AdTrustMedia Information for VU#366544
Adtrustmedia PrivDog fails to validate SSL certificates
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
We have confirmed that PrivDog 188.8.131.52 is affected.
Note that the above advisory has several inaccuracies.
- "The issue potentially affects a very limited number of websites."
This is incorrect, as the impact of disabling SSL validation means that every website visited on a vulnerable system is affected.
- "In some circumstances self-signed certificates do not trigger a browser warning but encryption is still provided to the end user, hence security via encryption remains intact."
While encryption may still be present between the client system and the web server, encryption is only one aspect of SSL or TLS. Authentication capabilities are completely disabled when PrivDog is installed.
- "The potential issue is only present if a user visits a site that actually has a self-signed certificate."
This is incorrect, as any legitimate site that is visited can fall victim to a MITM attack.
If you have feedback, comments, or additional information about this vulnerability, please send us email.