
Browser Vulnerability to Superfish: A Fact-Finding Trip to Best Buy [pdf] - ndesaulniers
https://bug1134506.bugzilla.mozilla.org/attachment.cgi?id=8566794
======
patcheudor
I went to Best Buy as well today and picked up a laptop to look into this
further. The Superfish software is not properly passing the validation state
of the public cert when it connects to a website like Bank of America as an
example. There's no need to export their private key and use it in a MitM
transparent proxy. The software is simply not triggering appropriate warnings
when provided an obviously fake certificate that has been generated in a way
to bypass browser warnings. It's also not properly validating revoked certs.
Both of these situations are very bad. Allowing any self-signed cert would
lead me to believe that this could have easily been exploited in the wild
without prior knowledge of this vulnerability.

I'm not going to provide a how-to guide on how to exploit users here. I have
notified both Superfish and Lenovo of this issue and here's an example of the
improper status pass through based on doing something that might be quite
obvious to some:

This is what the browser should do when it encounters a self-signed cert
delivered by an SSL/TLS MitM solution:

[http://defaultstore.com/six.png](http://defaultstore.com/six.png)

However, it's not doing this for this self-signed public cert:

[http://defaultstore.com/four.png](http://defaultstore.com/four.png)

Note both certs show "verify_fail." at the beginning and those who know how
browser cryptography works will understand what has gone wrong with their
implementation.

~~~
userbinator
I suppose they were relying on the prepending of "verify_fail" to the hostname
(with an invalid character - '_') to cause the browser to fail the certificate
name check, so Superfish is doing certificate checking? Shouldn't the browser
then complain with a "certificate's hostname does not match the site's"
warning?

...Or am I looking at this in the wrong way?

~~~
patcheudor
You're close. I'm not in the business of telling people how to exploit this
and am assuming those who already know were already doing it based on what
would be a "best practice" (for a bad guy that is) when it comes to generating
a self-signed cert.

~~~
ryan-c
...is it blindly copying _any_ x509v3 attributes present on the certificate,
or just the one that you seem to be carefully not mentioning? Can you email me
(one is listed in my HN profile)? I just thought of a pretty horrible exploit.
2199399413f2e63e6291a3f3e60f3475518aaf88215434222c65d6bc6fe41f34

~~~
userbinator
After a little more thought, it seems obvious to me now what the problem is.
:-)

The shocking thing is that the certificate name matching algorithm has been
standardised for over 15 years and yet those who wrote the cert generation
code weren't aware of how browsers implement it.

~~~
patcheudor
Ding, ding, ding. ;-)

~~~
mattlong
This is bumming me out. I'm really curious about what the exploit is but
cannot quite put the pieces together...

~~~
jasonyan
Looks like someone already wrote a post about it:
[https://blog.filippo.io/komodia-superfish-ssl-validation-is-...](https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/)

------
userbinator
While this whole Superfish/Lenovo thing is certainly quite scary, let's not
forget the very important fact that, currently, the user ultimately still has
the ability to modify the software on the machines he/she owns, which includes
among other things (un)installing software like Superfish, and also
adding/removing trusted certificates. There will be those who advocate locking
down the certificate stores and other areas of the OS (e.g. only "approved"
software can be installed) in an effort to prevent companies from doing things
like this, but I think that could lead to an even worse situation - imagine if
this was preinstalled on a locked-down system that made it nearly impossible
to remove (or perhaps even discover!)

To put it bluntly, I'd still prefer to buy a system "infected" with Superfish
but which lets me reinstall the OS and configure it however I choose, than one
which is locked-down so much that, even if such malware was not present
initially, if something similarly undesirable is eventually installed by
default, it would be nearly impossible to remove. Of course buying an open
system that has no malware/adware preinstalled is even better, but given the
way things seem to be going with "smart TVs" adding ads and whatnot, it feels
like that might not be an option in the future.

~~~
TeMPOraL
Welcome to the War over General-Purpose Computing.

[http://boingboing.net/2012/08/23/civilwar.html](http://boingboing.net/2012/08/23/civilwar.html)

[http://boingboing.net/2012/01/10/lockdown.html](http://boingboing.net/2012/01/10/lockdown.html)

The future really scares me. And yes, backlash from Superfish fiasco will
probably only make things worse.

~~~
GhotiFish
I don't understand how this would be the conclusion reached. If you asked a
person on the street, would they not think that Lenovo is an entity of
authority? That they were the ones dictating the computer's configuration? That
they were any more or less fallible/malicious than Sony or Microsoft or HP?

If you asked anyone, would they not follow the line of reasoning that, if the
manufacturer was releasing hardware in a default state of compromise, that we
could not trust the default state of released hardware? Why would you conclude
the opposite after this?

I can't see a way to construe this as "We need to ensure that machines must
stay as the manufacturer ordained to protect us from security threats
introduced by the manufacturer!"

I don't understand the rationale here.

------
emehrkay
Computing is genuinely becoming scary. If I didn't browse tech sites or spend
my days on HackerNews, I probably wouldn't know about these things. I'm
getting older and more disinterested in the constant maintenance -- I just
want the shit to work. It sucks the most for those who learned "don't install
anything fishy, run a virus scan, don't open attachments, and you'll be fine."
They bought a computer and followed the rules and are still being fucked over.
I've seen a high number of comments that say "oh man, I never trust OEM
software, clean installs only for me." So it looks like there is another rule
for the pleb/peasant/uninitiated computer users to follow. I can barely keep
up, I wonder how nontechnical people do.

~~~
remarkEon
This.

I can tell several stories of trying to set things up for my parents, only to
have to call them/wait until I fly home next to fix something. Lessons have
been learned the hard way on dumb email chains/anti-virus software, but trying
to give them a list of browser settings (among other things) to do is getting
to be too much.

So, now what?

~~~
busterarm
I'm in this situation too.

We're at an impasse now too where my mom wants a new laptop. She doesn't want
to learn anything new (Mac OS) and both she and I don't want to deal with
Windows 8+. I'm skeptical about just installing Windows 7 on a newer laptop
(...driver/hardware support).

If I could get her to switch to Mac (she's in her 70s), I could set her up
with a non-admin user account and set it up easily so that I can securely do
remote support. The funny thing is that she would probably do it if not for my
brother, who does support for a living and doesn't want to learn to fix
Macs...smh

~~~
ptaipale
Windows 7 is going to be absolutely fine. If it's what she's used to, and you
have the license and media, just go ahead.

And something like TeamViewer does the remote support nicely.

I'm all for Linux otherwise, but in this use case I'd let old people use
whatever keeps them going.

~~~
busterarm
Yeah, it's just an insecure mess.

She always makes a mess of Windows machines. If her first instinct weren't
always to call my older brother for help, I'd have gotten her the Mac ages
ago.

~~~
ptaipale
Well, perhaps it would be good to give her a non-admin account to Windows? The
same approach you'd do with a Mac, but leaving her with a familiar UI.

~~~
busterarm
Privilege escalation, even with UAC at its strictest, is trivial on Windows
with the malware that's floating around these days.

I worked full time for 5 of the last 6 years on Windows malware research.
Windows is a swiss-cheese joke of an operating system that won't progress
because of a(n at this point pathological) need for 20 years of backwards
compatibility. Microsoft: make use of that XP mode VM and extend that trend
forwards, you fools.

~~~
ptaipale
Perhaps so, but at least it would keep _some_ of the malware out.

Another option would be to put her regular use to a VM that you control
(remotely) and can restore to a clean state at any time...

~~~
mod
I'd like to see some kind of way to lock the system for older folks. I'm tired
of troubleshooting my dad's computer. He doesn't even do so much as adding
bookmarks, his machine exclusively browses the web.

I'd like to get everything he needs installed and lock out modifications.
Needs cookies obviously, but not much else.

Somehow he manages to have video player issues in every single browser that I
can't figure out. He has to watch youtube in chrome, live streams in firefox,
etc. It's really dumb. Buying him a chromecast improved it some, though, by
avoiding it.

~~~
ptaipale
Such limitations are of course possible. Perhaps you should look up what you
can achieve by running secpol.msc.

(Myself, I find that model complex and unintuitive, being used to the Unix
way, but everything has its learning curve.)

------
somerandomone
I originally discovered this issue a month ago when debugging my friend's
Lenovo laptop. Neither chrome nor IE can render battle.net correctly because
the HTML injection is not properly escaped. Since the problem persists after a
fresh recovery, I guess it's from some pre-installed software. I almost
reported it to FBI.

~~~
sitkack
Shouldn't Lenovo be guilty of hacking and illegal wiretaps?

~~~
lern_too_spel
To be guilty of wire fraud, Lenovo must have intent to defraud the user out of
money. It will be tricky to prosecute.

~~~
bo1024
Placing their ads on a site where the user believes they are something else
(e.g. Google search ads) has to qualify.

------
jedanbik
Not only did I have to remove the certificate from my root authority in the
control panel, I also had to remove it from my list of certificates in
Firefox. This was after uninstalling Superfish. Once I did all of these
things, and cleared my history and cache and all that, the website that folks
have been linking said that it didn't detect Superfish (sorry, I'm typing this
from a phone).

So my explanation wasn't very technical, but I feel as though the part of the
process where you also remove the certificate from Firefox had been left out,
and I wanted to share it in case it helps out another person.

This news took me by surprise, as I just received a brand new Lenovo Yoga 2
for work last week, and it had this vulnerability.

~~~
Luyt
_the website that folks have been linking said that it didn't detect
Superfish (sorry, I'm typing this from a phone)_

The website you're referring to, is
[https://canibesuperphished.com/](https://canibesuperphished.com/)

~~~
arthurfm
Another useful website is:
[https://filippo.io/Badfish/](https://filippo.io/Badfish/)

~~~
jedanbik
This is the one I was thinking about and implicitly referring to. Thanks for
posting.

------
tveita
This is a PDF attached to this issue, requesting blacklisting of the Superfish
certificate:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1134506](https://bugzilla.mozilla.org/show_bug.cgi?id=1134506)

~~~
gluxon
From what I understand of Superfish, Mozilla (and other browser vendors) can't
just blacklist the certificate. That would make all HTTPS connections error
out. A message notifying users of the issue is all they can do.

~~~
beagle3
They definitely can blacklist the certificate.

They have the choice of having HTTPS effectively useless (by leaving the
certificate there), or making HTTPS not work (by removing it, thus prompting
action from the user to fix it -- perhaps by calling their tech savvy nephew).

Browser vendors should (and usually do) err on the side of security.

~~~
Xylakant
Or the users just switch to a browser that works. IE or Chrome :(

~~~
beagle3
Most Firefox users switched away from those (or didn't switch to them) because
it works better for them - including security wise. I suspect that won't be
their first course of action.

------
guelo
Shouldn't Lenovo be issuing a recall and pulling all the inventory in their
distribution channel? In other words, Best Buy shouldn't be selling these
things!

~~~
nandhp
I believe Lenovo's official statement previously said "We have thoroughly
investigated this technology and do not find any evidence to substantiate
security concerns." However, it now has a link to LEN-2015-010, a high-severity
security vulnerability.

[http://news.lenovo.com/article_display.cfm?article_id=1929](http://news.lenovo.com/article_display.cfm?article_id=1929)
[https://news.ycombinator.com/item?id=9074676](https://news.ycombinator.com/item?id=9074676)
[http://support.lenovo.com/us/en/product_security/superfish](http://support.lenovo.com/us/en/product_security/superfish)

~~~
orblivion
They didn't even close all their parentheses.

------
gojomo
Bullet point 4 is what I'd been wondering about:

 _• The Superfish proxy accepts its own certificate, so now that the private
key has been leaked, an attacker can mimic an arbitrary site in Chrome and IE_

I thought there might be a chance that despite all the other idiocy here, they
might have refused external certificates from their own CA, mitigating the
risks somewhat. But no such luck for Lenovo customers!

~~~
TazeTSchnitzel
The Superfish proxy accepts _any_ certificate. If you're being MITMed (before
Superfish MITMs you), Superfish will _help_ them by replacing their
certificate with Superfish's.

~~~
gojomo
I don't believe that's true, but if so – for example if it replaces
self-signed certs, or certs from any untrusted CA, with its own (force-trusted)
cert – then that would be worthy of another scary explicit bullet point.

(It might just accept all CAs locally-configured, and it's accepting its own
because they didn't special-case a rejection.)

~~~
TazeTSchnitzel
It is true. I can't remember where I read it, but I remember seeing it either
here on HN or on Twitter.

~~~
takluyver
Komodia's own info says that it will generate an invalid certificate if the
real certificate was invalid or untrusted "so it will not cause a security
problem". They may be lying, but that page is fairly open about the way it
works:

[http://www.komodia.com/wiki/index.php?title=SSL_Digestor#Cer...](http://www.komodia.com/wiki/index.php?title=SSL_Digestor#Cert_creation)

~~~
patcheudor
I wouldn't go as far as say lying, they just failed to consider the SAN.
Unfortunately they pulled the doc, possibly due to what they claim to be a
DDOS but it's still in Google cache:

[http://webcache.googleusercontent.com/search?q=cache:XUbVSX8...](http://webcache.googleusercontent.com/search?q=cache:XUbVSX81n_YJ:www.komodia.com/wiki/index.php%3Ftitle%3DSSL_Digestor+&cd=1&hl=en&ct=clnk&gl=us)

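The name-matching rule userbinator refers to (SAN identifiers take precedence, and the subject CN is consulted only when the certificate carries no SAN dNSName, per RFC 2818 and RFC 6125) and patcheudor's point about the SAN, as an added Python example that is not from the thread or from Komodia/Superfish. It models a certificate as a dict in the shape returned by `ssl.getpeercert()` (constructed input) rather than parsing real X.509, so it runs offline with the standard library only.

```python
"""Browser-style hostname verification: SAN first, CN only as a legacy fallback.

Added example; the certificate dicts below are constructed, not captured
from a Lenovo machine.
"""
from __future__ import annotations


def _match_dns(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A single '*' is accepted only as the entire left-most label, it must
    not match across a dot, and it is refused for two-label names.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (ok, reason) for a cert dict shaped like ssl.getpeercert().

    If any SAN dNSName entries exist, they are the only identifiers checked
    and the commonName is ignored entirely; the CN is used only when the
    certificate has no SAN dNSName at all.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        for san in sans:
            if _match_dns(san, hostname):
                return True, f"matched subjectAltName {san!r}"
        return False, "hostname not in subjectAltName (CN ignored: SAN present)"
    cn = cert.get("commonName")
    if cn and _match_dns(cn, hostname):
        return True, "matched commonName (no SAN present)"
    return False, "no SAN and commonName does not match"


# Constructed inputs. The second cert carries a deliberately invalid CN ('_'
# is not a valid hostname character) but a copied SAN, so a correct verifier
# never even looks at the CN; only the third, SAN-less cert is rejected.
GENUINE = {"commonName": "www.example.com",
           "subjectAltName": (("DNS", "www.example.com"),)}
MARKED_CN_WITH_SAN = {"commonName": "verify_fail.www.example.com",
                      "subjectAltName": (("DNS", "www.example.com"),)}
MARKED_CN_NO_SAN = {"commonName": "verify_fail.www.example.com"}

if __name__ == "__main__":
    for name, cert in [("genuine", GENUINE),
                       ("marked CN + SAN", MARKED_CN_WITH_SAN),
                       ("marked CN, no SAN", MARKED_CN_NO_SAN)]:
        print(f"{name:20} -> {verify_hostname(cert, 'www.example.com')}")
```

The middle case is why a marker in the CN alone never reaches the browser's hostname check: a verifier that wants to fail a certificate must make every identifier it carries fail, not just the CN.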
~~~
gojomo
'SAN'?

~~~
mryan
[http://en.wikipedia.org/wiki/SubjectAltName](http://en.wikipedia.org/wiki/SubjectAltName)

------
edohyiez
I find it a bit weird that it can MITM
[https://www.google.com/](https://www.google.com/) on Chrome. I thought Chrome
did CA-pinning for Google-domains.

~~~
semenko
Chrome does do pinning, but ignores pins when the cert parent is a privately
installed cert (because this is a "feature" used by many enterprises).

"""

Chrome does not perform pin validation when the certificate chain chains up to
a private trust anchor.

A key result of this policy is that private trust anchors can be used to proxy
(or MITM) connections, even to pinned sites.

'Data loss prevention' appliances, firewalls, content filters, and malware can
use this feature to defeat the protections of key pinning.

"""

See: [http://www.chromium.org/Home/chromium-security/security-faq#...](http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-)

~~~
sitkack
TIL Google is ok if you get backdoored by your boss.

~~~
vpeters25
The company I work for has a strict policy of no direct outbound connections
from the corporate network. This is to prevent (or just make harder) for
compromised machines from "phoning home".

This has the unfortunate side effect that all internet traffic must go through
a proxy, they have to MiTM SSL traffic.

I just use my smartphone's data for any personal internet browsing.

~~~
skuhn
Well you don't have to MITM SSL in order to proxy it, it can be done in other
ways. They probably choose to do so in order to see the details of the
request.

~~~
vpeters25
Correct, the firewall intercepts all traffic looking for potential compromises
and blocks it. Given all these corporations getting hacked, such measures seem
necessary.

~~~
lmm
Conclusion does not follow from premise. Once an attacker's code is running on
machines that have access to sensitive data, you've already lost - there's no
way to prevent it smuggling the data out in legitimate-looking requests. The
right way is to stop the bad stuff getting in in the first place.

~~~
ent
Not all attacks are perfect. It's true that an attacker can potentially do
anything once in control of machines with sensitive data, but it doesn't mean
that all hope is lost. If an intrusion detection system catches some x% of
potential threats, it can easily be worth it.

------
Buge
This isn't right though.

I got a Lenovo Y50 a couple weeks ago, and when I downloaded Firefox and
looked at the certificate, it was Superfish.

I've since uninstalled Superfish and deleted the keys (I exported them first
though). I know I probably should reinstall Windows but I'm too lazy.

------
iLoch
I will never again consider buying a Lenovo neither for myself, nor any
company I am with. I'll also make sure to recommend another brand to anyone
who asks my opinion. What an absurdly stupid business decision.

------
masswerk
Shouldn't the content providers strike back, in order to stop such things as a
business? E.g., a class action against those vendors who pre-install said
software. Determine the average share of traffic of these machines, use
average Adsense-earnings to determine the damage ... Globally, this might add
up to something that would be suitable to take even a major corporation out of
business ...

------
ZanyProgrammer
It would be interesting to try any of the Lenovos at a Microsoft Store (say at
San Francisco Center) and see if they also contain this malware.

------
bamura
Lenovo was too smart in laying down the removal instructions under their
security advisories today!!

------
thefreeman
Any idea why it doesn't affect Firefox?

~~~
syntheticcdo
Firefox has its own certificate store. Both IE and Chrome utilize the Windows
store.

~~~
rockdoe
But as pointed out in other comments, it looks like SuperFish does install the
extra cert in Firefox's database too, but only after a restart.

------
billyhoffman
Great research and I like the level of detail

But why take actual photographs of the computer screen instead of just using
native screen capture? The lights and reflections are super distracting. A
minor nit, yes but still...

------
cbd1984
This article crashed my browser.

------
cbd1984
PDF

~~~
cbd1984
Article is a PDF

------
cbd1984
PDF

Didn't Hacker News used to mark PDFs?

~~~
robin_reala
It marks PDFs if the URL ends in .pdf.

------
cbd1984
Flagged for being unmarked PDF.

