
Web browsers are also to blame for Lenovo's Superfish fiasco

Michael Horowitz | March 10, 2015
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserves plenty of blame for breaking the security of HTTPS and SSL/TLS.

And it gets worse.

In the case of the Bank of America, nerds know that Symantec bought VeriSign, so the NSA was not playing tricks on me when I took these screenshots. The two are one and the same.

But, does the Bank of America really use VeriSign? Maybe they use DigiCert or GeoTrust or Thawte. How can we know? The only way to know is if your sister works for the bank.

Still think my earlier use of the term "scam" was too harsh?

With this as background, we can now fully understand how Superfish worked.

MAN-IN-THE-MIDDLE

Simply put, Superfish placed itself between the victim and the rest of the world.

When Lenovo customers thought they had a secure connection to somebankingsite.com, they did not. They had a secure connection to Superfish software running on their Windows 8 PC.

Likewise, the bank was also fooled into thinking it was communicating directly with a customer. It was not; it, too, was talking to Superfish. It's a classic man-in-the-middle attack.

In the old days, only bad guys and spies carried out man-in-the-middle attacks. Now advertising companies do it too.

Classic man-in-the-middle attacks had an insecure HTTP connection between the web browser and the bad guy. If the substitution of HTTP for HTTPS did not give it away, then the missing lock icon should have. Things have progressed since then.

Superfish was able to hide its presence by providing the web browser with a certificate. Not the real certificate, of course, but one that Superfish created on the fly. No matter what secure HTTPS website the Lenovo customer visited, Superfish dynamically created a certificate for it.

Another part of the attack involved getting the web browsers to trust certificates from Superfish. Normal computers do not trust them.

Months went by without Lenovo customers noticing that Superfish was vouching for every secure website in the world. This tells me that finding the name of the vouching Certificate Authority is too hard. I'm sure that Gogo was issuing scam YouTube certificates well before a flying Google employee noticed it.

Web browsers need to clearly identify the vouching Certificate Authority in a prominent way. Make us click to remove the name rather than show it. Browsers need to shine a light on a system that functions in the dark.
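To make the two mechanisms above concrete (a certificate minted on the fly for any site, and a locally trusted root that vouches for it), here is an added Go example using only the standard library. It is not code from the article, Lenovo or Superfish; the CA names, keys and the hostname are constructed. It reports exactly what a browser could show the user: the name of the vouching CA, and whether the certificate chains to the genuine public root alone or only once the injected root is in the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert issues a certificate for cn: self-signed when parent is nil, otherwise signed by parentKey.
// A leaf gets cn as its DNS SAN, the way Superfish minted a certificate for whatever host the victim requested.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer, signCert := key, tmpl // a self-signed root unless a parent is given
	if parent != nil {
		signer, signCert = parentKey, parent
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signCert, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Inspect models the Superfish setup for host and returns what a browser could tell the user: the vouching
// CA's name, whether the leaf chains to the genuine public root alone, and whether it chains with the injected root.
func Inspect(host string) (issuer string, publicRootOnly, withLocalRoot bool) {
	publicRoot, _ := MakeCert("Example Public CA (constructed)", true, nil, nil)
	localRoot, localKey := MakeCert("Local interception root (constructed)", true, nil, nil)
	leaf, _ := MakeCert(host, false, localRoot, localKey) // minted on the fly for the requested site
	clean, poisoned := x509.NewCertPool(), x509.NewCertPool() // the real store vs. one with the extra root
	clean.AddCert(publicRoot)
	poisoned.AddCert(publicRoot)
	poisoned.AddCert(localRoot)
	_, errClean := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: clean})
	_, errPoisoned := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: poisoned})
	return leaf.Issuer.CommonName, errClean == nil, errPoisoned == nil
}
```

The issuer string is the single fact the article argues browsers should put in front of the user; the two verification results show why the interception is invisible only after the extra root has been planted in the store.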

The late retailer Sy Syms used to advertise that "an educated consumer is our best customer". Not so in the tech world. Keeping non-techies ignorant seems to be a goal.

If the Certificate Authority name were prominently displayed in the browser window, end users could benefit in multiple ways.

For one thing, financial firms might be motivated to publicize the Certificate Authority they use, making scams harder.
