This is much worse than just installing adware. They install a web proxy which MITMs all web connections, including HTTPS by means of a pre-installed trusted root certificate.
Someone will extract the private key in the next few hours, and then HTTPS will be basically completely broken for all Lenovo users -- anyone will be able to spoof any site to them.
On the bright side, Firefox does not use the system certificates (it has its own list) and Chrome will no doubt push an update to block the certificate promptly.
I'm curious what legal stance Lenovo customers have here - their secure HTTPS connections are being MITMed intentionally - surely that's hacking, or some national security violation?
It actually depends whether or not the practice is directly or indirectly agreed to by the user in the Terms of Use, Privacy Policy or similar document. Now, it's likely that users do agree to it, but if the language in their policies wasn't broad enough to cover an action like this, theoretically it would be a violation of the Computer Fraud and Abuse Act, as exceeding authorized use.
This won't hold for Germany though. There is a concept of surprising clause (überraschende Klausel) as well as the concept of an unethical clause (sittenwidrige Klausel). In this case I would assume that both would hold even if there is some clause in the EULA.
The BigCo argument holds in Germany unfortunately as well...
At least PunkBuster is spying for a relatively noble purpose: preventing cheating in online games. Cheating absolutely destroys the experience in multiplayer games and has killed many games.
This is spying with the sole purpose of spreading ads and making money.
So because a few people decide to cheat at a game they paid for, everyone who paid full price for the game is forced to install spyware which can and does modify files on your pc, take screenshots as you play the game, monitor your mouse inputs, keyboard, etc...?
I think that is fine, personally. Obviously others might not. You have to specifically agree to install/allow PunkBuster, and you can choose to play on servers that don't use PunkBuster. With Lenovo not only is there no opt-out, but you're not even aware of the adware and root CA installation.
The "spyware" only spies on modifications to the game client in any way and tries to detect non-human involvement, which of course includes inspecting the file system and RAM. In theory it could harvest irrelevant information from your hard drive or memory, but no reverse engineer has ever made such a claim to my knowledge.
Valve Anti-Cheat does very similar things, but is run by what many consider to be a trustworthy company, so not that many people take issue with it. If one trusts the company that distributes the spyware, it's not really a problem, in my opinion. If Valve were to ever violate that trust, it would severely harm their business.
I also strongly disagree with DRM, because it only harms other players while providing no benefits. In contrast, online cheaters can completely ruin the playing experience for online games, and have heavily contributed to the death of some games.
I also have no issue if people decide to cheat when in single-player mode. If you pay for the game you should be able to do whatever you want if you're not affecting others. It's only a problem when they're playing with other people over the Internet. PunkBuster and VAC only run when you're playing in online mode.
It's not fine because, as is the case with Superfish, this type of software leaves gaping security holes that blackhats can exploit no matter how noble the vendor is.
What security holes does PunkBuster introduce? Adware like Superfish and game client modification detection like PunkBuster are very different kinds of software. I do not support anything like Superfish.
It's not just because they are a big company though. The "community", the industry and the government all share blame for the lack of liability for software.
Edit: It's pretty bad form to downvote new accounts because you disagree. Imagine if I didn't know about hellbanning.
Ask yourself what open source licenses, corporate EULAs and the NSA's defense have in common. The best hope here is that Lenovo explicitly promised someone something they didn't keep.
You can bet that if the NSA manages to use this to hoover up some tasty HTTPS, this scandal will be lauded as a big boost to "national security" behind the scenes, and nobody will be punished. For all we know NSA had a hand in engineering this.
Of course, if some government data is stolen as a result, then the whole thing will be thrown under the bus and deemed a threat to "national security".
I hope anyone who uses terms like "national security" does it in full awareness of what Orwell meant by newspeak and doublethink.
Impersonating a CA is not transparent and risks losing that CA if anyone finds out it's forging certs. They probably can do that, but it's a risky nuclear option.
This is a transparent dragnet that can easily be blamed away, which has been shown to be much more preferable in the NSA's M.O.
The sad thing is we don't need to invoke the big bad NSA here. There is absolutely positively nothing about this that suggests it is anything other than bog-standard SSL incompetence.
And to be clear, I mean, absolutely nothing. This isn't a slightly unlikely thing that still leaves room to wonder about "plausible deniability"... this is a thing that happens all the damned time and the NSA need at most sit back and passively reap the benefits, along with hackers and criminals.
Somebody somewhere wanted to get in on the advertising gig because it looks like free money. Their first attempt didn't work on HTTPS sites. Some techie was ordered to fix it. Said techie read a few things on a few sites and typed in the magic commands to "make it work" and probably literally didn't even know that they'd just annihilated security for all their users... they literally just knew that this made their software "work", and for them, pretty much the first time they clicked on to an HTTPS page and saw their own ads, the story ended. Ship it.
To a first approximation, nobody using SSL in some manner understands SSL.
It does seem like this is more of an amateur hour screw-up. It isn't beyond the NSA to plant developers that can insert backdoors on their behalf or set up front companies to sell vulnerable libraries but one would hope that they have enough sense not to leave cleartext passwords in a binary. Of course that could be an intentional misdirection so one never really knows.
I really don't agree. Every government has an official CA, and last time one was caught (France with fake Google certs IIRC), nothing happened at all. Most CAs are too big to fall anyway.
The employers that I know of who do government work require that all computers/phones that work is performed on be from certain manufacturers which are US companies; an issue like this is the exact thing they cite as the reason for not using foreign companies as providers of such hardware. So the chance of government data being stolen is minimal, so the chance of the US government caring much is unlikely. So I doubt this will wind up under that bus.
Isn't superfish (or is it Phish?) a US/Israeli company?
Some of the code inserted is pretty strange, including functions to check for lenevo, bestbuy.com and isPayingCountry() with a list of country identifiers:
The code you linked is nothing out of the ordinary as far as adware in Chrome plug-ins etc. go. For an example have a look at the source code[1] of "Awesome Screenshot"[2] which is used by ~1,4M users and also calls home to 7 different hosts[3]. This is just one of many many Chrome plug-ins that is injecting ads and Google encourages this[4]. It makes sense to limit injections to markets they can serve / are affiliates in.
I think what you meant to say is that the existing laws that make something like this illegal should be enforceable in a meaningful way against large manufacturers and retailers.
Honestly, I think that's unlikely. This is far too sloppy to have been intentional. There are much better ways to implement a backdoor when you control the OS image. This is just incompetence, plain and simple.
Superfish looks like the kind of crapware that pays OEMs to include it in their bundle. Lenovo took the cash and didn't bother to review the code. Superfish, for its part, probably doesn't have the best and brightest engineers working for them. They probably tasked a junior programmer with working around SSL, who then committed the first solution that worked without ever thinking about security implications, and they shipped it.
I cannot see how this could possibly be true. Having been privy to OS bundling for products, I can assure you there are lengthy contracts, and negotiations, about exactly what is happening. You do not simply walk up to Lenovo and have your "software" installed into the OS without a very detailed contract and pay structure. There also looks to be js injected into pages, which is serving up the ads, and a comment about Lenovo [1]. Think about what that means. There was a project at this company, where they had meetings, project plans, testing to make sure it worked, and a very detailed idea of what was going on. Never mind all the ramping up of capacity due to new Lenovo boxes coming on-line. There is zero chance this was some low level junior programmer fly by night operation.
Oh I'm sure they had lots of meetings about the contracts and pay structure, and they may have done testing to make sure it didn't break things, but apparently no one did a security review. Sadly, this doesn't surprise me that much.
If they did know about the problem, they could have fixed it. If the app simply generated a new key as part of first-time use, then it would just be run-of-the-mill crapware rather than a gaping security hole. Even if Lenovo has malicious intent, it would still have been in their best interests to do at least that, yet they didn't. Hence I assume it was incompetence.
It doesn't take a "security review" to spot a gaping security and privacy violation like this.
Any engineer with even the slightest clue of how a browser and "the internet" works would have called this out during the first "How does this product work?"-presentation.
(Which, possibly unfairly, is one reason I'm leaning more towards ansible than saltstack to this day -- I mean, if stuff like that got through... what else, in more complex areas of the system?)
The problem in Lenovo's situation is, calling it incompetence is the real stretch. You could call Charles Manson incompetent saying he just didn't know what he was doing was wrong, but everyone knows he was just evil.
Never falsely attribute to incompetence what is actually ascribable to malice. You can't come in here with a straight face and say that no one at Lenovo considered the security risk of including this software. If it was considered and they pushed ahead with it anyway, that's malice.
I don't think anyone there thought/realized that they were including a backdoor usable by any number of third parties (by virtue of installing a mitm-cert, and giving away the key). And this case is much worse than any other crapware-by-way-of-oem that I've heard of. But given the amount of nasty stuff most vendors seem to install on systems -- it appears to me that no one really looks at what is installed, or gives much thought to the consequences.
It's negligent, and in this case probably criminally so -- and that might constitute "an evil" -- but I don't think this is the result of someone's overt intentional evil act. I don't think anyone actually did consider the security risk of this particular piece of software. Maybe I'm naive, but if nothing else, the risk of lawsuits/backlash seems too great in this case.
I don't like ads and bloatware, but I think calling them "evil" is diluting what "evil" means.
I might be wrong, of course. But I don't think any of the big OEMs does any real review of the crap that is installed on computers -- and I think forgetting to generate a unique cert/key on post-install/first run is an error -- not intentional. Deciding to install this kind of crap strikes me as a very poor decision -- but I'm still not sure I'd consider it evil. Evil would be using the Intel management co-processor to do something similar -- presumably then a clean install wouldn't help.
But that argument means either that these companies do not have a security team (we know they do), that the security team signed off on this (we know they wouldn't), or the security team raised the risk and management chose to ignore it. There's absolutely no option that says "no one ever thought of this risk", at least not in the world we live in. I've worked in enterprise security and I still work in the security industry. There is just no way that this software got approved to be put in a default install and had no review from the security department.
That's what I meant by invoking the opposite of Hanlon's razor. Sure, never attribute to malice what can be explained by ignorance. But my point is, you can't explain this one with ignorance. There is just no way that Lenovo has hired a security team that would do a review of this and say it looks fine, and no way a company the size and stature of Lenovo would not have a competent security team. The only logical answer is that this was raised as a risk and management chose to accept the risk.
I'm not saying they're evil (I used that word to describe Charles Manson), nor that their end goal was for users to be compromised. Merely that they had to know this was a bad idea, and they chose to do it anyway.
You may be right. I'm inclined to believe the provisioning team in Lenovo is understaffed, and that they don't really do much security analysis at all. So I believe they're negligent, and that their process is negligent. But I'm open to the idea that I might very well be wrong about that. Either way, it doesn't speak very highly of what kind of quality one can expect to get when shopping Lenovo products.
I generally agree, but this is a situation that can be explained by either an embarrassing level of incompetence or a pretty minor amount of malice (or even indifference). So I'll assume malice until I see them own up to that much incompetence.
Operations the size of Lenovo have a fairly intense vetting process before a product goes to market.
I find it very hard to believe that no red flags were raised by any of the engineers, managers and especially lawyers who must have screened this "feature" for problems.
It seems more plausible that the problem was known from the beginning (it is by design after all) and Lenovo decided to risk it.
My own experience makes me suspect the same thing. I used to work for a company that was, at the time, trying to develop a privacy-enhancing product (ironically enough...) which did something somewhat similar (although not on the size of this fuckup -- they'd be intercepting, but not tampering with, encrypted traffic, and storing encrypted private data).
Virtually everyone in the engineering team raised a flag when the imbec...uhm, the Product Manager came up with the idea. We pointed out that a) this burdens us with the responsibility of storing sensitive data which can, at least, have significant legal implications and that b) even if it's encrypted data, it may be a little hard to market a privacy device that works by uploading user data to our server as a first step without being transparent about the whole process. Oh, and c) that the data recovery mechanism he proposed (which involved storing the users' private keys on our servers as well, just in case they lost their precious little gimmick) was, in this case, entirely retarded.
The whole thing didn't even make it to Legal, because everyone in the decision tree just thought that since there's no plaintext data being stored, there's no potential for a lawsuit (and when we told the PM about Lavabit, he came back two hours later saying he Googled it and that we're covered since we're not an e-mail provider). The bright heads in Marketing weren't exactly sure about the whole transparency thing. They thought we should keep it simple and just tell people that their data is safely encrypted and be done with it, because end-users don't need to know about tech mumbo-jumbo like encryption keys and all that.
I don't work there anymore (thank God) and they haven't launched in the meantime, but when I left, they were basically working on implementing this clusterfuck.
I'm sorry I can't be more specific than this (for obvious reasons, I hope). The point is, however, that decisions as complex as these (there's a stack of paperwork thicker than the Osbourne-1 involved in preloading anything on a laptop) are made through an elaborate process, not made "by mistake".
Someone knew there was a problem. The problem may have ended up misunderstood or washed out along the decision chain (although I find that fairly unlikely), but someone, at some point, decided this was ok.
Once one vendor in your space says "we filter HTTPS traffic for nasty viruses!", it becomes a marketing weapon, and lots of customers think "well, why should I go with A when B protects me better?"
> Operations the size of Lenovo have a fairly intense vetting process before a product goes to market.
How does that go along with a gigantic fuckup like this? Ipso facto there was no vetting, otherwise this wouldn't happen. What did they expect, that this wouldn't come out, that this wouldn't damage their brand even further? If it was done out of malice it is still poorly vetted and incompetent malice.
Just repeat, “Never ascribe to malice that which can adequately be explained by incompetence.”
They probably didn't figure out that anyone would have a problem with this. For them, it's just a cool gimmick to get some money. That it is a gaping security hole which makes about 0.42 % of user population mad, probably never occurred to them.
Unfortunately, for the 0.42 % (that is us, reading this site, and people of similar interests) it will be hard going to explain to the next 4.2 % why this is so bad. The remaining approximately 96 % of population will stay largely uninterested.
Yea, read again. I claim that even if there was malice there necessarily was an element of incompetence present in that case as well.
> it will be hard going to explain to the next 4.2 % why this is so bad
Why? People aren't interested in exact details, that's why they rely on 0.42%. You can illustrate the magnitudes of moronity required to design some of their products and lack of respect for security by explaining that they approach those that are needed to drive a car which has chainsaw strapped on its steering wheel. This isn't mere buffer-overflows due to bad coding, these are comatose levels of stupidity.
Hopefully we .42 will inform our fellow 4.2ers when they come to us for advice when buying a new laptop/anything Lenovo makes. I don't think it will be so hard to explain it to them. They already know what adware is. Just mention it comes installed ready to track you. Always listening while you're visiting bank.com.
I doubt the usual lawyer assigned to this understands SSL and certificates well enough to say anything about it. They worry mostly about contracts, and this is a technical thing.
I don't know, I've worked on some large government projects where things like this could have possibly slipped through because an engineer or two thought it was a clever way to workaround the issue. Granted they should have known and may have known but I'm not convinced they had to have known.
> They probably tasked a junior programmer with working around SSL
I don't think I've seen a junior anything who was informed and insightful enough to write a network proxy, including SSL support, and the necessary certificate work.
Because you call it "enhanced functionality featuring cloud services", not a "man in the middle attack".
And calling it enhanced is not always an unreasonable interpretation. For instance, take the case of a cheap mobile phone with a very limited bandwidth. You can increase the end user satisfaction considerably if you move some of the functionality to a server layer so that when you browse, the things actually happen somewhere in a cloud and your phone is just displaying the result, without being the actual browser as seen by the site you visit.
Nokia did this with some of the cheaper devices, and I think it was quite OK. It comes down to how much you trust that party, of course, and how critical your communication is.
I think you give them too much credit. This was probably a decision made by a non-technical group without input from a technical group (e.g. Marketing goes and does something without even thinking of contacting Engineering), and whoever slipstreamed it into the factory image just followed instructions unquestioningly. This will likely result in an eventual retraction and apology, and internal process improvements being made to prevent such things from happening again. Such things will eventually happen again because large orgs are inefficient and individual employees are frustrated by inefficiency, so they'll work around the protocols. Rinse & repeat.
Someone has posted the actual script elsewhere in this thread [1].
Of particular interest is line 194:
if (location.protocol === 'https:' && queryString.search(/dlsource=hdrykzc/i) !== -1) // Patch for Lenovo - do not run on https sites
So yes, it seems someone at Lenovo was security-aware enough to demand an exception for HTTPS. Unfortunately the fine folks at Superfish either didn't understand or didn't care.
No, this is an example of the Lenovo sales / marketing people making distribution deals with dodgy third-party companies. The people who design the machines don't make the decision to ship MITM proxies on them.
I honestly don't know why Lenovo (and others) still make these third party deals. Just ship the machine with a blank OS, or install a vetted selection of open-source software (7zip, VLC, LibreOffice if they want). Just don't install crapware for the mediocre kickback it generates!
For low-end machines these bundling deals likely form a sizeable chunk of the profit margin. (I've heard eyebrow-raising numbers for e.g. the default browser spot.)
Yep. The other chunk results from the OEM's refusal to stick to any long term consistency in the components they spec in consumer lines of devices. In business lines, you will likely get a 6-12 month guarantee with a 6-24mo forecast showing exactly what is shipping with what (CPUs, GPUs, screens, hard drives, etc). With consumer lines, they change components & suppliers any time, for any reason.
It's awful even ignoring the security implications.
> To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.
"When using Superfish for the first time, the user is presented the Terms of User and Privacy Policy, and has option not to accept these terms, i.e., Superfish is then disabled."
Brilliant! It is behind a "Terms of User and Privacy Policy" text.
Interesting this appears to only be on the consumer grade laptops. I know at first glance I saw nothing relating to it on my W540 that I bought in November.
Remaining questions: Does the superfish proxy itself check the certificate of the site it's connecting to? One would hope, but that's also a pretty easy thing to screw up.
If it does, does it trust its own cert? Probably (certainly?), but if not, that would leave one in the curious (perverse?) position of being safer by using the proxy. superfish can mitm your connection, but nobody else with the key could.
It's most likely not hard-failing on cert errors, otherwise any website with a self-signed or expired cert would be inaccessible. So that means you just lose warnings (and thus the ability to detect another MitM) in your browser.
Wow, there are tons of images on twitter about this [1]. There is one where they MITM https://www.bankofamerica.com/ too [2]. Why the hell would they do this. Brutal.
Jumping at short-term profit over the people who trusted you is malice, in my book. Profit-uber-alles is not some thing that appears out of the ether--somebody has to do it.
While it is akin to playing whack-a-mole, it's nice to see them seriously considering blocking this cert so users who get a theoretical update in Firefox would have it simply be removed. Granted Superfish could update and get around it but that would require effort and considering the PR nightmare Lenovo is going to be fielding I doubt they would do so.
The password to the key must be in the binary - either in clear or encoded form and at some point it needs to be in memory in decoded form. Otherwise the binary could not decode the key itself. You could drop the passphrase immediately after decoding the key to make it harder for the attacker, but fundamentally all info to decode the key must be somewhere on the machine itself.
Trying all strings from the binary if any of them matches is a cheap and easy operation, so try it first, if it doesn't work use a more elaborate approach.
He didn't find the password in the clear, he found the private key in the clear. He brute-forced the password.
I assume his reasoning for looking for the private key was similar to: this program creates a new certificate authority and installs it on this computer. In order to do this, it must have all necessary tools for doing so, including the private key it uses to create those certificates, in memory somewhere. Even if that private key is stored encrypted somewhere, it has to exist unencrypted in memory at some point to be used.
Read it again, he found the password in cleartext in the memory dump. From the blogpost:
> I tried the small dictionary john.dict that comes with John-the-Ripper, and it didn't find anything. But of course, I don't need a real dictionary. The password is probably also in the clear in the memory dump. I could just use the file super.txt as my dictionary! I tried this, but it was taking a long time, with 150k unique lines of text. It'd take many hours to complete. To speed things up, I filtered the list for just lower-case words
So, just a hunch that it would be a company name or something else that might be in the dump? There's no technical reason for the actual password itself to somehow end up there? A serious security flaw or something?
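The approach the blog excerpt above describes (use the process's own memory dump as the wordlist, filtered to lowercase words, instead of a real dictionary) is simple enough to show end to end. This is an added example, not code from the thread or from the linked blog post. The memory dump bytes, the passphrase "sardines" and the PBKDF2-based check are all constructed here so the script runs offline; in the real case the `unlock` callback would be `openssl rsa -in key.pem -passin pass:...` (or John the Ripper) against the extracted PEM, and the candidate list would come from a dump of the proxy process.

```python
"""Recover a key passphrase from strings in the process's own memory dump.

Added example. The dump, the passphrase and the passphrase check are
constructed stand-ins; the candidate extraction and trial loop are the
real technique.
"""
import hashlib
import hmac
import re
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

# strings(1) default rule: runs of 4 or more printable ASCII bytes.
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# The blog post narrowed the wordlist to all-lowercase words; same filter here.
_LOWER_WORD = re.compile(r"[a-z]+")


def strings_from_dump(blob: bytes) -> Iterator[str]:
    """Yield printable runs exactly as `strings` would print them."""
    for match in _PRINTABLE_RUN.finditer(blob):
        yield match.group().decode("ascii")


def lowercase_words(blob: bytes) -> List[str]:
    """Unique all-lowercase tokens, in order of first appearance in the dump."""
    seen, out = set(), []
    for run in strings_from_dump(blob):
        for token in run.split():
            if _LOWER_WORD.fullmatch(token) and token not in seen:
                seen.add(token)
                out.append(token)
    return out


def guess_passphrase(candidates: Iterable[str],
                     unlock: Callable[[str], bool]) -> Tuple[Optional[str], int]:
    """Try candidates in order; return (passphrase or None, attempts made)."""
    tries = 0
    for candidate in candidates:
        tries += 1
        if unlock(candidate):
            return candidate, tries
    return None, tries


# --- constructed stand-ins so the demo runs offline -------------------------
CONSTRUCTED_PASSPHRASE = "sardines"
_SALT = b"constructed-salt"


def protect(passphrase: str) -> bytes:
    """Stand-in for the encrypted PEM: a PBKDF2 tag derived from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), _SALT, 20_000)


def make_unlock(tag: bytes) -> Callable[[str], bool]:
    """Stand-in for `openssl rsa -passin`: does this passphrase open the key?"""
    def unlock(passphrase: str) -> bool:
        return hmac.compare_digest(protect(passphrase), tag)
    return unlock


def constructed_dump() -> bytes:
    """Constructed memory dump: binary noise plus strings a proxy binary holds."""
    return b"".join([
        b"\x7fELF\x02\x01\x01\x00",              # header-like bytes, no 4-char run
        b"Superfish, Inc.\x00",                  # mixed case: filtered out
        b"proxy ready\x00",                      # two lowercase tokens
        b"C:\\Program Files\\proxy\\certs\x00",  # path tokens contain punctuation
        b"inject\x00",
        b"-----BEGIN RSA PRIVATE KEY-----\x00",  # the key material itself
        b"Proc-Type: 4,ENCRYPTED\x00",
        b"sardines\x00",                         # the constructed passphrase
        b"GET / HTTP/1.1\x00",
        b"proxy\x00",                            # duplicate, already seen
        b"ads\x00",                              # too short for strings(1)
    ])


def run_demo() -> Tuple[Optional[str], int]:
    unlock = make_unlock(protect(CONSTRUCTED_PASSPHRASE))
    return guess_passphrase(lowercase_words(constructed_dump()), unlock)


if __name__ == "__main__":
    found, attempts = run_demo()
    print(f"passphrase={found!r} after {attempts} attempts")
```

The point of the filter is the one the blog post makes: a dump has hundreds of thousands of lines, but the passphrase is a short lowercase token sitting in the same address space that has to hold it to decrypt the key, so a few hundred candidates usually suffice where a generic wordlist would run for hours.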
What's funny is that they have three apps for photo-based matching of products...and pets. They really are a "visual search" company, a CA start-up of 80-200 people according to LinkedIn... They just seem to have forgotten the "don't be evil" parts of their business model...
Any way to see if that certificate is on a Lenovo computer? Any way to remove it? I bought a Lenovo laptop recently, and I was appalled at the amount of crapware that was installed. It's a wonderful laptop at a great price, just too bad about the software.
> It's a wonderful laptop at a great price, just too bad about the software.
Lenovo's hardware support for Linux is great so unless there's something keeping you on Windows switching to a good Linux distro usually works fine on these laptops.
So what? At least with the software part you remove a large portion of the risks. It's better to go half way than doing nothing about it, and hardware tampering for a company could be more risky since they would have to do mass recall if discovered.
It should show up in the system certificates list as "Superfish, Inc.". I haven't seen it myself but search for #superfish on Twitter to see a lot of screenshots and such.
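A scriptable version of the check suggested in the answer above, for anyone auditing more than one machine. This is an added example, not code from the thread or from Lenovo. It uses Python's Windows-only `ssl.enum_certificates("ROOT")` to read the machine root store, flags any certificate whose DER bytes contain the subject text "Superfish, Inc." (the name the answer above says it appears under; X.509 names are stored as plain ASCII strings, so a substring search is a sufficient first pass), and prints the thumbprints. The two sample DER blobs at the bottom are constructed stand-ins so the functions can be exercised off Windows; they are not real certificates.

```python
"""Audit the Windows root store for the Superfish root (added example)."""
import hashlib
import ssl
from typing import Dict, Iterable, List, Sequence

# Subject text the thread reports the certificate shows up under. X.509 names
# are PrintableString/UTF8String, so this ASCII appears verbatim in the DER.
SUSPECT_SUBJECT_TEXT: Sequence[bytes] = (b"Superfish, Inc.",)


def windows_root_store() -> List[bytes]:
    """DER certificates in the machine 'ROOT' store; empty list off Windows."""
    if not hasattr(ssl, "enum_certificates"):  # Windows-only stdlib API
        return []
    return [der for der, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]


def thumbprints(der: bytes) -> Dict[str, str]:
    """SHA-1 (what certmgr/certutil display) and SHA-256 over the DER bytes."""
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest()}


def find_suspect_roots(store: Iterable[bytes],
                       needles: Sequence[bytes] = SUSPECT_SUBJECT_TEXT) -> List[Dict[str, str]]:
    """Return one record per root whose DER contains any of the needle strings."""
    hits = []
    for der in store:
        matched = [n.decode() for n in needles if n in der]
        if matched:
            hits.append({"subject_text": ", ".join(matched), **thumbprints(der)})
    return hits


# Constructed stand-ins (not real certificates): a few DER-looking bytes
# wrapped around a subject string, so the search logic can be tested offline.
CONSTRUCTED_SUSPECT = (b"\x30\x82\x01\x00\x06\x03\x55\x04\x0a\x13\x0f"
                       + b"Superfish, Inc." + b"\x00" * 8)
CONSTRUCTED_OK = b"\x30\x82\x01\x00\x06\x03\x55\x04\x0a\x13\x0c" + b"Example Root" + b"\x00" * 8


def main() -> None:
    store = windows_root_store()
    hits = find_suspect_roots(store)
    print(f"{len(store)} roots examined, {len(hits)} suspect")
    for hit in hits:
        print(f"  {hit['subject_text']}  SHA1={hit['sha1']}  SHA256={hit['sha256']}")


if __name__ == "__main__":
    main()
```

Run it on several machines and compare the SHA-1 values: if every affected machine reports the same thumbprint, that is the one shared certificate the thread is worried about. The thumbprint is also what you hand to `certutil -delstore Root <thumbprint>` from an elevated prompt to remove it; removing the root without also uninstalling the proxy will break HTTPS until the proxy is gone, since the proxy still rewrites every connection.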
Interesting question to consider: what if the MITM was benevolent to the user? I.e. Lenovo included a similar ad-blocking proxy in their default installation? Would the public response have been as negative, or would it be considered to be a helpful addition akin to how most browsers now include popup-blockers?
In other words, are people more repulsed by the purpose (advertising)? Because I certainly think MITM'ing connections locally to remove ads a good thing... and with some devices like "smart" TVs apparently now phoning home and showing ads, I have no qualms about putting their traffic through a proxy to strip that crap out.
The issue here isn't so much the ads as it is being able to authenticate that the remote party is who you think it is – if your browser trusts the MITMed certificate, you no longer have the guarantee that your banking website is actually your banking website and nothing nefarious, as the page has been intercepted (maliciously or not) in-flight.
> if your browser trusts the MITMed certificate, you no longer have the guarantee that your banking website is actually your banking website and nothing nefarious, as the page has been intercepted (maliciously or not) in-flight.
The trust essentially moves from the browser to the proxy - while I don't know what Superfish does, Proxomitron definitely checks the certificate and pops up a warning dialog if there's something wrong.
> why MITMing SSL at all without the user's explicit knowledge is bad
I think "without the user's explicit knowledge" is the key point here; if you install a security product then you somehow expect that it be able to inspect all your traffic for any maliciousness... as otherwise the "bad guys" will just make use of SSL to defeat that.
Presumably (hopefully!) when you installed Proxomitron, it generated a new unique private key for your own personal MITM.
Apparently Superfish ships from Lenovo with the same private key on every machine. So all a bad guy needs to do is extract that private key from one machine, and now they can MITM all the Superfish Lenovo machines from basically anywhere on the Internet.
It does come with its own certificate by default, with instructions for generating your own, but it doesn't trust that certificate for external connections; it uses a separate database of trusted roots which doesn't include the MITM certificate.
Has anyone confirmed the certificate validation behaviour in Superfish? I have a feeling it will be "none at all", which would be really bad...
It's all fine when it's you who is controlling the MITMing. In this case, Lenovo's malware does this without knowledge of the user and uses the same certificate on each machine, private key for which is embedded in said malware. That private key has probably already been extracted (or it will be very soon) - and at this point anyone can MITM your Lenovo machine by using that certificate.
Imagine if the person you bought your house from told you "I've disabled all the locks on your doors and windows so that I can pop in from time to time and leave a fruit basket on your dining room table."
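The fix the comments above keep coming back to (Proxomitron generating its own key, versus one key shipped on every Lenovo) is a first-run check: if this install has no root yet, make one here, with material that never leaves the machine. The following is an added example, not Superfish's, Lenovo's or Proxomitron's code. It assumes the `openssl` command-line tool is on PATH for the real generator; the `stand_in_generate` function exists only so the first-run logic can be exercised where openssl is absent and writes random bytes rather than a real key.

```python
"""Generate the interception root per install, on first run (added example)."""
import hashlib
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

Generator = Callable[[Path, Path], None]


def openssl_generate(key_path: Path, cert_path: Path) -> None:
    """Fresh 2048-bit RSA key plus self-signed root via the openssl CLI (assumed on PATH).

    -nodes leaves the key unencrypted on disk: a passphrase that the proxy
    binary must itself contain adds nothing, so file permissions do the work.
    """
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key_path), "-out", str(cert_path), "-days", "3650",
         "-subj", "/CN=Local interception proxy (this machine only)"],
        check=True, capture_output=True)


def stand_in_generate(key_path: Path, cert_path: Path) -> None:
    """Offline stand-in for environments without openssl: random bytes, not PEM."""
    key_path.write_bytes(os.urandom(32))
    cert_path.write_bytes(os.urandom(32))


def ensure_install_ca(state_dir: Path,
                      generate: Generator = openssl_generate) -> Tuple[Path, bool]:
    """Return (cert_path, created). Key and cert are generated only if absent."""
    state_dir.mkdir(parents=True, exist_ok=True)
    key_path, cert_path = state_dir / "proxy-ca.key", state_dir / "proxy-ca.crt"
    if key_path.exists() and cert_path.exists():
        return cert_path, False          # later runs reuse this install's root
    old_umask = os.umask(0o077)          # private key readable by this user only
    try:
        generate(key_path, cert_path)    # first run: material unique to this box
    finally:
        os.umask(old_umask)
    return cert_path, True


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def demo_two_installs(generate: Optional[Generator] = None) -> Tuple[bool, bool, bool]:
    """Two 'machines': roots differ; a second run on machine A reuses its root.

    Returns (roots_differ, first_runs_created_and_rerun_did_not, rerun_same_cert).
    """
    if generate is None:
        generate = openssl_generate if shutil.which("openssl") else stand_in_generate
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        cert_a, created_a = ensure_install_ca(base / "machine-a", generate)
        cert_b, created_b = ensure_install_ca(base / "machine-b", generate)
        cert_a2, created_a2 = ensure_install_ca(base / "machine-a", generate)
        return (file_digest(cert_a) != file_digest(cert_b),
                created_a and created_b and not created_a2,
                file_digest(cert_a) == file_digest(cert_a2))


if __name__ == "__main__":
    print(demo_two_installs())  # expected (True, True, True)
```

With a per-install root, an attacker who extracts the key from one laptop can forge certificates for that laptop only; the fleet-wide break the thread describes needs the same key on every machine. The proxy's own root should also be installed into the user's store only and never be part of the trust bundle the proxy uses to validate upstream sites, or the proxy will accept forged upstream certificates signed by its own key.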
I thought that Chrome checks and reports that google.com certificate is a google issued certificate. How did this mitm attack not pop up massive warnings in chrome?
But doesn't that defeat the purpose? If a trusted Chinese certificate authority issues some certificate on google.com for China to perform MITM attack, and Chrome ignores anything signed by a valid root certificate, it will never report this attack. I thought the point of certificate pinning is precisely that only a single authority can sign a certificate for a website.
No, the purpose of pinning is to stop a compromised CA from issuing their own www.google.com cert.
If someone installs a CA, Chrome will trust it. There's not much way around this: if someone has the capability to install a CA on your computer, they'd have the capability to modify chrome.exe to force acceptance of it.
Also, sometimes MITM'ing is desired. I'm doing it right now with Firefox and BurpSuite.
Chrome could display a notice reminding users that it's an executable that can be compromised by other programs. But those other programs could also delete that notice.
This situation is quite common in enterprise deployments [1], where HTTPS traffic is MITM-proxied through a central server to e.g. check for malicious content or other filtering.
If Chrome were to block unknown roots for pinned sites, these sites would become inaccessible because the MITM proxy is still active. That's certainly not desirable in a controlled enterprise environment, but the same would occur when blocking this 'Lenovo root'.
More precisely, Chrome doesn't enforce certificate pinning if the certificate is signed by an unknown root (like one installed by your system administrator, or apparently your laptop manufacturer).
"Someone will extract the private key in the next few hours, and then HTTPS will be basically completely broken for all Lenovo users -- anyone will be able to spoof any site to them."
Do you mean the proxy is remote? That is not the impression I have (otherwise having the private key locally makes no sense).
If it's local, then even with the private key extracted, and considering a lot of websites force HTTPS nowadays, we should still have standard crypto between the Lenovo computer and the website. EDIT: As long as the adware checks the website certificate AND doesn't trust its own self-signed certificate in the store... yeah... a lot of ifs...
Anyway, thanks for the additional details, more helpful than "[...] the certificate allows the software to decrypt secure requests[...]", found in the article...
> we should still have standard crypto between the lenovo computer and the website
Standard crypto using that website's certificate. Which could be legit. Or could be an attacker's certificate, signed with this Lenovo root certificate.
Not if the proxy checks the certificate of the site it's connecting to and doesn't trust its own self-signed cert (there is no point in doing so if it's pure adware). But yeah... I have no idea what it does...
I honestly doubt that someone who was clueless and lazy enough to use the same self-signed certificate on all machines would put in the extra effort not to trust that certificate. Besides, the certificate is left behind after the software's uninstalled and no longer proxying connections.
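To make concrete both the pinning point raised a few comments up (Chrome skips pins when the chain ends at a locally-installed root) and the consequence of a root certificate that is left behind after uninstall, here is an added illustration that is not Chrome's code and not from anyone in this thread. It is a small model of chain validation: certificates are plain records, "signatures" are modelled as a key-match check because the Python standard library has no X.509 support, and every name and key (Public Root CA, Vendor Interception Root, www.example.com, the key bytes) is constructed for the example.

```python
"""Model of how chain validation and SPKI pinning interact with a locally-installed
interception root.  Added illustration only: not Chrome's implementation.  All
certificate names and key bytes below are constructed; a "signature" is modelled
as the signer's key matching the issuer's key."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes          # stand-in for the SubjectPublicKeyInfo bytes
    signer_spki: bytes   # stand-in for the signature: the key that signed this cert


def spki_hash(spki: bytes) -> str:
    """Pins are expressed as SHA-256 over the SPKI, the form browsers use."""
    return hashlib.sha256(spki).hexdigest()


@dataclass
class Verdict:
    ok: bool
    reason: str
    anchor: str = ""        # subject of the trust anchor the chain ended at
    anchor_store: str = ""  # "builtin" or "local"
    pins_enforced: bool = False


class Browser:
    def __init__(self, builtin_roots, pins):
        self.builtin = {c.subject: c for c in builtin_roots}  # shipped with the browser
        self.local = {}                                       # added by OS admin / vendor
        self.pins = pins                                      # host -> set of SPKI hashes

    def install_local_root(self, cert):
        self.local[cert.subject] = cert

    def remove_local_root(self, subject):
        self.local.pop(subject, None)

    def verify(self, host, chain):
        """chain = [leaf, intermediate, ...] as presented by the server."""
        if chain[0].subject != host:
            return Verdict(False, "name mismatch")
        # Each cert must be signed by the key of the next cert in the chain.
        for cert, parent in zip(chain, chain[1:]):
            if cert.issuer != parent.subject or cert.signer_spki != parent.spki:
                return Verdict(False, f"bad signature on {cert.subject}")
        last = chain[-1]
        if last.issuer in self.builtin:
            anchor, store = self.builtin[last.issuer], "builtin"
        elif last.issuer in self.local:
            anchor, store = self.local[last.issuer], "local"
        else:
            return Verdict(False, "no trust anchor")
        if last.signer_spki != anchor.spki:
            return Verdict(False, f"bad signature on {last.subject}")
        # Pins are only enforced for chains ending at a built-in root; a chain that
        # terminates at a locally-installed root is accepted without a pin check.
        pins = self.pins.get(host)
        if pins and store == "builtin":
            if not any(spki_hash(c.spki) in pins for c in chain + [anchor]):
                return Verdict(False, "pin violation", anchor.subject, store, True)
            return Verdict(True, "chain valid, pins satisfied", anchor.subject, store, True)
        return Verdict(True, "chain valid, pins not enforced", anchor.subject, store, False)


def build_scenario():
    # Constructed public PKI: root -> intermediate -> site certificate.
    root_key, inter_key, site_key = b"public-root-key", b"public-intermediate-key", b"site-key"
    public_root = Cert("Public Root CA", "Public Root CA", root_key, root_key)
    intermediate = Cert("Public Intermediate CA", "Public Root CA", inter_key, root_key)
    genuine_leaf = Cert("www.example.com", "Public Intermediate CA", site_key, inter_key)

    # Constructed interception root whose single key is shared by every machine.
    vendor_key = b"vendor-interception-root-key"
    vendor_root = Cert("Vendor Interception Root", "Vendor Interception Root", vendor_key, vendor_key)
    # A leaf for the pinned site signed with that shared key.
    forged_leaf = Cert("www.example.com", "Vendor Interception Root", b"other-key", vendor_key)

    browser = Browser([public_root], {"www.example.com": {spki_hash(inter_key)}})
    return browser, vendor_root, [genuine_leaf, intermediate], [forged_leaf]


def run():
    browser, vendor_root, genuine, forged = build_scenario()
    results = {"genuine": browser.verify("www.example.com", genuine),
               "forged_before_install": browser.verify("www.example.com", forged)}
    browser.install_local_root(vendor_root)           # what the preinstalled software did
    results["forged_with_root"] = browser.verify("www.example.com", forged)
    browser.remove_local_root(vendor_root.subject)    # the cleanup step uninstalling skipped
    results["forged_after_removal"] = browser.verify("www.example.com", forged)
    return results


if __name__ == "__main__":
    for name, v in run().items():
        print(f"{name:24} ok={v.ok!s:5} pins={v.pins_enforced!s:5} {v.reason} [{v.anchor_store}]")
```

Run it and the four verdicts show the thread's point in order: the genuine chain passes with pins enforced, the forged leaf is rejected while the vendor root is absent, it is accepted with pins silently skipped once that root is in the local store, and it is rejected again only after the root itself is removed, which is why uninstalling the proxy without deleting the certificate leaves the machine exposed.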
Komodia, the company behind the tech contracted by the maker of SuperFish, actually (tries to) make sure invalid and self-signed certificates do generate a warning in the browser. And then they password protect the private key with... the name of their company?!?
"Also the module tries to verify that the certificate is indeed signed by an approved signer, it will use the CA store of the browser used to verify that (for Internet Explorer the Windows store will be used, and for Firefox the NSS store will be used), if the certificate isn't legit, the created certificate will be created in a way it would raise an alert to protect the user."
Sure, but I assume Mozilla doesn't recognize the Lenovo adware, so if all the web traffic is being routed through this proxy, shouldn't Firefox have squawked?
Mozilla has its own proxy settings as well, independent of Windows Control Panel configuration, so a Firefox user appears not to be impacted by the whole thing at all.
It's not clear to me. Just a few minutes ago (and after your post) this appeared on the Mozilla discussion forum given by [1] above (will come back to credit this - didn't copy and don't remember (and can't see!)).
When taking Firefox into use, it imports the OS proxy settings, though. You get a warning but I guess about 99 % of people don't care about what that means.
>They install a web proxy which MITMs all web connections, including HTTPS by means of a pre-installed trusted root certificate.
That's the odd part of this. Browser plugins can modify the DOM (insert ads, change search results, etc) without proxying anything. So why do it? I wonder if they were fishing for an NSA contract to further monetize the installs.
Browser plugins are easy to wipe out. When dealing with a rather persistent malware a few months ago, it had inserted a legacy policy for a proxy in the Windows registry in a place not commonly checked by malware scanners. You turn off the proxy settings, but at every reboot it would come back and nothing seemed to catch it at the time. Malware can inject things in to the local group policy and other places that are not commonly checked, such as the root cert store, making them very likely to be missed by tech support.
The root certificate is the same across all installs, and the private key is present on the machine (necessarily, to operate the proxy): https://twitter.com/fugueish/status/568258997578371072
Uninstalling the app does NOT remove the certificate: https://twitter.com/metsfan/status/568265468173107200