
Web browsers are also to blame for Lenovo's Superfish fiasco

Michael Horowitz | March 10, 2015
Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil or, as it eventually claimed, merely incompetent, it is hard to trust the company going forward. If nothing else, its initial denials that anything was wrong leave a lasting impression. Of course, Superfish, along with the Komodia software it bundled, also deserves plenty of blame for breaking the security of HTTPS and SSL/TLS: it installed its own root certificate, with the same private key on every machine, so that its proxy could intercept supposedly secure connections.

And, over time, we will inevitably learn something about the various companies in the business of selling trust.

We will come to recognize the Certificate Authorities used by major companies and trust them more than one whose name we have never seen before. We will know who is supposed to be vouching for the secure sites we frequent. As things stand, the identity of a CA means nothing to almost everyone using the Internet.

Spy agencies would hate educated consumers.

The current system serves them well. They can offer up a scam copy of a website and vouch for it with a certificate from a compromised Certificate Authority. Compromising a single CA lets them vouch for any website, because every CA in a browser's trust store can issue a certificate for any domain and the browser never shows which one did. The scam works only as long as the CA name stays hidden. If we could see that Harvey's Certificate Authority was vouching for Bank of America, it wouldn't work.

So, let's see it, Google, Apple, Mozilla and Microsoft. I dare you to prominently tell your users which Certificate Authority is vouching for the identity of supposedly secure websites.
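What that dare amounts to in code, as an added example that is not part of the original column: a standard-library Python script that reads the issuer and subject names out of a DER-encoded X.509 certificate and compares the issuer against the CA you expect for that site. The two certificates it inspects are constructed inline with a small DER encoder (no real key, placeholder signature) to reproduce the article's scenario; the pinned CA name "Example Trusted CA" and all helper names are assumptions. It does no signature or chain validation; that remains the browser's job, and a compromised CA would pass it anyway.

```python
"""Surface and pin the issuing CA of an X.509 certificate (DER). Stdlib only.
The certificates below are CONSTRUCTED here with a tiny DER encoder; they are
not real, carry no key, and have a placeholder signature."""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_RSA = "1.2.840.113549.1.1.1"

# ---- DER encoding: just enough to build a sample certificate ----------------
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:            # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(**attrs):
    """X.501 Name: SEQUENCE of RDNs, each a SET of one {OID, UTF8String}."""
    short_to_oid = {v: k for k, v in OID_NAMES.items()}
    rdns = [tlv(0x31, seq(oid(short_to_oid[k]), tlv(0x0C, v.encode())))
            for k, v in attrs.items()]
    return seq(*rdns)

def make_cert(issuer, subject):
    """Unsigned v3 certificate skeleton (hypothetical helper, not a CA tool)."""
    sig_alg = seq(oid(OID_SHA256_RSA), tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                           # [0] version
        tlv(0x02, b"\x01"),                                       # serialNumber
        sig_alg,
        issuer,
        seq(tlv(0x17, b"150301000000Z"), tlv(0x17, b"160301000000Z")),
        subject,
        seq(seq(oid(OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00")),  # SPKI stub
    )
    return seq(tbs, sig_alg, tlv(0x03, b"\x00"))                  # placeholder sig

# ---- DER decoding -----------------------------------------------------------
def read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                   # long form: next n bytes hold length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        items.append((tag, value))
    return items

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_name(payload):
    """{short name or dotted OID: string}; works for UTF8/Printable strings."""
    attrs = {}
    for _, rdn in children(payload):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)
            dotted = decode_oid(o)
            attrs[OID_NAMES.get(dotted, dotted)] = v.decode("utf-8", "replace")
    return attrs

def parse_cert(der):
    """Issuer and subject of a DER certificate. No signature/chain check."""
    _, cert, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version is optional
        fields = fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, ...
    return {"issuer": decode_name(fields[2][1]), "subject": decode_name(fields[4][1])}

def check_issuer(der, expected_issuer_cn):
    """Issuer pin: (matches?, subject CN, issuer CN)."""
    info = parse_cert(der)
    issuer_cn = info["issuer"].get("CN")
    return issuer_cn == expected_issuer_cn, info["subject"].get("CN"), issuer_cn

# Constructed samples for the article's scenario (assumed names, not real certs).
EXPECTED_CA = "Example Trusted CA"
LEGIT = make_cert(name(CN=EXPECTED_CA, O="Example Trust Inc"), name(CN="bankofamerica.com"))
ROGUE = make_cert(name(CN="Harveys Certificate Authority"), name(CN="bankofamerica.com"))

if __name__ == "__main__":
    for label, der in (("legit", LEGIT), ("rogue", ROGUE)):
        ok, subj, iss = check_issuer(der, EXPECTED_CA)
        print(f"{label}: {subj} vouched for by {iss!r} -> {'OK' if ok else 'ISSUER MISMATCH'}")
```

To run it against a real certificate, pass the DER bytes to `parse_cert` (a PEM file needs the base64 between the BEGIN/END lines decoded first). The point of the check is only to make the issuer visible and compare it with the one you expect: a certificate from a compromised CA still forms a perfectly valid chain, which is exactly why the name has to be shown.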

Certificate Authority identities matter.
