Chromodo Browser Disables Key Web Security (thestack.com)
An anonymous reader writes: A Google Security Research update has claimed that Comodo's internet browser Chromodo, based on the open-source project Chromium, contains significant security failings and puts its users at risk. This week's Google alert suggested that the Chromodo browser – available as a standalone download, as well as part of the company's Security package – is less secure than it promises. According to analysis, the browser is disabling the Same Origin policy, hijacking DNS settings, and replacing shortcuts with Chromodo links, among other security violations.
Re: (Score:2)
CORS in general is broken, for numerous reasons, but on the client side more than the server side.
CORS should be good. CORS could be good. But it's primitive, difficult to write with when dealing with things such as hybrid mobile development. If web services need a header acceptance policy solution then drop the same origin policy anyway and make it a totally separate thing. Make it so same origin resource sharing on the local side is blocked by default with an established white-listing system in pl
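The comment above asks for an explicit allow-list rather than the loose origin handling it complains about. The following is an added example, not code from the thread or from any of the vendors discussed: a small Node.js handler that only emits CORS headers for origins on a fixed allow-list, refuses to echo an arbitrary Origin back, never combines the wildcard with credentials, and sets Vary so shared caches do not leak one origin's answer to another. The origins, methods and header names are constructed sample values.

```javascript
// Added example (not from the thread): a server-side origin allow-list for
// CORS. The allow-list and request shapes below are constructed samples.

// Exact-match allow-list. Never derive the allowed origin from the request
// itself (echoing back whatever Origin arrives), and never pair the wildcard
// "*" with credentials: browsers reject that combination, and an echo-back
// policy silently grants every site credentialed cross-origin reads.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.test',    // constructed sample origin
  'https://admin.example.test',  // constructed sample origin
]);

const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Decide which CORS headers (if any) a response should carry.
// Returns null when there is no usable Origin or the origin is not on the
// allow-list; the browser then enforces the same-origin policy on its own.
function corsHeadersFor(origin, { withCredentials = true } = {}) {
  if (typeof origin !== 'string') return null;  // no Origin header: same-origin or non-browser client
  let parsed;
  try { parsed = new URL(origin); } catch { return null; }  // "null", garbage, non-URL values
  // Compare against the normalised scheme://host[:port] form only, so a
  // trailing path, userinfo or suffix like "app.example.test.evil.test" fails.
  const normalised = parsed.origin;
  if (normalised !== origin || !ALLOWED_ORIGINS.has(normalised)) return null;

  const headers = {
    'Access-Control-Allow-Origin': normalised,
    'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
    'Access-Control-Allow-Headers': ALLOWED_HEADERS.join(', '),
    // The answer depends on Origin; without Vary a shared cache could serve an
    // allowed origin's response to a different origin.
    'Vary': 'Origin',
  };
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Request handler: preflights from allowed origins get 204 plus the policy,
// rejected origins get no CORS headers at all (and 403 on preflight), so the
// browser blocks the cross-origin read.
function handle(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.writeHead(cors ? 204 : 403); res.end(); return; }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}

// Stand-alone use: node cors_allowlist.js, then send requests with an Origin
// header (port 8080 is an arbitrary choice for this example).
if (typeof require === 'function' && require.main === module) {
  const http = require('http');
  http.createServer(handle).listen(8080, () => console.log('listening on :8080'));
}
```

The key design choice is that the only Origin value ever written into Access-Control-Allow-Origin is one that was already in the allow-list, so an attacker-controlled Origin can never widen the policy.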
If Windows, then insecure... (Score:1)
and under surveillance.
For whatever reasons, Microsoft is not going to give up on this. Windows will constantly report everything it can about you and your browsing habits.
Want privacy? Forget Windows. Any version.
Re: (Score:2)
Re: (Score:3)
It doesn't. But why make it easier for them? At the very least, I get to opt out of those targeted ads.
I avoid knockoffs (Score:5, Insightful)
The same is also true for Linux distros--I advise people stick to the big ones (Debian, Ubuntu, Fedora/Red Hat/CentOS, Arch, Gentoo, SUSE, Tails) since they're thoroughly audited by security professionals, whereas those tiny little forks that do nothing but alter the UI probably aren't.
Re: (Score:1)
Re: (Score:2)
Haha, no! Perhaps a few core libraries are, if you are lucky.
whereas those tiny little forks that do nothing but alter the UI probably aren't.
Most distros are repackaging from the larger distros (Debian, Red Hat, Arch, Gentoo, SUSE), and security-related changes go upstream and downstream (well, sooner or later). So there is no major difference in security between UI-altering ones such as Mint and Debian.
Re: (Score:2)
Mint's probably not bad since it's such a large project now. But I would never use something like elementaryOS or Parsix, since I have no idea about the competence of their security teams.
Re: (Score:1)
Red Hat and SUSE have been given FIPS/Common Criteria/EAL certification in the past. Right now, it is pending for RHEL 7.x, but it will come eventually, and this shows the OS has seen independent validation by a very expensive lab that isn't just limited to one country.
CentOS, Oracle Linux, and other downstreams inherit this as well... maybe not the certification, but the structure.
Debian/Ubuntu isn't a slouch either, nor are the other mainstream variants, just because there are people who actually care ab
Re: (Score:2)
Re: (Score:1)
These browsers cannot be more secure than their upstream, unless they have further mitigations in place. The reason is that the biggest vulnerabilities are, depending on your view, 0-days or patched vulnerabilities you leave unpatched in your latest version. In the case of zero days, minus additional mitigations, both up and downstream are equally affected. In the case of patched vulnerabilities, only downstream is affected.
In the particular case of Comodo, they are two months out of date and don't have
Re: (Score:2)
Not necessarily. They can be more secure by stripping out components that might have security holes in them. Like, say, an integrated Flash player. They can add in things like built-in ad blockers. Or not trust certificates from issuers who have issued bad certificates in the past, such as Comodo.
And then there's security through obscurity. Some potential attacks might not know what to do with a browser that identifies as "Chromodo" or "Oprah" browser. And even something as simple as recompiling the brow
Re: (Score:3)
What's noteworthy about this specific instance is that Chromodo is made by Comodo, an antivirus developer, and is supposed to have a focus on security. I've never used the browser itself, but I tend to stay away from chrom* and clones.
I use Comodo firewall version 5.3.176757.1236. If it ain't broke don't fix it; been using it for years now. Between it and my hosts file I've stopped a lot of problems others have had.
This version is very easy to configure, has a very small footprint, and it's on top of every file that wants access. Charter.com turned MMC.exe into a keylogger; Comodo caught it, became the front program and the scrolling stopped, so you couldn't miss the event. (I bought a Straight Talk phone with a reused number flagged by Char
Re: (Score:1)
Precisely. A browser needs to have security patches be ready for users almost immediately, so if a downstream fork doesn't get patches propagated, it becomes a security issue in waiting.
Because browsers are either the primary attack vector for malware, or at least comparable to Trojans, security is paramount, and firms forking a browser cannot take doing this lightly, because there will need to be maintainers who have to see what security issues are going on with the upstream and either copy code, or write
Re: (Score:2)
Re: (Score:2)
What? (Score:5, Insightful)
A shady browser that nobody has ever heard of is insecure? Who actually finds and installs this garbage besides the clueless and elderly?
Re: (Score:2)
Right, all of those clueless elderly people browsing around the Comodo website trying to update their servers' SSL certificates and notice that, hey, apparently Comodo publishes a browser based on Chromium.
Re: (Score:2)
Comodo is well known for lousy security. That they're still trusted by major browsers is a miracle. Never use any of their products if you can avoid it.
Then again, as far as I am concerned there are only two reputable SSL vendors: GlobalSign and Let's Encrypt. The rest have either issued fraudulent certificates at least once or they simply shouldn't be in the business in the first place.
With my luck, that probably means that GlobalSign is secretly owned by North Korea and run by the Illuminati or something. Ev
Re: (Score:2)
Where have we seen this pattern before... Norton, McAfee, AVG, etc......
Re: (Score:1)
AV software is just for checking that box for the legal eagles. The real security comes from keeping the web browser from being hit by exploits. Toss in NoScript and AdBlock, and this will go a lot further, security-wise, than any AV product. Mainly because AV products are always trying to play catch-up, while if the malvertising doesn't make it to the browser, or get executed, even a zero-day is defeated.
Re: (Score:2)
Again, who has ever heard of this company?
Re: (Score:2)
Americans don't know much about the Comodo Browser. One of the antitrust rulings against Microsoft in Europe was that they had to provide alternative web browsers for their customers; they avoided Firefox and Chrome and instead opted to display the knockoffs like Comodo Icedragon or whatever. So this story impacts Europeans a lot more than Americans.
Re: (Score:2)
Chromium is the open-source base for Chrome. There aren't really releases for it like Chrome. Most Linux distros will have a package for it, but on Windows you pretty much have to seek out and download one of the snapshots which isn't something most casual users are going to do*. So I'd assume anyone who has Chromium installed on Windows probably knows what they are doing.
*Or download someone else's repackaging of it, like Chromodo.
The company behind forged certificates?? (Score:3)
Wasn't this the company who gave us forged compromised certificates last year that installed malware on some PCs and phones?
They use a Lenovo-style spearfish SSL MITM and replace legitimate certificates with their own. Gee, no security problem with that. Kaspersky does the same too until you tell it not to scan HTTPS connections.