
Web browsers are also to blame for Lenovo's Superfish fiasco

Michael Horowitz | March 10, 2015
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserves plenty of blame for breaking the security of HTTPS and SSL/TLS.

The companies that produce web browsers did not create this flawed system, but they aid it by hiding it.

The time has come for web browsers to stop hiding the name of the Certificate Authority vouching for secure websites.

No doubt, Microsoft, Apple, Google and Mozilla will point out that the name of the vouching Certificate Authority is readily available. Technically, it is. Realistically, however, it is not, at least not for the non-techies that need it the most.

To see the name of the vouching Certificate Authority you need to know a secret handshake, a clickstream that's never explained to newbies. And, the handshake differs for each browser.

Limiting myself to just Windows, I found multiple paths to uncovering the name of the vouching CA.

With Firefox 36 (above), you need to click on the company name in green, just to the left of the website name in black on the address bar. In the window that pops up, the CA name appears after "Verified by".

In Chrome 41, the company name is dark green in a light green rectangle. You again need to click on the company name, then on the word "Connection". It is not immediately clear in the window that pops up that there are two tabs, one for Permissions, one for Connections. For whatever reason, the visual design of these tabs is totally different than the browser tabs right above it. In the Connection tab, the CA name is in the first sentence, after "has been verified by".

With Internet Explorer 11 you don't need to click, but you do need to shift your focus from the left side of the address bar to the right side. Hovering the mouse over the name of the company produces a popup window with the CA name displayed after "Identified by".

Opera 27 starts off like Firefox: you need to click on the company name displayed in green next to the website name in black. Then, you need to click on the word "details". The name of the Certificate Authority is shown, but it is not identified as such.

Vivaldi technical preview 2 offers a secret handshake hint. If you hover the mouse over the company name displayed in green to the left of the website name, a pop-up window says "site info". Another clue that clicking here offers more goodies is the fact that the background color changes from light green to dark green. Clicking on the company name produces a window that looks exactly like Chrome, with a default Permissions tab and a Connections tab.

One operating system, five browsers, four different click trails to learn the name of the vouching Certificate Authority.

 
