
Ironically, I've been MITM'ing my HTTP and HTTPS for over a decade with Proxomitron, and it's been quite useful:

http://en.wikipedia.org/wiki/Proxomitron

Interesting question to consider: what if the MITM was benevolent to the user? I.e. Lenovo included a similar ad-blocking proxy in their default installation? Would the public response have been as negative, or would it be considered to be a helpful addition akin to how most browsers now include popup-blockers?

In other words, are people more repulsed by the purpose (advertising)? Because I certainly think MITM'ing connections locally to remove ads is a good thing... and with some devices like "smart" TVs apparently now phoning home and showing ads, I have no qualms about putting their traffic through a proxy to strip that crap out.



The issue here isn't so much the ads as it is being able to authenticate that the remote party is who you think it is – if your browser trusts the MITMed certificate, you no longer have the guarantee that your banking website is actually your banking website and nothing nefarious, as the page has been intercepted (maliciously or not) in-flight.

avast! was actually guilty of this a while ago (see https://lelutin.ca/posts/avast_conducts_MitM_attack_on_users...), and the article gives some good rationale why MITMing SSL at all without the user's explicit knowledge is bad.


if your browser trusts the MITMed certificate, you no longer have the guarantee that your banking website is actually your banking website and nothing nefarious, as the page has been intercepted (maliciously or not) in-flight.

The trust essentially moves from the browser to the proxy - while I don't know what Superfish does, Proxomitron definitely checks the certificate and pops up a warning dialog if there's something wrong.

why MITMing SSL at all without the user's explicit knowledge is bad

I think "without the user's explicit knowledge" is the key point here; if you install a security product then you somehow expect that it be able to inspect all your traffic for any maliciousness... as otherwise the "bad guys" will just make use of SSL to defeat that.


Presumably (hopefully!) when you installed Proxomitron, it generated a new unique private key for your own personal MITM.

Apparently Superfish ships from Lenovo with the same private key on every machine. So all a bad guy needs to do is extract that private key from one machine, and now they can MITM all the Superfish Lenovo machines from basically anywhere on the Internet.


It does come with its own certificate by default, with instructions for generating your own, but it doesn't trust that certificate for external connections; it uses a separate database of trusted roots which doesn't include the MITM certificate.

Has anyone confirmed the certificate validation behaviour in Superfish? I have a feeling it will be "none at all", which would be really bad...
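The design the comment above describes (the proxy's upstream validation uses a trust store that does not contain its own MITM root) and the shared-key concern raised earlier can both be checked with openssl. This is an added example, not something from the thread or from Proxomitron/Superfish; the CA names, file names and the "Demo Public CA" standing in for the real public root bundle are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a local intercepting proxy's own root, a leaf it would
# forge for a site, and an independent root standing in for the public CA set.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. The proxy's MITM root (what an intercepting proxy installs in the browser)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo MITM Root" -keyout mitm.key -out mitm.crt >/dev/null 2>&1

# 2. A leaf cert the proxy would present for a site, signed by that root
openssl req -newkey rsa:2048 -nodes -subj "/CN=bank.example" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA mitm.crt -CAkey mitm.key -CAcreateserial \
  -days 1 -out leaf.crt >/dev/null 2>&1

# 3. An independent root: the store the proxy should use for upstream checks
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Demo Public CA" -keyout public.key -out public.crt >/dev/null 2>&1

# verify_against STORE CERT: "trusted" if CERT chains to a root in STORE
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# root_fingerprint CERT: SHA-256 fingerprint of an installed root. Two
# machines showing the same value share the root (and therefore its key).
root_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Browser side: the forged leaf is accepted because the MITM root is trusted.
echo "leaf vs proxy's own root:   $(verify_against mitm.crt leaf.crt)"
# Upstream side: a store without the MITM root rejects the same leaf, which
# is what lets the proxy still catch a third party's forged certificate.
echo "leaf vs independent store:  $(verify_against public.crt leaf.crt)"
echo "installed root fingerprint: $(root_fingerprint mitm.crt)"
echo "demo files left in $WORK"
```

If the proxy's own root ever ends up in the store it uses for upstream validation, the second check turns into "trusted", and anyone holding that root's private key can pass it from anywhere on the network.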


It's all fine when it's you who is controlling the MITMing. In this case, Lenovo's malware does this without the knowledge of the user and uses the same certificate on each machine, the private key for which is embedded in said malware. That private key has probably already been extracted (or it will be very soon) - and at this point anyone can MITM your Lenovo machine by using that certificate.



