"Unlike Superfish, PrivDog installs a different root certificate on every system, so there’s no shared private key that would allow attackers to generate rogue certificates. However, it turns out they don’t even need a shared key
The error in PrivDog’s implementation is simpler than that: The program doesn’t properly validate the original certificates it receives from websites. It will therefore accept rogue certificates that would normally trigger errors inside browsers and will replace them with certificates that those browsers will trust.
For example, an attacker on a public wireless network or with control over a compromised router could intercept a user’s connection to bankofamerica.com
and present a self-signed certificate that would allow him to decrypt traffic. The user’s browser would normally reject such a certificate.
However, if PrivDog is installed, the program will take the attacker’s self-signed certificate and will create a copy signed with its own trusted root certificate, forcing the browser to accept it. In essence, the user’s traffic would be intercepted and decrypted by the local PrivDog proxy, but PrivDog’s connection to the real site would also be intercepted and decrypted by a hacker."