Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Web browsers are also to blame for Lenovo's Superfish fiasco

Michael Horowitz | March 10, 2015
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong, leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserve plenty of blame for breaking the security of HTTPS and SSL/TLS.

Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong, leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserve plenty of blame for breaking the security of HTTPS and SSL/TLS.

Taking a step back however, blame also falls on our web browsers.

Google (Chrome), Microsoft (Internet Explorer), Apple (Safari) and Mozilla (Firefox) enable the security hack that Superfish and others such as PrivDog and Gogo engage in. They do this by omission, not commission. 

Let me explain.

Secure (HTTPS) web pages are required to send the web browser a file called a digital certificate which serves, among other purposes, to insure that you are actually viewing the website you think you are viewing.

This is needed because the underlying design of the Internet makes scam websites possible. That is, you could be looking at somebankingsite.com and instead of it really being a bank, it could be a phony duplicate site designed to trick you in any number of ways.

One defense against this, is the digital certificate file. Just as a postmark proves where and when a letter was mailed, the certificate file is supposed to prove the identity of the website.

To run a secure HTTPS website, you first have to get a certificate file from any of the hundreds of companies in business to sell them. These trust-selling profit-making companies are called Certificate Authorities. They are supposed to check the identity of the person or company making the request.

Pass the identity check, pay a fee, and you get a certificate file vouched for by a Certificate Authority.

Techies refer to the certificate file as "certificate" or, more often, just as a "cert". An article about Gogo at Ars Technica referred to it as an "HTTPS certificate". A recent Bloomberg story about Hilary Clinton's private email system called it an "encryption certificate" referring to another of its purposes - being the basis for encrypting data in transit. Google, in their explanation of the topic below, calls it a "security certificate".

Verbiage like this probably sounds reassuring, to non-techies, but, the system is terribly flawed, so much so, it borders on being a scam.

One of the biggest flaws in the system is that any Certificate Authority (CA) can vouch for any website.

Add to this, the fact that there are hundreds of Certificate Authorities and each one has sub-contractors than can also issue certificates.

Plus, no one knows who these companies are. GeoTrust, Entrust, USERTrust, GTE CyberTrust, Starfield, CertPlus, DigiCert and Thawte are not exactly household names. Steve Gibson is fond of pointing out that the Hong Kong Post Office is a trusted Certificate Authority. Would you trust a website whose identity is certified by the Hong Kong Post Office? Our browsers do.

 

1  2  3  4  5  Next Page 

Sign up for Computerworld eNewsletters.