    Komodia SSL Holes Could Affect Dozens of Web Products Besides Superfish

    Written by

    Robert Lemos
    Published February 26, 2015

      While critics continue to take PC maker Lenovo to task for including Superfish adware on its consumer notebook systems, the flawed security of the network-traffic interception component inside Superfish has turned the spotlight on its boutique developer, Komodia.

      Komodia, a small information-technology firm founded in 2000, sells its network interception technology, Redirector and SSL Digestor, to other software makers. The Komodia software installs a root certificate-authority (CA) certificate into the system's trust store so that it can intercept encrypted traffic. However, because the private key for that certificate was the same on every installation and only weakly protected, anyone who extracted it could sign certificates for any site and conduct a man-in-the-middle attack. In such an attack, an eavesdropper sits between the user and the site, decrypts the traffic, and can read or alter it without the browser raising a warning.

      While Superfish brought the issue to light, experts have identified about a dozen other software programs using the Komodia components and the company claims that “more than 100 clients” use its software development kits. Each of those products could put the user’s machine at risk, Marc Rogers, principal security researcher for Internet security firm CloudFlare, stated in a blog post.

      “If you have come into contact with any Komodia product, I would check for unrestricted private root certificates, before carefully removing them and the associated software from any system that you care about,” he said.

      Komodia’s interception technology installs a trusted root CA certificate and uses it to intercept any HTTPS communication: for each connection it terminates the TLS session locally and presents the browser with a substitute certificate signed by its own root. Superfish used this functionality to intercept HTTPS-encrypted Web pages and insert advertisements. However, Komodia made a number of security errors, including shipping the same private key with every installation, protecting that key with a trivial password, and re-signing even self-signed or otherwise invalid server certificates with its root, so that the browser accepted them without eliciting a warning.
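      The two passages above (the root CA installed by the SDK, and the three errors in how it was used) are easier to reason about with a working model. The following Go program is an added example written for this page; it is not Komodia's, Superfish's or any vendor's code, and the root name "Example Interceptor Root" and the hostnames "selfsigned.example" and "bank.example" are constructed. It builds an unrestricted root CA of the kind such software installs, re-signs a certificate for whatever host the interceptor sees without validating the upstream certificate (the third flaw), and then shows that anyone holding the same root key (the first flaw) can mint a certificate for an unrelated site that a trust store containing that root accepts. It also includes the check Rogers recommends: whether a CA certificate in the store is unrestricted, that is, carries no name constraints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed root CA like the one an interception SDK
// installs into the OS trust store. The subject name is made up for this
// example. No name constraints are set, so the CA may sign for any hostname.
func newRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Interceptor Root"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// resign does what the interceptor does for every TLS connection: mint a
// fresh leaf for the requested host under the root. The upstream server's
// certificate is deliberately never examined, which is the third flaw the
// article describes: a self-signed or expired upstream certificate comes out
// the other side re-signed by a trusted root.
func resign(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedFor asks the question a browser asks: does leaf chain to a root in
// the trust store for this hostname? The store here holds only the given root.
func trustedFor(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// isUnrestrictedCA is the check Rogers recommends running over a trust store:
// a CA certificate with no name constraints can vouch for any site.
func isUnrestrictedCA(c *x509.Certificate) bool {
	return c.IsCA && len(c.PermittedDNSDomains) == 0 && len(c.ExcludedDNSDomains) == 0
}

func main() {
	root, key, err := newRoot()
	if err != nil {
		panic(err)
	}
	fmt.Println("installed root is an unrestricted CA:", isUnrestrictedCA(root))

	// Third flaw: the interceptor re-signs an upstream cert it never validated.
	leaf, _ := resign(root, key, "selfsigned.example")
	fmt.Println("self-signed upstream now trusted by the browser:", trustedFor(leaf, root, "selfsigned.example"))

	// First flaw: every installation shipped the same key, so anyone who
	// extracted it once can forge a certificate for any site on any machine.
	forged, _ := resign(root, key, "bank.example")
	fmt.Println("attacker's bank.example certificate trusted:", trustedFor(forged, root, "bank.example"))
}
```

      The hostname check in trustedFor still works as designed: the forged certificate is rejected for a hostname it does not name, and it is rejected by a machine whose store does not contain this root. The problem is entirely that the root is in the store on every affected machine and its key is in every attacker's hands, which is why Rogers' advice is to find and remove the root, not to tune the browser.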

      Barak Weichselbaum, the founder of Komodia, promptly responded to emails but declined to discuss the issues or the concerns of security researchers. An update for the software is currently being tested, he stated in an e-mail to eWEEK. “We have a release candidate and it’s being tested by us and other parties [to see] if we can release it,” he said.

      The Komodia root CA has been found in a number of products, including parental control software, anonymizing software and Web filtering software.

      Security software maker Lavasoft had included Komodia’s SSL Digestor software with its Ad-Aware Web Companion for the past year as a new feature to eliminate potential malicious code and advertisements in encrypted Web (HTTPS) traffic. While the company decided against continuing to include the Komodia software, some components of the product remained in the codebase, Lavasoft stated in a security advisory.

      “Although Lavasoft’s most recent release of Ad-Aware Web Companion removed this functionality and was not supposed to contain the SSL Digestor, it was determined that trace elements of the Komodia SSL Digestor were still present,” the company said.

      Lavasoft issued an update on Feb. 18 to fix the issue.

      Lenovo has provided several fixes and is working to remove the Superfish software, which uses Komodia’s technology. Struggling with earlier missteps, Lenovo has committed to cleaning up the pre-configured installation on laptops sold to consumers, working with privacy and security experts on the proper configuration and allowing critics to evaluate its products.

      Robert Lemos
      Robert Lemos is an award-winning journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
