Two more software makers have been caught adding dangerous, Superfish-style man-in-the-middle code to the applications they publish. The development is significant because it involves AV company Lavasoft and Comodo, a company that issues roughly one-third of the Internet’s Transport Layer Security certificates, making it the world’s biggest certificate authority.
Lavasoft and Comodo were added to the list just as researchers were discovering simpler, more potent ways to exploit the vulnerabilities. Late last week came word that self-signed Secure Sockets Layer certificates installed by a company called Komodia caused most browsers to trust any self-signed certificate that used the same easily extracted private key. That was bad, but now researchers have discovered vulnerabilities in the closely related proxy software of the interception applications from Komodia and Comodo. The new insight makes it even easier for attackers to forge trusted credentials that impersonate Bank of America, Google, or any other HTTPS-protected destination on the Internet.
The first case involves Lavasoft Ad-aware Web Companion, software distributed by antivirus provider Lavasoft. Like the Superfish software included in Lenovo laptops (and, as was later confirmed, in products from more than 14 other companies), Lavasoft incorporated SSL-interception technology sold by Komodia.