What about Bitdefender's SSL Certificate?

wirerogue

After reading all the bad stuff about Superfish, I noticed my web browser was also using SSL certificates that were not issued by the site I was visiting.

Turns out it was Bitdefender's own certificate.


This feature is easy enough to turn off, but it's on by default.

Does anyone know if this presents the same sort of man-in-the-middle risk as Superfish?
 
It does.

All that is happening with SuperFish and Bitdefender is that their service is decrypting the page first, looking at it, modifying it, etc., then re-encrypting it using their own private key.

The primary problem is that your browser will always trust the SuperFish and Bitdefender certificates. So if you visit a malicious website with a fake certificate, and SuperFish or Bitdefender doesn't kill that connection, it will re-sign it using their trusted certificate, and you'll then trust that fake site. SuperFish was stupid and used a 7-character, all-lowercase password that was in plain text inside the binary, making it even worse. If someone can crack the private key they can start signing sites using that key, making you think they are legitimate sites.

You should note though that Bitdefender is doing this as a way to inspect the encrypted traffic before it hits your browser, while SuperFish was doing it to intentionally give you ads and other crap. I'm not saying it's not a risk or that it's the best way to go about it.
 
SuperFish was stupid and used a 7-character, all-lowercase password that was in plain text inside the binary, making it even worse. If someone can crack the private key they can start signing sites using that key, making you think they are legitimate sites.


SuperFish was stupid, but not because they used a weak password. It is similar to the DRM problem: you want the program to use the private key to sign things, but you don't want the user to be able to. The issue is that the user controls the computing platform, not the program, so it should be assumed that the user can extract the private key at will. The solution is to engineer the system so the key itself is relevant only in a limited scope.


Superfish was stupid because they used the same private key on every computer with their software.

The proper way to do this is to have each computer randomly generate its own key so that key extraction is irrelevant.

I would hope BitDefender is doing this, but I don't use BitDefender so I can't check. If BitDefender is using the same private key for every install, they are putting their users at risk just the same as Superfish.
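The two checks this thread keeps coming back to, whether an interception root like Superfish's or Bitdefender's is sitting in your trust store, and whether that root is the same certificate (and so the same key pair) on every install, as an added Python example. This is not code from the thread or from either vendor. It relies only on Python's standard-library ssl and hashlib modules; the marker list, the SAMPLE_STORE entries and the SAMPLE_FINGERPRINTS values are constructed here for illustration and are not real certificates.

```python
import hashlib
import ssl

# Subject-name fragments that identify a locally installed TLS-interception root.
# Only the two products named in this thread are listed; add others as needed.
DEFAULT_MARKERS = ("superfish", "bitdefender")


def name_string(name):
    """Flatten the nested RDN tuples used by ssl's get_ca_certs()/getpeercert()
    into one readable string, e.g. 'organizationName=Superfish, Inc., commonName=...'."""
    return ", ".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def find_interception_roots(certs, markers=DEFAULT_MARKERS):
    """Return the entries of `certs` whose subject names one of `markers`.
    `certs` is a list of dicts shaped like SSLContext.get_ca_certs() output:
    each has 'subject' and 'issuer' RDN tuples and usually 'serialNumber'."""
    hits = []
    for cert in certs:
        subject = name_string(cert.get("subject", ()))
        if any(marker in subject.lower() for marker in markers):
            hits.append({
                "subject": subject,
                # A root that vouches for itself is exactly what a local interceptor
                # installs so the browser will accept the leaves it re-signs.
                "self_signed": cert.get("subject") == cert.get("issuer"),
                "serial": cert.get("serialNumber"),
            })
    return hits


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, colon separated, in the
    form printed by `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_root_installs(fingerprints_by_host):
    """Group hosts that carry an identical interception root.

    `fingerprints_by_host` maps a machine name to the fingerprint of the AV/proxy
    root found on it. Installs with the same fingerprint hold the same certificate
    and therefore the same key pair, which is the Superfish failure described in
    the thread: extracting the key from one box breaks every box. A product that
    generates its root per install gives a distinct fingerprint on every host and
    this function returns an empty list."""
    groups = {}
    for host, fp in fingerprints_by_host.items():
        groups.setdefault(fp, []).append(host)
    return [hosts for hosts in groups.values() if len(hosts) > 1]


def scan_system_store(markers=DEFAULT_MARKERS):
    """Scan this machine's default trust store for interception roots and report
    each with its SHA-256 fingerprint, ready to compare across machines with
    shared_root_installs(). On Windows, ssl loads the ROOT and CA system stores;
    elsewhere it reads the OpenSSL CA bundle. Both get_ca_certs() calls walk the
    same X509 store in the same order, so the parsed and DER lists line up."""
    ctx = ssl.create_default_context()
    parsed = ctx.get_ca_certs()
    ders = ctx.get_ca_certs(binary_form=True)
    report = []
    for cert, der in zip(parsed, ders):
        hit = find_interception_roots([cert], markers)
        if hit:
            hit[0]["sha256"] = fingerprint(der)
            report.append(hit[0])
    return report


# Constructed sample in the get_ca_certs() dict shape (not real certificates):
# one Superfish-style self-signed root next to an ordinary public root.
SAMPLE_STORE = [
    {
        "subject": ((("organizationName", "Superfish, Inc."),),
                    (("commonName", "Superfish, Inc."),)),
        "issuer": ((("organizationName", "Superfish, Inc."),),
                   (("commonName", "Superfish, Inc."),)),
        "serialNumber": "01",
    },
    {
        "subject": ((("organizationName", "Example Public CA"),),
                    (("commonName", "Example Public Root"),)),
        "issuer": ((("organizationName", "Example Public CA"),),
                   (("commonName", "Example Public Root"),)),
        "serialNumber": "02",
    },
]

# Constructed fingerprints as if collected from three machines' AV roots:
# two share one root (Superfish-style), the third was generated per install.
SAMPLE_FINGERPRINTS = {
    "laptop-1": fingerprint(b"shared-root-der"),
    "laptop-2": fingerprint(b"shared-root-der"),
    "desktop-3": fingerprint(b"unique-root-der"),
}

if __name__ == "__main__":
    print("sample store hits:", find_interception_roots(SAMPLE_STORE))
    print("shared roots across sample hosts:", shared_root_installs(SAMPLE_FINGERPRINTS))
    print("this machine:", scan_system_store())
```

To answer the third post's open question for a product you do run, run scan_system_store() on two or more machines with the same product installed and feed the fingerprints to shared_root_installs(): identical fingerprints mean one private key is shared across installs, distinct ones mean the root was generated locally. Note that a distinct root per install only removes the "one key unlocks everyone" problem; the first-post concern, that the browser trusts whatever the interceptor re-signs, remains as long as the root is in the store.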
 