SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

To be able to create an SSL connection a web server requires an SSL Certificate.  Your web server then creates two cryptographic keys – a Private Key and a Public Key.

Public key cryptography also known as asymmetric cryptography, solves the key exchange problem by defining an algorithm which uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key).

The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session

In 2015 the site -Ars Technica revealed that Lenovo was selling computers that come preinstalled with adware that hijacks encrypted Web sessions  (SSL sessions) and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

Lenovo PCs that have adware from a company called Superfish installed.

The Superfish  package installs a selfsigned root HTTPS certificate that can intercept encrypted traffic for every website a user visits.When a user visits an HTTPS site, the site certificate is signed and  controlled by Superfish and falsely represents itself as the official website certificate.

Things got so bad the the  U.S. government on Friday “advised ” Lenovo Group Ltd customers to remove the Superfish , program pre-installed on some Lenovo laptops, saying it makes users vulnerable to cyberattacks.

How it performs ad injection is by using a SSL interception engine by an Israeli company called  Komodia.

On installation the Komodia software will install a root CA certificate in the system trust store.

Then when a user tries to visit a HTTPS website, the software will intercept the connection and place itself between the browser and the server.

It will then connect to the server as a client, and relay data between the two. As a certificate to the client it will present a copy of the server certificate, with a different public key and signed by the root it installed.

The worst part is the root private key is the same on all machines, so anyone can take that and sign fake certificates to use in MitM attacks.

Note that this also means that the actual HTTPS connection is handled by the Komodia proxy client – that is, it’s the Komodia software that will connect to the server over the Internet using a common root private key .Source

It appears that Komodia uses the same framework for many, many products (not just Superfish). Here’s some that have been found so far:

  • Komodia’s “Keep My Family Secure” parental control software.
  • Qustodio’s parental control software
  • Kurupira Webfilter
  • Staffcop (version 5.6 and 5.8)
  • Easy hide IP Classic
  • Lavasoft Ad-aware Web Companion
  • Hide-my-ip

It is safe to assume that any SSL interception product sold by Komodia or based on the Komodia SDK is going to be using the same method.

All you need to do to bypass verification is put the target domain in the alternate field, instead of in the main one that will be changed on failure. An attacker can intercept any https connection, present a self-signed certificate to the client and browsers will show a green lock because Komodia will sign it for them.

This means that whoever has Komodia software running on their system  will accept ANY certificate that has the domain name in the alternates.

Source Komodia/Superfish SSL Validation is broken

Who owns Komodia and Superfish which are doing so much damage to the SSL or secure link world

The owner of Komodia is Barak Weichselbaum,who was once a programmer in Israel’s IDF’s Intelligence Corp The Israeli Intelligence Corps is an Israel Defense Forces corps which falls under the jurisdiction of IDF Directorate of Military Intelligence (Aman) The corps includes Unit 8200, which is the IDF central collection unit, responsible for SIGINT collection and cryptographical analysis, including the Hatzav Unit, responsible for collecting OSINT intelligence.

Komodio’s Wikipedia page has disappeared

The Superfish founder Adi Pinhas (right) was formerly of 8200 he was also employed by Verint, which was linked to NSA surveillance.Micheal Chertok (left) the CTO is the  co founder of Superfish

What about Lenovo ? Well its a Chinese company and its founder is Liu Chuanzhi  As of 2013, Liu served as a  senior advisor at Kohlberg Kravis Roberts & Company . He also served as the CEO of Rio Tinto.

Is it coincidence that Lenovo whose founder owner is a well connected globalist teamed up with an unknown Israeli company to “inject ads” and that company in turn teamed up with another Israeli company to attack secure connections?

What we have here is two Israeli companies created and owned former Unit 8200   (Israels digital spy agency) agents  messing about with one of the most important of Internet functions …………… secure connections

These secure connections are used in every financial transaction in emails in instant messaging in supposedly secure Government communications , in short in some of the most important digital transactions we engage in

The two companies owned by (former???) spies have great covers for any possible attempts at digital spying

Super Fish’s excuse  is its just making money by injecting ads in your PCs or laptops and Komodio is just helping it BREAK SECURE COMMUNICATIONS to help it plant more ads into your browser

Komodio deliberate weakens security by using weak passwords and messing with security certificates

Any tech savvy person can at anytime completely take over any secure transaction of any person unlucky enough to install any Komodio software They can probably infect the servers of companies they deceive with their fake keys and fake certificates

Kodomdio’s excuse can and will always be It wasnt me it was the man in the middle

However until 2015 all these flaws about Superfish and Komodio were unknown Only Lenovo Superfish Komodio employees and possibly Unit8200 knew about them

Since only they knew about the flaws only they could attack and take over secure communications It was sheer bad luck that they were discovered

So is this a one off which was exposed in 2015 and ended that year ?  Well that part of Project Talpiot may have ended but you can bet your shekels another head of the hydra headed monster is quietly working somewhere else


This entry was posted in Uncategorized. Bookmark the permalink.


  1. Pingback: UNIT 8200 COMPANIES HACKED SSL CONNECTIONS? | The Stoker's Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.