish installed.
The Superfish package installs a self-signed root certificate that allows it to intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the certificate the browser sees is signed and controlled by Superfish and falsely represents itself as the official website certificate.
Things got so bad that in February 2015 the U.S. government "advised" Lenovo Group Ltd customers to remove Superfish, a program pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks.
Superfish performs ad injection using an SSL interception engine from an Israeli company called Komodia.
A brief step back to understand how Komodia does SSL/TLS interception and what that means.
On installation the Komodia software installs a root CA certificate in the system trust store.
Then, when a user tries to visit an HTTPS website, the software intercepts the connection and places itself between the browser and the server.
It connects to the server as a client and relays data between the two. To the browser it presents a copy of the server certificate with a different public key (its own), signed by the root it installed.
The worst part is that the root private key is the same on all machines, so anyone can extract it and sign fake certificates to use in MitM attacks.
Note that this also means that the actual HTTPS connection to the website is handled by the Komodia proxy client, that is, it is the Komodia software that connects to the server over the Internet, while the browser only ever talks to the proxy and only ever sees certificates signed by the shared root private key.
It appears that Komodia uses the same framework for many, many products (not just Superfish). Here are some that have been found so far:
- Komodia’s “Keep My Family Secure” parental control software.
- Qustodio’s parental control software
- Kurupira Webfilter
- Staffcop (versions 5.6 and 5.8)
- Easy hide IP Classic
- Lavasoft Ad-aware Web Companion
- Hide-my-ip
It is safe to assume that any SSL interception product sold by Komodia, or based on the Komodia SDK, uses the same method.
What does this mean? It means that those dodgy certificates are not limited to Lenovo laptops sold over a specific date range. Anyone who has come into contact with a Komodia product, or who has had some sort of parental control software installed on their computer, should check whether they are affected.
Komodia client-side SSL verification
At this point a legitimate question is: what does the Komodia proxy client do when it sees an invalid, untrusted or self-signed certificate? Copying it, changing its public key and signing it would turn it into a valid one without any warning.
It turns out that if a certificate fails validation the Komodia proxy still re-signs it (making it trusted) but changes the domain name so that a warning is triggered in the browser. Still bad, since the user and the browser receive misleading information about why the certificate is invalid, but clever.
However, the Komodia proxy copies the server certificate almost entirely. What does it do with alternative names? Subject Alternative Names are an X.509 extension that lists, in a separate field, other domains for which the certificate is valid. When that extension is present, browsers match the host name against it rather than against the main (common) name.
Boom. The Komodia proxy takes a self-signed certificate, leaves the alternative names untouched and signs it with its root. Because the browser finds the host name in the alternative names, it thinks it is a completely valid certificate.
So all an attacker needs to do to bypass verification is put the target domain in the alternative-name field instead of in the main name, which is the one that gets changed on failure. An attacker can intercept any HTTPS connection and present a self-signed certificate to the client, and the browser will show a green lock because Komodia signs it for them.
This means that whoever has Komodia software running on their system will accept any certificate that has the domain name in the alternative names.
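The interception flow described in the earlier section and the alternative-name bypass described just above, as one added example. This is not code from Komodia, Superfish, Ars Technica or this article: certificates are modelled as plain records, "signing" is just an issuer label rather than real cryptography, and the root name, the key labels and the "verify_fail." prefix used for the altered common name are assumptions made for the model.

```python
# Added example, not code from Komodia, Superfish or the article: a model of
# the interception proxy and of the alternative-name bypass.  Certificates
# are plain records, "signing" is an issuer label, and the root name, key
# labels and the "verify_fail." prefix are assumptions made for the model.
from dataclasses import dataclass

KOMODIA_ROOT = "Komodia root (assumed name, installed in the system store)"
PUBLIC_ROOT = "Public CA root (constructed)"
TRUSTED_ROOTS = {PUBLIC_ROOT, KOMODIA_ROOT}   # the victim's trust store


@dataclass
class Cert:
    common_name: str
    sans: tuple = ()        # Subject Alternative Names
    issuer: str = ""        # "" models a self-signed certificate
    public_key: str = "server-key"


def upstream_validates(cert: Cert) -> bool:
    """The proxy's own check of the certificate the real server presented."""
    return cert.issuer in TRUSTED_ROOTS


def komodia_resign(server_cert: Cert) -> Cert:
    """What the proxy hands the browser: a copy of the server certificate
    carrying the proxy's key and signed by the Komodia root.  On upstream
    validation failure the common name is altered so the browser warns,
    but the SAN list is copied through untouched."""
    cn = server_cert.common_name
    if not upstream_validates(server_cert):
        cn = "verify_fail." + cn   # assumed marker for the altered name
    return Cert(cn, server_cert.sans, KOMODIA_ROOT, "komodia-proxy-key")


def browser_accepts(cert: Cert, hostname: str) -> bool:
    """Browser-side check: trusted issuer and matching host name.  When a
    SAN extension is present the browser matches it and ignores the CN."""
    if cert.issuer not in TRUSTED_ROOTS:
        return False
    names = cert.sans if cert.sans else (cert.common_name,)
    return hostname in names


def attacker_cert(hostname: str, name_in_san: bool) -> Cert:
    """Constructed self-signed certificate presented by a network attacker."""
    if name_in_san:
        return Cert("bypass.invalid", sans=(hostname,))   # target only in SAN
    return Cert(hostname)                                 # target only in CN


def victim_accepts(hostname: str, name_in_san: bool, proxied: bool = True) -> bool:
    """Does the victim's browser accept the attacker's certificate for hostname?"""
    cert = attacker_cert(hostname, name_in_san)
    if proxied:                      # Komodia sitting between browser and network
        cert = komodia_resign(cert)
    return browser_accepts(cert, hostname)


if __name__ == "__main__":
    host = "bank.example"
    print("no proxy, self-signed:      ", victim_accepts(host, True, proxied=False))  # False
    print("proxy, host only in CN:     ", victim_accepts(host, False))                 # False
    print("proxy, host in SAN (bypass):", victim_accepts(host, True))                  # True
```

Without the proxy the browser rejects the self-signed certificate outright. With the proxy in place, the attacker's certificate comes out the other side signed by a root the victim trusts; the altered common name only helps when the browser has nothing else to match against, and the untouched SAN list gives it exactly that. The same `komodia_resign` step applied to a legitimate certificate is the normal interception path: the browser accepts it, but the key inside is the proxy's, not the website's.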
Source: Komodia/Superfish SSL Validation is broken
Who owns Komodia and Superfish, which are doing so much damage to the SSL, or secure link, world?
The owner of Komodia is Barak Weichselbaum, who was once a programmer in the Israeli IDF's Intelligence Corps. The Israeli Intelligence Corps is an Israel Defense Forces corps which falls under the jurisdiction of the IDF Directorate of Military Intelligence (Aman). The corps includes Unit 8200, the IDF's central collection unit, responsible for SIGINT collection and cryptanalysis, and the Hatzav Unit, responsible for collecting OSINT.
Komodia's Wikipedia page has disappeared.
The Superfish founder Adi Pinhas was formerly of 8200; he was also employed by Verint, which was linked to NSA surveillance. Michael Chertok, the CTO, is the co-founder of Superfish.
What about Lenovo? Well, it is a Chinese company and its founder is Liu Chuanzhi. As of 2013, Liu served as a senior advisor at Kohlberg Kravis Roberts & Company. He also served as the CEO of Rio Tinto.
Is it a coincidence that Lenovo, whose founder and owner is a well-connected globalist, teamed up with an unknown Israeli company to "inject ads", and that company in turn teamed up with another Israeli company to attack secure connections?
What we have here is two Israeli companies created and owned by men formerly with Israel's digital spy agency, Unit 8200, messing about with one of the most important Internet functions: secure connections.
These secure connections are used in every financial transaction, in email, in instant messaging, in supposedly secure government communications, in short in some of the most important digital transactions we engage in.
The two companies owned by (former???) spies have great covers.
Superfish makes money by injecting ads; Komodia is just helping it BREAK SECURE COMMUNICATIONS to help it make money.
But Komodia deliberately weakens security by using a weak password (the shared root private key was protected only by the password "komodia") and messing with security certificates.
Any tech-savvy person can at any time completely take over any secure transaction of any person unlucky enough to install any Komodia software. They can probably also infect the servers of companies they deceive with their fake keys and fake certificates.
However, until 2015 all these flaws in Superfish and Komodia were unknown. Only Lenovo, Superfish and Komodia employees, and possibly Unit 8200, knew about them.
Since only they knew about the flaws, only they could attack and take over secure communications. It was sheer bad luck that they were discovered.
So is this a one-off which was exposed in 2015 and ended that year? Well, that part of Project Talpiot may have ended, but you can bet your shekels another head of the hydra-headed monster is quietly working somewhere else.
Source Article from https://wideawakegentile.wordpress.com/2018/06/06/unit-8200-companies-hacked-ssl-connections/