Net Nanny Fail

An issue with the content-control software Net Nanny could open users’ systems up to man-in-the-middle (MiTM) attacks, HTTPS spoofing and intercept, researchers warned Monday.

First released in 1995, the internet filtering service is primarily used by parents to control their children’s online activity.

According to a warning on CERT’s Vulnerability Notes Database yesterday however, the service is “broadly vulnerable” to HTTPS spoofing since it uses a shared private key and root certificate authority.

Garret Wassermann, a vulnerability analyst at CERT says :

“The certificate used by Net Nanny is shared among all installations of Net Nanny,”

“Furthermore, the private key used to generate the certificate is also shared and may be obtained in plaintext directly from the software.”

This means that an attacker could generate new certificates signed by the service, which would by extension, appear trustworthy. In turn, since browser certificate warnings wouldn’t get triggered by the certs, users could get tricked into thinking they were visiting a safe, HTTPS site when in actuality its certificate could be spoofed.

While CERT suggests other versions may also be vulnerable, version 7.2.4.2 is the build it warned was affected on Monday.

CERT/CC is recommending users flat out uninstall NetNanny to remove any bogus certificates it could have created or to disable SSL filtering and manually remove certificates from there.

Emails to Net Nanny’s developing company ContentWatch Inc. inquiring whether the company was working on a fix for the issue went unanswered on Tuesday.

NO COMMENTS