
Web browsers are also to blame for Lenovo's Superfish fiasco

Michael Horowitz | March 10, 2015
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserves plenty of blame for breaking the security of HTTPS and SSL/TLS.

Stepping away from Windows, Safari on OS X does not let you click on the company name; instead, you have to click on the much smaller green lock to the left of the company name.

Two iOS 8 browsers function like Jekyll and Hyde. Chrome does not show the company name, only the URL. In total contrast, Safari only shows the company name and hides the URL.

The worst thing about Safari on iOS 8 is that no matter where you click, press or hover, it won't rat out the Certificate Authority vouching for secure websites. Heck, it doesn't even show full URLs. Then too, Chrome running on Android is also incapable of identifying the Certificate Authority vouching for a secure website.

Strange coincidence that the most popular browsers on iOS and Android are both missing an important security feature.

You may have also noticed in the screen shots above that the Certificate Authority is never identified as such. Nerds designed the user interface so they assume everyone on the planet is, like them, already familiar with the system. I guess they don't have mothers.

On Windows, Firefox, Chrome and Vivaldi use "verified by", Internet Explorer uses "identified by" and Opera just puts the name out there without a label.

The best explanation I have seen is Safari on OS X which says, in effect: company x has identified website y as being owned by company z. Fairly straightforward. But even this explanation does not identify the Certificate Authority as a Certificate Authority, making it that much harder for non-techies to get with the program.

Adding to the confusion are the names of the Certificate Authorities. In the Bank of America examples above, we saw four different names: VeriSign Inc, VeriSign (without the Inc), Symantec Corporation and my personal favorite: Symantec Class 3 EV SSL CA - G3.

How does one Certificate Authority end up with four names?

In part it comes from the certificate file having multiple embedded names for each CA. Chrome displays the "common name" while Firefox displays the "Organization name". None of the browsers displayed the "Organizational Unit" name, which, in this case, was "Symantec Trust Network".

Multiple names also stem from the use of sub-contractors (not the term nerds use, but one that better represents the concept) by Certificate Authorities.

These sub-contractors, in turn, can have their own sub-contractors. In reality, a single CA never vouches for an individual website; the lowest sub-contractor does. So, what name should the browser show? That of the lowest sub-contractor, an intermediate sub-contractor or the highest level Certificate Authority?

In the Bank of America examples shown earlier, the browsers reporting that VeriSign vouched for the website got the name from either the mid-level sub-contractor CA or the original contractor CA (known to techies as the root CA).
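To make the "four names for one CA" point concrete, here is an added example (not code from the article or from any browser vendor) that builds a three-level chain with Go's standard library, then reads the issuer's common name, organization name and organizational unit at each level, the three fields browsers pick from. The certificate names (Example Root CA, Example Class 3 EV Server CA - G3, www.bank.example and so on) are made up for the example; the Bank of America chain in the article is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuerNames are the three issuer fields a browser could display as
// "who vouches for this site": Chrome-style CN, Firefox-style O, and the OU
// that, per the article, no browser showed.
type IssuerNames struct {
	CommonName         string
	Organization       string
	OrganizationalUnit string
}

func firstOrEmpty(s []string) string {
	if len(s) == 0 {
		return ""
	}
	return s[0]
}

// IssuerNamesOf reads the issuer fields out of a parsed certificate.
func IssuerNamesOf(c *x509.Certificate) IssuerNames {
	return IssuerNames{
		CommonName:         c.Issuer.CommonName,
		Organization:       firstOrEmpty(c.Issuer.Organization),
		OrganizationalUnit: firstOrEmpty(c.Issuer.OrganizationalUnit),
	}
}

// DistinctIssuerNames walks a leaf-first chain and collects every distinct
// issuer CN and O that some browser might present as "the CA".
func DistinctIssuerNames(chain []*x509.Certificate) []string {
	seen := map[string]bool{}
	var out []string
	for _, c := range chain {
		n := IssuerNamesOf(c)
		for _, s := range []string{n.CommonName, n.Organization} {
			if s != "" && !seen[s] {
				seen[s] = true
				out = append(out, s)
			}
		}
	}
	return out
}

// signCert issues template signed by parent/parentKey and returns it parsed.
// For a self-signed root, parent is the template itself.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain constructs root -> intermediate -> leaf with constructed names
// chosen so each level's issuer fields differ. Returned leaf first.
func BuildChain() ([]*x509.Certificate, error) {
	now := time.Now()
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, intKey, leafKey := keys[0], keys[1], keys[2]
	caTemplate := func(serial int64, name pkix.Name) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: name,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTemplate(1, pkix.Name{CommonName: "Example Root CA",
		Organization: []string{"Example Inc"}, OrganizationalUnit: []string{"Example Trust Network"}})
	root, err := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	intTmpl := caTemplate(2, pkix.Name{CommonName: "Example Class 3 EV Server CA - G3",
		Organization: []string{"Example Corporation"}, OrganizationalUnit: []string{"Example Trust Network"}})
	intermediate, err := signCert(intTmpl, root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.bank.example", Organization: []string{"Example Bank"}},
		DNSNames:     []string{"www.bank.example"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, intermediate, root}, nil
}

// VerifyChain checks that the leaf chains to the root for host (what the
// browser does before it shows any CA name at all).
func VerifyChain(chain []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	chain, err := BuildChain()
	if err != nil {
		panic(err)
	}
	if err := VerifyChain(chain, "www.bank.example"); err != nil {
		panic(err)
	}
	for i, label := range []string{"leaf", "intermediate", "root"} {
		n := IssuerNamesOf(chain[i])
		fmt.Printf("%-12s subject=%q issuer CN=%q O=%q OU=%q\n", label, chain[i].Subject.CommonName, n.CommonName, n.Organization, n.OrganizationalUnit)
	}
	fmt.Println("distinct CA names a browser might show:", DistinctIssuerNames(chain))
}
```

Run it and the leaf's issuer alone yields two candidate names (the intermediate's CN and its O), and the intermediate's issuer yields two more (the root's CN and O): four labels for what the user would think of as one CA, with the OU never surfacing. Which one a browser displays is a UI choice, not a property of the certificate.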
