item 9084407

jgwest | 11 years ago

I think it's interesting that this BADWARE install was found more or less accidentally... apparently by some tech dude noticing that his bank login presented a Silverfish-issued CA cert.

Shouldn't the possibility have been foreseen and addressed beforehand?

Perhaps by...

(1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?

(2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?

If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...

bigbugbag | 11 years ago

I don't know where you got the idea that this got discovered accidentally by this one tech dude. Actually quite a bunch of people have been complaining online about this for months, then for some reason it blew up when the matter got the attention of the tech and sec communities.

See these, for example: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Persona... http://www.thestudentroom.co.uk/showthread.php?t=3013039 https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...

GauntletWizard | 11 years ago

(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM attacks, in that it's distributed with pinned certs for several Google properties, and phones home with reports of errors it receives. This is how the DigiNotar leak[1] was discovered.

Perhaps because it was persistent and on the TCP stack level the phonehomes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.

[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...

pilif | 11 years ago

Chrome does not warn if the non-official root certificate is custom installed on the local machine. It needs to do this because of the various corporate web filters and anti-virus tools that MITM connections too.

Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.
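The two comments above (Chrome's pin-based MITM detection, and its exemption for locally installed roots) can be shown side by side. This is an added example, not code from the thread or from any browser: it builds a constructed test PKI in Go in which an OEM-bundled "Interception Root" has been added to the root store, then checks a forged certificate for the made-up host bank.example against the store and against an SPKI pin recorded from the genuine certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate for cn; parent == nil yields a self-signed root.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA { t.DNSNames = []string{cn} } // only the leaf carries a hostname SAN
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey) // errors ignored: test PKI only
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a Chrome-style pin compares against.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// storeTrusts is the browser's ordinary check: does leaf chain to some root in the store for host?
func storeTrusts(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// Scenario reports (root store accepts the forged bank cert, SPKI pin accepts it).
func Scenario() (storeAccepts, pinAccepts bool) {
	host := "bank.example" // constructed hostname
	realRoot, realKey := makeCert("Real CA", true, nil, nil)
	realLeaf, _ := makeCert(host, false, realRoot, realKey)
	mitmRoot, mitmKey := makeCert("Interception Root", true, nil, nil) // the OEM-bundled root
	mitmLeaf, _ := makeCert(host, false, mitmRoot, mitmKey)           // minted on the fly for the bank
	store := x509.NewCertPool()
	store.AddCert(realRoot)
	store.AddCert(mitmRoot) // the installer dropped it into the machine's root store
	// The pin was recorded from the genuine site earlier; the forged key cannot match it.
	return storeTrusts(mitmLeaf, store, host), spkiPin(mitmLeaf) == spkiPin(realLeaf)
}
```

The store check passes and the pin check fails, which is exactly the gap a local-root exemption opens: once the browser skips pinning for roots found in the machine store, only the store check remains.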

josteink | 11 years ago

> Chrome has a rather sophisticated mechanism for detecting MITM attacks

Which obviously didn't work here, as Chrome was one of the most affected targets.

Firefox on the other hand, was more or less absent altogether. I know which browser I will trust.

nothrabannosir | 11 years ago

That list is public; if you are in the business of writing these proxies anyway, fetching that list and using it as do-not-mitm exceptions is not a stretch. Which, unfortunately, defeats this nice side-effect of certificate pinning. People could have learned from the Diginotar mistake (being: mitm'ing ssl-pinned certs).

AnthonyMouse | 11 years ago

> (1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?

It was installed by the OEM. Doesn't really help if it only notifies the OEM.

> (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?

The general solution to what you're talking about is to prohibit the OEMs from installing anything by default. The problem is the OEMs wouldn't like it and Microsoft has to keep the OEMs happy lest they get any bright ideas about offering their computers with Ubuntu for $50 less than Windows.

scholia | 11 years ago

It's not just that the OEMs wouldn't like it. The US DoJ sued Microsoft (and tried to break it up) to prevent it from having any control over what they do. In fact, Microsoft doesn't know what OEMs are installing as "Windows" unless it goes out and buys one of their PCs.

Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.

aragot | 11 years ago

... or they could develop badware for Ubuntu.

Buge | 11 years ago

I found it by myself several weeks before all this news came out.

I got my new Lenovo Y50, visited my own website with it and decided to see how my https cert looked. I got quite scared when I saw I was being MITMed but I googled it and there were already a ton of forum posts saying it's just stuff bundled with Lenovo. So I uninstalled it.

rst | 11 years ago

Note that uninstalling the program doesn't completely undo the damage; you also need to get rid of the trusted certificate that it uses to make all of its forged certs look legitimate to the browsers. (The private key for that cert has been widely distributed, and at this point, anyone can use it to make a cert for your bank that will look legitimate to your machine so long as the Superfish root cert remains in place.)

Complete instructions here: http://www.pcworld.com/article/2886278/how-to-remove-the-dan...