Security Failures in Web Content-Filtering Software, Net Nanny, Expose Users to Attacks that Allow Perpetrators to Intercept Secure Traffic Originating from the Victim’s Computer and View it, in Plain Text.
To be Able to Impose Restrictions for Viewing Online Content, the Application Intercepts Communication Entering the Computer, by Installing a Man-in-the-Middle (MitM) Proxy that Uses a Verified Root Certificate to Prove it Can be Trusted.
The Method is Widely Used with Software that Filters Encrypted Traffic and it Doesn't Pose Risks as Long as it is Implemented Correctly and the Certificate Doesn't Fall into the Wrong Hands.
However, Recent Incidents, such as that, Caused by SuperFish, or the One involving PrivDog, Have Showed that, Secure Implementation of MitM Proxies is Far from Being a Standard and Sparked a Violent Reaction from the Security Industry.
Root Certificates are Particularly Important because, they Can be Used Past the Trust Bestowed by the Issuing Authority to Other Certificates. As such, they Should Benefit from Increased Protection Lest they are Stolen and Used to Impersonate Legitimate Domains for Nefarious Purposes.
The Problem with ContentWatch's Net Nanny is that, the Application Uses the Same Root Certificate and Private Key for Generating it for All Software Installations. More than this, the Developer included the Private Key in Plain Text in the Application, Said in a Warning Garret Wassermann from Carnegie Mellon’s CERT Division.
The Risk Emerging from this, is that, an Attacker Could Use the Key to Generate New Certificates that Would Appear Trustworthy and Employ them to Spoof Legitimate Websites.
This Way, the User Wouldn't Receive any Alerts When Connecting to a Malicious Domain that Spoofs a Legitimate One. According to CERT, Version 7.2.4.2 has been Confirmed to be Affected but Other Releases Could also be Vulnerable.
The Organization Offers 2 Methods for Mitigating the Risk. One Refers to Uninstalling Net Nanny from the System, an Action that also Removes the Root Certificate from the Operating System’s Certificate Store.
The Other Workaround is, to Disable SSL Filtering and Remove the Certificate Manually. CERT Says that, this Solution Mitigates the Risk and Doesn't Impact Other Features of the Program.
Info Source:
http://www.kb.cert.org/vuls/id/260780
_Robot_Glove_Pics_1.jpg)
.jpg)
0 comentários:
Enviar um comentário