
Response to Concerns Regarding eDellroot Certificate - fastest963
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
======
jacquesm
"We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka
rotorcowboy, who brought this to our attention. If you ever find a potential
security vulnerability in any Dell product or software, we encourage you to
visit this site to contact us immediately."

That's something a lot of companies could learn from. But besides that the
whole reason why they did it seems a bit thin, as if it needs a root
certificate to get to a device tag.

~~~
SyneRyder
Doesn't seem like even Dell has learned from it. Hanno posted a few tweets
that seem connected to today's Dell statement:

"Dell has a publicly reachable security team. They just didn't answer when I
contacted them about the eDellRoot."
[https://twitter.com/hanno/status/668856347455324160](https://twitter.com/hanno/status/668856347455324160)

"I should repeat that: I contacted Dell's media team on 1st Nov and security
team on 9th Nov about eDellRoot. No answer."
[https://twitter.com/hanno/status/668857466076180480](https://twitter.com/hanno/status/668857466076180480)

~~~
jacquesm
Why would he contact the media team first?

~~~
hannob
I can just answer that myself.

At first I didn't find a security contact on the Dell webpage. As I'm a
journalist and as I investigated this issue to write an article (for
Golem.de), the media contact was my logical next point to contact.

Around a week later without a reply I saw that hackerone had a list of
security contacts for large companies and found that there was a contact
address for Dell there.

~~~
jacquesm
It's the 9th link when searching for 'dell security contact', but it is not on
'dell.com' so I can see how you missed that.

There is a dell.com/security page but it lists all kinds of stuff and does not
provide a security contact.

Maybe every company should have a /security page with a contact?

Or even a 'security.x.com' website as a first point of contact?

Dell should probably instruct their personnel to forward any and all mail
relating to potential security issues to the right department, but at the same
time I don't feel that contacting their marketing department counts as the day
the issue was properly reported.

------
Animats
_"It was intended to provide the system service tag to Dell online support
allowing us to quickly identify the computer model, making it easier and
faster to service our customers."_

Yeah, right. There's no other way to identify the model other than loading a
root certificate with the power to certify any site as any domain. They expect
people to believe that? Are they incompetent or corrupt?

~~~
sanxiyn
Evidence (for example, leaving the private key) suggests that they are
incompetent.

~~~
Mchl
My experience as an employee of a huge manufacturer of consumer electronics
says the same.

------
pheroden
I worked for Dell a few years ago, and this is a complete bullshit response.
The service tag takes all of 3 seconds to obtain. The full system specs are
revealed once it's entered. At no point is bypassing the customers security a
requirement of getting your service tag.

~~~
INTPenis
If you worked for customer support then you know how much longer calls can
take when people are looking for the service tag.

They were speaking for online support, where no support agent is available to
guide the customer through finding the service tag.

I believe they had good intentions but it was very poorly executed.

~~~
junto
I'm an ex-Dell Support site web developer. This used to work using
Java/ActiveX if memory serves me right. Since browsers have started to
downgrade the whole Java experience, it appears that Dell now want you to
download an EXE which you then have to install.

I really don't understand why they would need to install a root cert to make
requests from a client's machine when you already have installed an EXE on the
client's machine (which can basically do anything it wants).

Can anyone think of any genuine reason why an installed executable would need
a CA root cert?

~~~
INTPenis
When it comes to leaving the private key on the client systems then I would
have to refer to Hanlon's razor.

It could simply be a stupid mistake, social media make stupid mistakes into
big deals but they're not a new phenomenon.

------
0x0
It gets better: they also shipped the private key material for signing
arbitrary windows kernel drivers with a Verisign-issued certificate:
[https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-privates](https://www.duosecurity.com/blog/dude-you-got-dell-d-publishing-your-privates)

------
viraptor
I was wondering why they did it... Now I think I'd prefer not knowing. Not
only was it a terrible idea, apparently there was nobody to tell the
programmer it's a terrible idea, and even QA (if they have it) didn't do their
job.

Basically all the way from the idea to release, they had no person who knows
what root certificates are.

~~~
Gibbon1
Sometimes I wonder if this stuff gets added initially because of the need for
manufacturing testing. And then some nitwit VP of engineering decides having
it installed in production would be super for some deranged reason. And no one
can tell him no because the management culture prevents peons from throwing
sh*t back upwards.

~~~
Coincoin
I had my fair share of being forced by higher management to commit insecure
code, obfuscations and encryption security theater despite vehemently
protesting. They seriously don't give a single shit. For them it's acceptable
risk.

~~~
Gibbon1
Acceptable because if it blows up they'll just toss you or one of your
coworkers under the bus. Watch what happens at Volkswagen, you'll see.

------
jaimehrubiks
I don't think it was installed with malicious intentions. It wouldn't make
sense to leave the private key inside anyway.

------
NickHaflinger
With this root cert anyone could decode SSL traffic between you and a supposed
secure web server. These kinds of accidental security blunders seem to be a
regular occurrence. Are people that incompetent, or is there a more sinister
reason?

~~~
simonh
Is that true? I may be off base with this, but as I understand it if the
encrypted traffic you're trying to crack was encrypted using a certificate
chain not descended from this root certificate I wouldn't have thought having
this root CA would help.

As I understand it the vulnerability is that anyone who can obtain this root
CA from a Dell machine can sign their encrypted traffic to appear to be
trusted and secure, even if it's not, to other Dell machines with the same
root CA. You can pretend to be someone you're not to those other Dell
machines, but it doesn't give you a backdoor into chains of trust that don't
descend from the same root CA.

I suppose this might allow you to do a MITM attack, but not decode traffic
you've passively snooped. Otherwise this root CA would have just totally
compromised all internet security.
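To make the distinction simonh draws concrete, here is an added example (not code from Dell, from the linked response, or from anyone in this thread) using only the openssl command line. It builds a throwaway self-signed root as a stand-in for eDellRoot, leaves the private key next to it as Dell did, mints a server certificate for a hostname of the attacker's choosing with that key, and then runs the chain-and-hostname verification a TLS client would perform twice: once with the rogue root in the trust store and once without. It goes beyond the single case discussed above by taking the hostname as a parameter, since a leaked CA key signs for any name. The names "eDellRoot (demo)" and www.example.com are illustrative; the key_matches_cert function is the release-time check (does a private key on the box correspond to a trusted root?) that the thread says nobody ran.

```shell
#!/bin/sh
# Added example, not code from the Dell response or the thread: a throwaway root CA
# stands in for eDellRoot, a certificate for an arbitrary host is minted with its
# private key, and two clients verify it, one trusting the root and one not.
# "eDellRoot (demo)" and www.example.com are illustrative names.
# Requires the openssl CLI (1.1.1 or later) and a POSIX shell.
set -eu

# Create a self-signed root CA and leave its private key beside it, exactly the
# mistake the thread is about. All files go into the directory given as $1.
make_rogue_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = eDellRoot (demo)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
}

# Anyone holding root.key can issue a server certificate for any hostname ($2).
# This is what turns the leaked key into an active MITM tool.
forge_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    cat > "$dir/$host.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 7 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# Verify the forged certificate the way a TLS client would (chain + hostname).
# $3 is "trusted" for a client whose store holds the rogue root, anything else
# for a client that does not. Prints "accepted" or "rejected".
verify_as_client() {
    dir=$1; host=$2; store=$3
    if [ "$store" = trusted ]; then
        caopt="-CAfile $dir/root.crt"
    else
        caopt="-no-CAfile -no-CApath"
    fi
    # $caopt is intentionally word-split into separate openssl options.
    if openssl verify $caopt -verify_hostname "$host" "$dir/$host.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# The check that should have caught this before shipping: does the private key
# in $1 correspond to the certificate in $2? Compares SHA-256 of the DER public
# key from each side. Prints "match" or "mismatch".
key_matches_cert() {
    cert_spki=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_spki" = "$key_spki" ]; then echo match; else echo mismatch; fi
}

# Stand-alone walk-through of the whole scenario.
run_demo() {
    d=$(mktemp -d)
    make_rogue_ca "$d"
    forge_server_cert "$d" www.example.com
    echo "root key matches root cert:      $(key_matches_cert "$d/root.key" "$d/root.crt")"
    echo "client trusting the rogue root:  $(verify_as_client "$d" www.example.com trusted)"
    echo "client without the rogue root:   $(verify_as_client "$d" www.example.com untrusted)"
    rm -rf "$d"
}
run_demo
```

The first client prints "accepted" and the second "rejected", which is simonh's point in two lines: the leaked key lets an attacker who can sit on the path mint a certificate for any name and terminate TLS for a machine that trusts the root, but nothing here helps with traffic captured passively from a server whose chain does not descend from that root. Swap www.example.com for any other hostname in forge_server_cert to see that the root is not limited to Dell's own domains. The key_matches_cert check is the one to run against every root in a trust store whenever a private key turns up beside it.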

------
LeoPanthera
A bad situation, but a good (and timely) response.

~~~
sneak
A response full of lies and spin now qualifies as "good"? Are you kidding?

~~~
LeoPanthera
Which parts do you think are lies?

~~~
sneak
The fact that they installed the certificate unintentionally. It wouldn't be
there without intention. They're just stupid.

------
HappyTypist
I'm beginning to think that Microsoft should automatically block unrecognized
root CAs unless it is added through a group policy.

------
uidguiudfg34859
> Customer security and privacy is a top concern and priority for Dell;

Come on!

The author says right there that the certificates were "intended to make it
faster and easier for our customers to service their system."

Statements completely contradicting each other.

------
aquine
> This certificate is not being used to collect personal customer information.

That's a very strong statement, which a sizeable percentage of Hacker News
readers could probably disprove in minutes.

~~~
eitland
Let's see if that happens. I guess a few hundred people are already looking
for something, either as a claim to fame or just because they are bored.

Personally I put my $0.1 bet on incompetence. Which is of course bad enough
but not Superfish-league.

~~~
simonh
Good point. A lot of parallels are being drawn with Superfish, but the Dell
issue appears at first look to be just incompetence. Further investigation
might finger Dell for more than that, but it's clear that Lenovo/Superfish was
intentional subversion of customer privacy and security in full knowledge of
exactly what they were doing and what the consequences were for customers.

