
"National security" is such a fickle concept.

You can bet that if the NSA manages to use this to hoover up some tasty HTTPS, this scandal will be lauded as a big boost to "national security" behind the scenes, and nobody will be punished. For all we know NSA had a hand in engineering this.

Of course, if some government data is stolen as a result, then the whole thing will be thrown under the bus and deemed a threat to "national security".

I hope anyone who uses terms like "national security" does it in full awareness of what Orwell meant by newspeak and doublethink.



The NSA doesn't need this amateur-hour backdoor. They surely have control of one or more genuine certificate authorities already.


Impersonating a CA is not transparent and risks losing that CA if anyone finds out it's forging certs. They probably can do that, but it's a risky nuclear option.

This is a transparent dragnet that can easily be blamed away, which has been shown to be much preferable in the NSA's M.O.
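The "transparent dragnet" the comment describes works by planting a trusted root in the endpoint's own certificate store, so the defender's check is to look at that store rather than at any public CA. Below is an added triage script, not code from the thread or from Lenovo or Superfish, that lists trusted roots on a Windows machine and flags the two properties a locally injected interception root tends to have: the root's private key is present on the endpoint (a public CA never ships its key), and the root is neither distributed by Microsoft nor in your own golden-image baseline. It assumes PowerShell 5 or later and read access to the certificate stores; the baseline file path is a placeholder.

```powershell
# Added example (not from the thread, not vendor code): triage the trusted
# root stores on a Windows endpoint for roots that look locally injected.
# Assumes PowerShell 5+ and read access to the certificate stores.

# Roots that Microsoft distributes through its root program are mirrored in
# AuthRoot. Anything in Root that is neither there nor a Microsoft root was
# added locally by an installer, group policy, or something less welcome.
$knownRoots = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
    Select-Object -ExpandProperty Thumbprint

# Optional: thumbprints exported from a known-good image of the same build,
# one per line. The path is a placeholder; the check is skipped if absent.
$baselinePath = 'C:\baseline\trusted-root-thumbprints.txt'
$baseline = if (Test-Path $baselinePath) { Get-Content $baselinePath } else { @() }

$findings = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()

        # A trusted root whose private key sits on the endpoint can mint a
        # browser-valid certificate for any site the user visits.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on endpoint'
        }

        # Not a Microsoft root, not in AuthRoot, not in our own baseline.
        $isMicrosoft = $cert.Subject -match 'Microsoft'
        $isKnown     = ($knownRoots -contains $cert.Thumbprint) -or ($baseline -contains $cert.Thumbprint)
        if (-not $isMicrosoft -and -not $isKnown) {
            $reasons += 'not in AuthRoot or baseline'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                HasKey     = $cert.HasPrivateKey
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is readable. The AuthRoot comparison is a heuristic: OEM images and enterprise policy legitimately add roots, so a hit means "explain this root", not "malware". A root with its private key on the box, by contrast, has no legitimate reason to be there on an end-user machine and is the finding to escalate first.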


The sad thing is we don't need to invoke the big bad NSA here. There is absolutely positively nothing about this that suggests it is anything other than bog-standard SSL incompetence.

And to be clear, I mean, absolutely nothing. This isn't a slightly unlikely thing that still leaves room to wonder about "plausible deniability"... this is a thing that happens all the damned time and the NSA need at most sit back and passively reap the benefits, along with hackers and criminals.

Somebody somewhere wanted to get in on the advertising gig because it looks like free money. Their first attempt didn't work on HTTPS sites. Some techie was ordered to fix it. Said techie read a few things on a few sites and typed in the magic commands to "make it work" and probably literally didn't even know that they'd just annihilated security for all their users... they literally just knew that this made their software "work", and for them, pretty much the first time they clicked on to an HTTPS page and saw their own ads, the story ended. Ship it.

To a first approximation, nobody using SSL in some manner understands SSL.


It does seem like this is more of an amateur-hour screw-up. It isn't beyond the NSA to plant developers that can insert backdoors on their behalf or set up front companies to sell vulnerable libraries, but one would hope that they have enough sense not to leave cleartext passwords in a binary. Of course that could be an intentional misdirection, so one never really knows.


I really don't agree. Every government has an official CA, and last time one was caught (France with fake Google certs IIRC), nothing happened at all. Most CAs are too big to fall anyway.


The employers that I know of who do government work require that all computers/phones that work is performed on be from certain manufacturers, which are US companies; an issue like this is the exact thing they cite as the reason for not using foreign companies as providers of such hardware. So the chance of government data being stolen is minimal, so the chance of the US government caring much is unlikely. So I doubt this will wind up under that bus.


Lenovo is a Chinese company, so it's possible, but you'd think they're more likely to be responsible.


Isn't Superfish (or is it Phish?) a US/Israeli company?

Some of the code inserted is pretty strange, including functions to check for Lenovo, bestbuy.com and isPayingCountry() with a list of country identifiers:

http://pastebin.com/AQqWirba

So apparently they work with some big companies, and I can't work out what the country check is for, perhaps for subsidiaries of a large customer?


The code you linked is nothing out of the ordinary as far as adware in Chrome plug-ins etc. go. For an example have a look at the source code[1] of "Awesome Screenshot"[2] which is used by ~1,4M users and also calls home to 7 different hosts[3]. This is just one of many many Chrome plug-ins that is injecting ads and Google encourages this[4]. It makes sense to limit injections to markets they can serve / are affiliates in.

[1] https://github.com/heyalexej/pretty-fucked-up/blob/master/ba...

[2] https://chrome.google.com/webstore/detail/awesome-screenshot...

[3] https://gist.github.com/mvirkkunen/89f61a06819530e48b53

[4] https://developer.chrome.com/webstore/program_policies#ads


have a look at the source code[1] of "Awesome Screenshot"[2] which is used by ~1,4M users and also calls home to 7 different hosts

Insanity!



