Komodia SSL Holes Could Affect Dozens of Web Products Besides Superfish
Lenovo's Superfish adware is just one of "more than 100 clients" that use Komodia's network-traffic interception libraries.

While critics continue to take PC maker Lenovo to task for including Superfish adware on its consumer notebook systems, the flawed security of the network-traffic interception component has turned the spotlight on boutique developer Komodia. Komodia, a small information-technology firm founded in 2000, sells its network interception technology—Redirector and SSL Digestor—to other software makers.

The Komodia software installs a root certificate-authority (CA) certificate to aid in intercepting encrypted traffic. However, because the certificate's private key was poorly secured, attackers could easily conduct a man-in-the-middle attack. In such attacks, an eavesdropper intercepts the encrypted traffic and can read or change it.

While Superfish brought the issue to light, experts have identified about a dozen other software programs using the Komodia components, and the company claims that "more than 100 clients" use its software development kits. Each of those products could put the user's machine at risk, Marc Rogers, principal security researcher for Internet security firm CloudFlare, stated in a blog post. "If you have come into contact with any Komodia product, I would check for unrestricted private root certificates, before carefully removing them and the associated software from any system that you care about," he said.
Komodia's interception technology installs a trusted root CA certificate and uses it to intercept any HTTPS-encrypted Web communications. Superfish used this functionality to intercept HTTPS-encrypted Web pages and insert advertisements. However, Komodia made a number of security errors, including using the same private key on every installation, encrypting that key with a simple password, and allowing self-signed certificates to be trusted without triggering a browser warning.
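The two points above, the risk a trusted interception root creates and the check Rogers recommends, as an added Go example that is not code from the article, from Komodia or from Superfish. It builds a constructed self-signed CA with a hypothetical name, shows that once that root sits in the trust store a certificate minted for any host verifies with no warning, and then audits a PEM bundle of trusted roots against a known-good allowlist of SHA-256 fingerprints; the bundle, the allowlist and the host name are all constructed for the example. On a real machine the bundle would be exported from the system or browser trust store and the allowlist would be the fingerprints of the roots you expect to be there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl with parent's key and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeInterceptionRoot is a constructed sample of the self-signed CA an interception library installs (hypothetical name, not Komodia's).
func MakeInterceptionRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interception Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// MakeLeaf signs a server certificate for host with the root's key; once the root is trusted, a certificate for any site verifies.
func MakeLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return sign(tmpl, root, &key.PublicKey, rootKey)
}

// ChainValid is the decision a browser makes: does leaf verify for host against roots?
func ChainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// UnknownRootCAs implements the check Rogers recommends: walk a PEM bundle of trusted
// roots and report every self-signed CA whose SHA-256 fingerprint is not on the allowlist.
func UnknownRootCAs(bundlePEM []byte, known map[string]bool) ([]string, error) {
	var unknown []string
	for block, rest := pem.Decode(bundlePEM); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !cert.IsCA || cert.CheckSignatureFrom(cert) != nil {
			continue // not a self-signed CA, so not a root
		}
		if fp := fmt.Sprintf("%x", sha256.Sum256(cert.Raw)); !known[fp] {
			unknown = append(unknown, cert.Subject.CommonName)
		}
	}
	return unknown, nil
}

func main() {
	root, rootKey, err := MakeInterceptionRoot()
	if err != nil {
		panic(err)
	}
	leaf, err := MakeLeaf(root, rootKey, "bank.example")
	store := x509.NewCertPool()
	store.AddCert(root)
	fmt.Println("leaf for bank.example accepted once root is trusted:", err == nil && ChainValid(leaf, store, "bank.example"))
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
	fmt.Println(UnknownRootCAs(bundle, map[string]bool{}))
}
```

The fingerprint allowlist is the design choice that matters: matching on subject names would miss a rogue root that copies a well-known CA's name, whereas a SHA-256 hash of the DER bytes identifies exactly one certificate. A root that appears in the store but not in the allowlist is the "unrestricted private root certificate" Rogers describes, and the `ChainValid` call shows why it is dangerous: the minted certificate for bank.example passes the same check a browser performs, so no warning is shown.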