Bonneau and Gillula were careful in their conclusions, but decided that at least some of the 1,600 certificates they found were the result of in-the-wild attacks.
"While it's likely that some of these domains had legitimately invalid certificates, due to configuration errors or other routine issues, it seems unlikely that all of them did," the pair wrote. "Thus it's possible that Komodia's software enabled real MITM attacks which gave attackers access to people's email, search histories, social media accounts, e-commerce accounts, bank accounts, and even the ability to install malicious software that could permanently compromise a user's browser or read their encryption keys."
Bonneau and Gillula also tallied thousands of certificates linked to PrivDog, adware with ties to certificate-issuing security vendor Comodo. Like the Komodia proxy used in Superfish and other software, PrivDog blithely accepts rogue certificates that would normally trigger browser warnings.
"The Decentralized SSL Observatory has collected over 17,000 different certificates from PrivDog users, any one of which could be from an attack. Unfortunately, there's no way to know for sure," said Bonneau and Gillula.
Previously, security experts had called on Lenovo and other PC makers to halt the practice of factory-installing third-party programs — called everything from "bloatware" to "crapware" — because of potential security and privacy holes.
Bonneau and Gillula went a step further, urging computer buyers to reformat the machine's storage space and reinstall an OS from scratch. They also demanded that software developers stop intercepting encrypted HTTPS traffic, even for purportedly legitimate reasons.
"Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster," they argued.
Sign up for Computerworld eNewsletters.