Kaspersky corrected a certificate validation error in her software that affected 400 millions of users.
Discovered by persistent bug-hunter Tavis Ormandy της Google. Το ελάττωμα έγκειται στο πώς το antivirus της εταιρείας επιθεωρεί την κρυπτογραφημένη κίνηση.
Since it decrypts traffic before inspection, Kaspersky presents its certificates as a trusted authority. If a user opens Google in their browser, for example, the certificate will appear to come from Kaspersky Anti-Virus Our Team Root.
The problem that Ormandy found was that the internal certificates were incredibly weak.
“As the new certificates are created and the wrenches, they enter using the first 32 bits of 3MD5(serialNumber||issuer) as a key … You don't need to be a cryptographer to understand that a 32-bit key is not enough for prevention brute-force attacks", says the researcher.
For error reporting Ormandy gave a PoC certificate conflict between Hacker News and manchesterct.gov:
"If you're using Kaspersky Antivirus in Manchester, and you're wondering why Hacker News doesn't work sometimes, it's because a critical vulnerability disabled SSL certificate validation for 400 million Kaspersky users.”
Kaspersky reportedly corrected the 28 December error.
Kaspersky: SSL interception differentiates certificates with a 32bit hash