Author Topic: Polonus also had some junk in firefox.  (Read 5601 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Polonus also had some junk in firefox.
« on: February 28, 2015, 06:41:07 PM »
Just ran JRT and it cleansed this:
Quote
user_pref("extensions.TrafficLightSettings.ph_white", "thecrims.com\nhattrick.org\nraiffeisenonline.ro\nbrd-net.ro\ningonline.ro\nbancpost.ro\nbtrl.ro\ncrediteurope.ro\nalphab
user_pref("extensions.TrafficLightSettings.time", "23");
user_pref("extensions.TrafficLightSettings.trackerAssocMD5", "removed by me");
user_pref("extensions.TrafficLightSettings.trackerMD5", "removed by me");
user_pref("extensions.TrafficLightSettings.trackerSlfContent", "\r\n/******************************************************************************/\r\n/**********************
user_pref("extensions.TrafficLightSettings.trackersAssoc", "{\n   \"GOOGLE_TRADITIONAL_TRACKER\" : \"Google Analytics\",\n   \"GOOGLE_ASYNCHRONOUS_TRACKER\" : \"Google Analytics\"
user_pref("extensions.TrafficLightSettings.whiteMD5", "///////////////////////bf9a2770");
user_pref("extensions.TrafficLightSettings.widget_visible", "0");

Bye bye to this scam.

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
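The entries JRT removed above are plain `user_pref("name", value);` lines from the profile's prefs.js, and a removed or unwanted add-on can leave its whole `extensions.<root>.*` block behind. As an added example (not code from this post, from JRT or from Bitdefender), here is a small parser for that format that decodes the JavaScript string escapes (the `\n` and `\"` visible in the quoted lines), groups prefs by extension root, and reports roots that are not in the list of extensions you know are installed. The sample lines are constructed and only modelled on the shape of the quoted ones; the installed-extension list is an assumption for the demo.

```python
"""Parse Firefox prefs.js / user.js lines and list leftover extension prefs.

Added example, not code from the forum thread or from JRT. The sample
lines are constructed; the allowlist of installed extension roots is an
assumption for the demo.
"""
import re
from collections import defaultdict

# user_pref("name", value);  where value is a JS string, number or boolean
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\", "/": "/"}


def _unescape(s):
    """Decode the JavaScript string escapes prefs.js uses (\\n, \\", \\uXXXX)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_pref(line):
    """Return (name, value) for a user_pref line, or None for anything else."""
    m = _PREF_RE.match(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2).strip()
    if raw.startswith('"') and raw.endswith('"'):
        value = _unescape(raw[1:-1])
    elif raw in ("true", "false"):
        value = raw == "true"
    else:
        try:
            value = int(raw)
        except ValueError:
            value = raw  # anything unexpected is kept as text
    return _unescape(name), value


def extension_prefs(lines):
    """Group extensions.<root>.* prefs by root; every other pref is ignored."""
    by_root = defaultdict(dict)
    for line in lines:
        parsed = parse_pref(line)
        if not parsed:
            continue
        name, value = parsed
        parts = name.split(".")
        if len(parts) >= 3 and parts[0] == "extensions":
            by_root[parts[1]][name] = value
    return by_root


def leftover_roots(lines, installed_roots):
    """Extension roots that have prefs in the profile but are not installed."""
    return sorted(r for r in extension_prefs(lines) if r not in installed_roots)


# Constructed sample, modelled on the shape of the lines quoted in the post.
SAMPLE_PREFS = [
    '# Mozilla User Preferences',
    'user_pref("extensions.TrafficLightSettings.ph_white", "thecrims.com\\nhattrick.org");',
    'user_pref("extensions.TrafficLightSettings.time", "23");',
    'user_pref("extensions.TrafficLightSettings.widget_visible", "0");',
    'user_pref("extensions.TrafficLightSettings.trackersAssoc", '
    '"{\\n   \\"GOOGLE_TRADITIONAL_TRACKER\\" : \\"Google Analytics\\"}");',
    'user_pref("extensions.noscript.global", false);',
    'user_pref("extensions.lastAppVersion", "36.0");',
    'user_pref("browser.startup.homepage", "about:blank");',
]
INSTALLED = {"noscript"}  # assumption: the add-ons actually installed in this profile

if __name__ == "__main__":
    for root, prefs in sorted(extension_prefs(SAMPLE_PREFS).items()):
        print(f"{root}: {len(prefs)} prefs")
    print("leftover roots:", leftover_roots(SAMPLE_PREFS, INSTALLED))
```

Run it against your own prefs.js (`extension_prefs(open(path).readlines())`) with the roots of the add-ons listed under about:addons; anything else that shows up is the kind of residue JRT flagged here. Note that `extensions.lastAppVersion` is a Firefox-internal pref with no add-on root and is deliberately skipped.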

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #1 on: February 28, 2015, 06:48:05 PM »
Seems to be Creative Solutions crap but from where did it land?
Anyone? I now have a hunch it came from HP?
Has the Bitdefender TrafficLight extension already moved to 100 % cloud support?

pol
« Last Edit: February 28, 2015, 06:54:29 PM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #2 on: February 28, 2015, 11:00:02 PM »
@visitors of these support forums and users of additional Bitdefender tools,

It now seems that some Bitdefender products are also found to break HTTPS certificate revocation
using the poorly designed Komodia HTTPS interception library:
http://www.pcworld.com/article/2889692/some-bitdefender-products-break-https-certificate-revocation.html

As I said earlier in another place here on the forums the Superfish, PrivDog, Komodia scandal is just the tip of an iceberg. It will take some time before trust will be re-established and it will take some time before the size of this scandal will be fully known. Where did the marketeering swindle begin and where will this manipulation end?

The user is slowly waking up to this undesirable situation. All unreliable root certificates should be revoked and this should be a task for Microsoft to protect the very users of their OS against HTTPS certificate scam and manipulation by non-trusted third parties.

I found out by a simple Junkware Removal Tool scan, but how many of the users out there are still unaware victims?

Damian

« Last Edit: March 01, 2015, 12:34:07 AM by polonus »

REDACTED

  • Guest
Re: Polonus also had some junk in firefox.
« Reply #3 on: February 28, 2015, 11:28:22 PM »
Oh dear, so Bitdefender is using an insecure HTTPS intercept module? Welp, looks like I'll be avoiding them. Thanks for the heads up!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #4 on: March 01, 2015, 12:15:54 AM »
Hi Oliver,

The latest Komodia free SSL sniffer report: http://safestdownloads.net/komodia-free-ssl-sniffer-safe-download.aspx
How reliable might that info be as Bitdefender already fell through.  :o

polonus

Offline digmor crusher

  • Sr. Member
  • ****
  • Posts: 214
Re: Polonus also had some junk in firefox.
« Reply #5 on: March 01, 2015, 06:02:12 AM »
Hi Polonus, just a question. Are you saying Bitdefender Trafficlight is breaking HTTPS certificate revocation in Firefox? In one of your links it seems to indicate that only the Bitdefender AV products are doing this. I use Trafficlight extension in Chrome, ran JRT and it picked up nothing. So would like your opinion, is it safe to run Trafficlight in Chrome? Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #6 on: March 01, 2015, 01:27:25 PM »
Hi digmor crusher,

Not exactly sure where the Komodia comedy starts and ends and there are complicating factors.
Google Chrome might have seen this coming (just a far-fetched assumption on my part) so they stopped checking in their browser since 2012.

For Firefox I know this because of my own JRT scan results showing this up. It now seems that some Bitdefender products are also found to break HTTPS certificate revocation using the poorly designed Komodia HTTPS interception library:
http://www.pcworld.com/article/2889692/some-bitdefender-products-break-https-certificate-revocation.html

We cannot say for Google Chrome. Since 2012 they do not check for revocation in Google Chrome anymore :
http://arstechnica.com/business/2012/02/google-strips-chrome-of-ssl-revocation-checking/
and here: https://www.imperialviolet.org/2012/02/05/crlsets.html

When we look at the certificate for ep-reverse.nimbus.bitdefender.net, we find "Certificate not valid for domain name".
Secure HTTPS Connectivity

Secure Connection Successful
We were able to connect securely to your HTTPS server. This means that your HTTPS server is listening for and also responding to secure requests.

SHA-1 Certificate Expiring Before 1/1/2016
The certificate has a SHA-1 signature, but it expires before January 2016, and thus will not show any negative UI in Google Chrome. *

Name Mismatch
The server address which you provided does not match the server name on your SSL certificate. The server provided a certificate with a common name of nimbus.bitdefender.net.

From Bitdefender: http://www.bitdefender.com/support/gravityzone-communication-ports-1132.html

Intermediates Not Installed
Your server is either providing no intermediates or does not have the Trustwave intermediates installed.

Extended Validation (EV) Not Installed
Your server is not providing an EV certificate to visitors when they visit your site.  If you purchased an EV certificate then it is not installed on your server at this time.

Bitdefender TrafficLight via 148.251.76.152 seems supported by a secure protocol.

For no secure protocol supported IPs -> https://www.ssllabs.com/ssltest/analyze.html?d=ep-reverse.nimbus.bitdefender.net

How things stand with anti malware products that have cloud services is not known yet. See: How reliable can this info be as Bitdefender already fell through - http://safestdownloads.net/komodia-free-ssl-sniffer-safe-download.aspx
Read also  here: http://www.kb.cert.org/vuls/id/529496

This is the latest and best information I could provide you with,

polonus (volunteer website security analyst and website error-hunter)



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #8 on: March 01, 2015, 02:58:37 PM »
Bitdefender TrafficLight contact site certificate seems OK

Bitdefender TrafficLight checked here: https://certlogik.com/ssl-checker/
Has a weak key, but it is not on any blacklist, which is good.
sha1WithRSAEncryption (SHA-1 is being phased out)
Not listed (website: ep-reverse.nimbus.bitdefender.net is not listed in the certificate)
Issuer = CN = Thawte SSL CA,O = "Thawte, Inc.",C = US
Validity: 9 Apr 2015, 11:59 p.m. check: http://svr-ov-aia.thawte.com/ThawteOV.cer
thawte Primary Root CA Fingerprint D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #9 on: March 01, 2015, 07:16:03 PM »
Now when I start a scan here https://certlogik.com/ssl-checker/ for http://www.bitdefender.com
I get a red connection refused. Unable to connect to servers here: https://www.ssllabs.com/ssltest/analyze.html?d=www.bitdefender.com (response status code 405)

IP    159.253.146.202
Hostname   www.ams1.vdc.bitdefender.net
ASN   AS36351
Organization   SOFTLAYER - SoftLayer Technologies Inc.,US
Prefix   159.253.128.0/19
Country   Netherlands (NL)  answers with www.ams1
See: https://www.robtex.com/en/advisory/dns/net/bitdefender/vdc/ams1/www/

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #10 on: March 02, 2015, 03:17:37 PM »
A better test, but also one that failed here: https://www.wormly.com/test_ssl/h/www.bitdefender.com/i/184.173.143.50/p/443
and checked here: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
See results: https://www.uploady.com/download/d7alj5ol7f~/_qlUtwvxZPIPygRl
and https://www.uploady.com/download/yTSeIkemAV~/QxYIzMRSU2~Kn9LR

N.B. A smaller SSL handshake means a faster connection.
Reducing the number & size of certificates in your chain, and reducing the size of the public key will reduce this.

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #11 on: March 02, 2015, 03:33:03 PM »
DrWeb's extension 100% secure: https://www.wormly.com/test_ssl/h/sanchez.drweb.com/i/87.242.75.48/p/443
Certificate information
Common name:
 *.drweb.com
SAN:
 *.drweb.com, drweb.com
Valid from:
 2013-Jul-22 00:00:00 GMT
Valid to:
 2015-Jul-22 23:59:59 GMT
Organization:
 Doctor Web, Ltd.
Organizational unit:
 PremiumSSL Wildcard,Hosted by JSC Regional Network Information Center,IT Department
City/locality:
 Moscow
State/province:
 Moscow
Country:
 RU
Serial number:
 629fe06f99f5d787d1267dc2ce7a9cd0
Algorithm type:
 SHA1withRSA
Key size:
 2048
Certificate chainShow details
*.drweb.comTested certificate
RU-CENTER High Assurance Services CAIntermediate certificate

Warning for Kaspersky's:
Kaspersky has to update the certification chain to be recognizable for older browsers.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Polonus also had some junk in firefox.
« Reply #12 on: March 02, 2015, 03:49:05 PM »
Another check on Bitdefender's at www.digicert.com:

DNS resolves 'www.wdc1.vdc.bitdefender.net' to 184.173.143.50

HTTP Server Header: Apache

Heartbleed Vulnerability

This server is not vulnerable to the Heartbleed Bug.

Protocol Support

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

SSL 3.0 is an outdated protocol version with known vulnerabilities. This should be fixed.

SSL certificate

Common Name = -www.wdc1.vdc.bitdefender.net
Issuer = -www.wdc1.vdc.bitdefender.net
Serial Number = 2DD3
SHA1 Thumbprint = 7D24AD78188015088D7FDCD70E6C53BFE655D618
Key Length = 1024 bit
Signature algorithm = SHA1 + RSA (good)
Secure Renegotiation: Supported
This certificate does not use a vulnerable Debian key (this is good)

SSL Certificate has not been revoked

OCSP Staple:   Not Enabled
OCSP Origin:   Not Enabled
CRL Status:   Not Enabled

SSL Certificate is expired.

The certificate was valid from 04/01/2012 through 04/01/2013.

Certificate Name matches -www.wdc1.vdc.bitdefender.net


Subject   -www.wdc1.vdc.bitdefender.net
Valid from 01/Apr/2012 to 01/Apr/2013
Issuer   -www.wdc1.vdc.bitdefender.net
SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

polonus
« Last Edit: March 03, 2015, 01:24:48 AM by polonus »
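The checker reports pasted in Replies #6, #8, #11 and #12 all come down to a handful of mechanical tests on the leaf certificate: does the hostname match the CN/SAN (with the wildcard rules), is it inside its validity window, is it self-signed (issuer equals subject, so no chain to any root), is the key shorter than 2048 bits, and is the signature SHA-1 (and, for Chrome's UI policy of the time, does it expire before 1 January 2016). As an added example (not code from the forum author or from any of the online checkers), the script below runs those tests offline against certificate records constructed from the fields quoted in this thread. The `not_before` date of the nimbus certificate and the evaluation date of 1 March 2015 are assumptions; nothing is fetched from the network, and revocation (OCSP/CRL), which those services also test, is deliberately out of scope since it needs a live lookup.

```python
"""Offline versions of the leaf-certificate checks reported in this thread.

Added example, not the forum author's code nor any checker's code. The
certificate records are constructed from the fields quoted in the thread;
nothing is fetched from the network. Evaluation date assumed: 1 March 2015.
"""
from dataclasses import dataclass, field
from datetime import datetime

SHA1_UI_CUTOFF = datetime(2016, 1, 1)  # Chrome's SHA-1 deprecation milestone


@dataclass
class Cert:
    common_name: str
    issuer: str
    not_before: datetime
    not_after: datetime
    sig_alg: str        # e.g. "sha1WithRSAEncryption"
    key_bits: int
    san: list = field(default_factory=list)  # dNSName entries


def _label_match(pattern, hostname):
    """RFC 6125-style match: '*' only as the whole leftmost label, one label deep."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if not p.startswith("*."):
        return False
    rest = p[2:]
    if rest.count(".") < 1:          # refuse "*.com"-style patterns
        return False
    labels = h.split(".")
    return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == rest


def hostname_matches(hostname, cert):
    """SAN dNSNames are authoritative; the CN is used only when there is no SAN."""
    names = cert.san if cert.san else [cert.common_name]
    return any(_label_match(n, hostname) for n in names)


def check_certificate(hostname, cert, now):
    """Return the findings a practitioner would act on (empty list = clean)."""
    findings = []
    if not hostname_matches(hostname, cert):
        findings.append("name-mismatch")
    if now < cert.not_before:
        findings.append("not-yet-valid")
    if now > cert.not_after:
        findings.append("expired")
    if cert.issuer == cert.common_name:
        findings.append("self-signed")   # no chain to a trusted root at all
    if cert.key_bits < 2048:
        findings.append("weak-key")
    if cert.sig_alg.lower().startswith("sha1"):
        findings.append("sha1-signature")
        if cert.not_after >= SHA1_UI_CUTOFF:
            findings.append("sha1-expires-2016-or-later")
    return findings


# Constructed from the checker output quoted in the thread (not_before of
# NIMBUS is assumed; the thread only gives its expiry).
NIMBUS = Cert("nimbus.bitdefender.net", "Thawte SSL CA",
              datetime(2014, 4, 9), datetime(2015, 4, 9, 23, 59, 59),
              "sha1WithRSAEncryption", 2048, san=["nimbus.bitdefender.net"])
WDC1 = Cert("www.wdc1.vdc.bitdefender.net", "www.wdc1.vdc.bitdefender.net",
            datetime(2012, 4, 1), datetime(2013, 4, 1),
            "sha1WithRSAEncryption", 1024)
DRWEB = Cert("*.drweb.com", "RU-CENTER High Assurance Services CA",
             datetime(2013, 7, 22), datetime(2015, 7, 22, 23, 59, 59),
             "SHA1withRSA", 2048, san=["*.drweb.com", "drweb.com"])
NOW = datetime(2015, 3, 1)  # assumed evaluation date

if __name__ == "__main__":
    for host, cert in [("ep-reverse.nimbus.bitdefender.net", NIMBUS),
                       ("www.bitdefender.com", WDC1),
                       ("sanchez.drweb.com", DRWEB)]:
        print(f"{host}: {check_certificate(host, cert, NOW) or 'clean'}")
```

The wildcard matcher is the part worth reading closely: `*.drweb.com` covers `sanchez.drweb.com` but neither the bare `drweb.com` (which only matches because it is listed separately in the SAN) nor `a.b.drweb.com`. A checker that falls back to the CN when a SAN is present, or lets a wildcard span several labels, will report "name matches" for certificates browsers reject.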
