AdTrustMedia Information for VU#366544

Adtrustmedia PrivDog fails to validate SSL certificates

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.privdog.com/advisory.html

Addendum

We have confirmed that PrivDog 3.0.96.0 is affected.

Note that the above advisory has several inaccuracies.

      1. "The issue potentially affects a very limited number of websites."
        This is incorrect, as the impact of disabling SSL validation means that every website visited on a vulnerable system is affected.
      2. "In some circumstances self-signed certificates do not trigger a browser warning but encryption is still provided to the end user, hence security via encryption remains intact."
        While encryption may still be present between the client system and the web server, encryption is only one aspect of SSL or TLS. Authentication capabilities are completely disabled when PrivDog is installed.
      3. "The potential issue is only present if a user visits a site that actually has a self-signed certificate."
        This is incorrect, as any legitimate site that is visited can fall victim to a MITM attack.

If you have feedback, comments, or additional information about this vulnerability, please send us email.