Kaspersky fixed a certificate validation bug in its software that was affecting 400 millions users.
Discovered by persistent bug-hunter Her Tavis Ormandy Google. The fault lies in how the company's antivirus inspects the encrypted traffic.
As it decrypts the traffic before the inspection, Kaspersky presents her certificates as a trusted authority. If a user opens Google in his browser, for example, the certificate will appear to be from Kaspersky Anti-Virus Personal Root.
The problem that Ormandy found was that the internal certificates were incredibly weak.
“As new certificates and keys are generated, they are entered using the first 32 bits of 3MD5(serialNumber||issuer) as key … You don't need to be a cryptographer to understand that a 32-bit key is not enough to prevent brute-force attacks,” the researcher says.
For error reporting Ormandy gave a PoC certificate conflict between Hacker News and manchesterct.gov:
"If useste Kaspersky Antivirus in Manchester, and you're wondering why Hacker News doesn't work sometimes, it's because a critical vulnerability has disabled SSL certificate validation for 400 million Kaspersky users.”
Kaspersky reportedly corrected the 28 December error.
Kaspersky: SSL interception differentiates certificates with a 32bit hash