Komodia SSL Holes Could Affect Dozens of Web Products Besides Superfish

Lenovo's Superfish adware is just one of "more than 100 clients" that use Komodia's network-traffic interception libraries.


While critics continue to take PC maker Lenovo to task for including Superfish adware on its consumer notebook systems, the flawed security of the network-traffic interception component has turned the spotlight on boutique developer Komodia.

Komodia, a small information-technology firm founded in 2000, sells its network interception technology—Redirector and SSL Digestor—to other software makers. The Komodia software installs a root certificate-authority (CA) certificate to aid in intercepting encrypted traffic. However, because the certificate's private key was poorly secured, attackers could easily conduct a man-in-the-middle attack. In such an attack, an eavesdropper intercepts the encrypted traffic and can read or change it.

While Superfish brought the issue to light, experts have identified about a dozen other software programs using the Komodia components and the company claims that “more than 100 clients” use its software development kits. Each of those products could put the user’s machine at risk, Marc Rogers, principal security researcher for Internet security firm CloudFlare, stated in a blog post.

“If you have come into contact with any Komodia product, I would check for unrestricted private root certificates, before carefully removing them and the associated software from any system that you care about,” he said.

Komodia’s interception technology installs a trusted root CA certificate and uses it to intercept any HTTPS-encrypted Web communications. Superfish used this functionality to intercept HTTPS-encrypted Web pages and insert advertisements. However, Komodia made a number of security errors, including using the same private key in every installation, encrypting that key with a simple password and allowing self-signed certificates to be trusted without eliciting a browser warning.
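The check Rogers recommends, looking for locally installed root certificates, can be scripted on the Windows systems the article concerns. The following PowerShell is an added example written for this page; it is not code from eWEEK, Komodia, Lenovo or Lavasoft, and it contains no Superfish or Komodia certificate thumbprint (none is given in the article). It lists every certificate in the machine and user trusted-root stores, flags the signs that distinguish an interception root from an ordinary public root (a private key reachable from the store, a recent issue date), and records a hash of each root's public key so that exports from several machines can be compared. The one-year "recent" threshold and the field names are assumptions.

```powershell
# Added example: audit Windows trusted-root stores for locally installed
# interception roots. Heuristic, not a signature; review the output by hand.
$RecentDays = 365   # assumption: roots issued within the last year are "recent"

function Get-RootCertReport {
    param(
        [int]$Days = $RecentDays,
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    foreach ($store in $Stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            # Basic Constraints tells us whether the certificate is marked as a CA.
            $isCa = $false
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                    $isCa = $ext.CertificateAuthority
                }
            }
            # Hash of the raw public key: identical hashes on different machines
            # mean the same key pair was shipped everywhere.
            $keyHash = ($sha256.ComputeHash($cert.GetPublicKey()) |
                ForEach-Object { $_.ToString('x2') }) -join ''

            $reasons = @()
            if ($cert.HasPrivateKey) {
                # A public root CA never comes with its private key; a local
                # interception root frequently does.
                $reasons += 'private key present in store'
            }
            if ($cert.NotBefore -gt (Get-Date).AddDays(-$Days)) {
                $reasons += "issued within the last $Days days"
            }
            if ($cert.Subject -ne $cert.Issuer) {
                # Roots are self-signed; anything else in the Root store is odd.
                $reasons += 'not self-signed'
            }

            [PSCustomObject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                IsCA          = $isCa
                HasPrivateKey = $cert.HasPrivateKey
                PublicKeyHash = $keyHash
                Suspicious    = ($reasons.Count -gt 0)
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

# Given reports exported from several machines (Export-Csv on each, then
# Import-Csv here), find public keys that appear on more than one machine under
# a subject that is not a well-known public CA. The known-CA list is an
# assumption to be filled from your own baseline.
function Find-SharedRootKeys {
    param(
        [Parameter(Mandatory)][object[]]$Reports,
        [string[]]$KnownPublicCASubjects = @()
    )
    $Reports |
        Where-Object { $KnownPublicCASubjects -notcontains $_.Subject } |
        Group-Object -Property PublicKeyHash |
        Where-Object { ($_.Group | Select-Object -ExpandProperty Machine -Unique).Count -gt 1 } |
        ForEach-Object {
            [PSCustomObject]@{
                PublicKeyHash = $_.Name
                Subject       = ($_.Group | Select-Object -First 1).Subject
                Machines      = ($_.Group | Select-Object -ExpandProperty Machine -Unique) -join ', '
            }
        }
}

# Usage on one machine: list only the flagged roots.
Get-RootCertReport | Where-Object Suspicious | Format-Table Store, Subject, Thumbprint, Reasons -AutoSize

# Usage across a fleet: add a Machine column before exporting, e.g.
#   Get-RootCertReport | Select-Object *, @{n='Machine'; e={ $env:COMPUTERNAME }} | Export-Csv roots.csv
# then merge the CSVs and run Find-SharedRootKeys -Reports (Import-Csv merged.csv)
```

A flagged root is a lead, not a verdict: confirm which installed product added it before removing anything, and remove the software that depends on the root along with the certificate, since the interception component will otherwise simply reinstall it.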

Barak Weichselbaum, the founder of Komodia, promptly responded to emails but declined to discuss the issues or the concerns of security researchers. An update for the software is currently being tested, he stated in an e-mail to eWEEK. “We have a release candidate and it’s being tested by us and other parties [to see] if we can release it,” he said.

The Komodia root CA has been found in a number of products, including parental control software, anonymizing software and Web filtering software.

Security software maker Lavasoft had included Komodia’s SSL Digestor software with its Ad-Aware Web Companion for the past year as a new feature to eliminate potential malicious code and advertisements in encrypted Web (HTTPS) traffic. While the company decided against continuing to include the Komodia software, some components of the product remained in the codebase, Lavasoft stated in a security advisory.

“Although Lavasoft’s most recent release of Ad-Aware Web Companion removed this functionality and was not supposed to contain the SSL Digestor, it was determined that trace elements of the Komodia SSL Digestor were still present,” the company said.

Lavasoft issued an update on Feb. 18 to fix the issue.

Lenovo has provided several fixes and is working to remove the Superfish software, which uses Komodia’s technology. Struggling with earlier missteps, Lenovo has committed to cleaning up the pre-configured installation on laptops sold to consumers, working with privacy and security experts on the proper configuration and allowing critics to evaluate its products.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...