Kaspersky corrected a certificate validation error in her software that affected 400 millions of users.
It was discovered by Google's stubborn bug-hunter Tavis Ormandy. The flaw lies in how the company's antivirus inspects encrypted traffic.
Since it decrypts traffic before inspection, Kaspersky presents its certificates as a trusted authority. If a user opens Google in their browser, for example, the certificate it will appear to come from Kaspersky Anti-Virus Personal Root.
The problem that Ormandy found was that the internal certificates were incredibly weak.
"As new certificates and keys are created, they are entered using the first 32 bits of 3MD5 (serialNumber || issuer) as a key… You do not need to be a cryptographer to understand that a 32bit key is not enough to prevent brute-force attacks" , says the researcher.
For the bug report Ormandy provided a PoC conflictof certificates between him Chippers News and manchesterct.gov:
"If you're using Kaspersky Antivirus in Manchester, and you're wondering why Hacker News doesn't work sometimes, it's because a critical vulnerability disabled SSL certificate validation for 400 million Kaspersky users.”
Kaspersky reportedly corrected the 28 December error.
Kaspersky: SSL interception differentiates certificates with a 32bit hash