
Windows SSL Interception Gone Wild - mkjones
https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339
======
jgwest
I think it's interesting that this BADWARE install was found more or less
accidentally... apparently by some tech dude noticing that his bank login
presented a Silverfish-issued CA cert.

Shouldn't the possibility have been foreseen and addressed beforehand?

Perhaps by...

(1) Anti-virus / anti-malware makers. Does this software not notify the user
when strange CA certs are put into a system's root certificate storage? I
understand that certain businesses do this for traffic monitoring... so it
might be legit... but still, no user notification?

(2) Microsoft. Do their license terms really allow OEMs to install MiTM
proxies and screw around with the root certs? Microsoft could do a good thing
here by disallowing this sort of malfeasance... or is there some problem I'm
not seeing with such an action?

If this were done in, say, OS X (unrealistic, of course), it would be found
out and the whole tech world would know about it in a jiffy. John Siracusa
would be howling at the Internet moon within a couple of hours...

~~~
GauntletWizard
(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM
attacks, in that it's distributed with pinned certs for several Google
properties, and phones home with reports of errors it receives. This is how
the DigiNotar leak[1] was discovered.

Perhaps because it was persistent and on the TCP stack level the phonehomes
never succeeded? The retry logic should be robust enough to try to deliver the
fraud list anyway, even if it will only accept that it has been delivered
after a secured connection is restored.

[1]
[http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates](http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulent_certificates)
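The two mechanisms described in the comment above, as an added example (not code from the thread, from Chrome or from Facebook): a pin check on the issuer of the certificate a server actually presented, which would flag the bank login page that showed a Superfish-issued certificate in the top comment, and a report queue that keeps the failure until delivery is acknowledged, so an interceptor that blocks the first phone-home does not lose it. The host name, the pinned issuer, and the `getpeercert()`-shaped record are constructed sample values.

```python
from typing import Dict, List, Optional, Set

# Expected issuer CNs for pinned hosts. Constructed sample values, not real pins.
PINNED_ISSUERS: Dict[str, Set[str]] = {"login.example-bank.test": {"Example Bank Issuing CA"}}

def issuer_cn(peercert: dict) -> str:
    """Issuer commonName from the nested-tuple DN that ssl getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""

def check_pin(host: str, peercert: dict) -> Optional[dict]:
    """Report a served leaf whose issuer is not the pinned one (what a user saw on
    a bank login page); None when it matches or the host has no pin."""
    expected = PINNED_ISSUERS.get(host)
    if not expected:
        return None
    observed = issuer_cn(peercert)
    if observed in expected:
        return None
    return {"host": host, "observed_issuer": observed,
            "expected_issuers": sorted(expected),
            "serial": peercert.get("serialNumber", "")}

class ReportQueue:
    """Hold failure reports until acknowledged; a swallowed first attempt must not lose them."""
    def __init__(self) -> None:
        self.pending: List[dict] = []
    def add(self, report: dict) -> None:
        self.pending.append(report)
    def flush(self, send) -> int:
        # send(report) returns True only when acknowledged over a connection
        # that itself passed check_pin; anything else stays queued for retry.
        remaining, delivered = [], 0
        for report in self.pending:
            if send(report):
                delivered += 1
            else:
                remaining.append(report)
        self.pending = remaining
        return delivered

# Constructed getpeercert()-style record: a leaf re-signed by an interception root.
INTERCEPTED_CERT = {
    "issuer": ((("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
    "serialNumber": "0123ABCD",
}
```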

~~~
pilif
Chrome does not warn if the non-official root certificate is custom installed
on the local machine. It needs to do this because of the various corporate web
filters and anti virus tools that MITM connections too.

Maybe this is a practice that needs to stop. Malware scanners can scan on the
local machine after the browser has decrypted the communication and web
filtering, I think, is nothing but a sign of mistrust against the users.

~~~
AnthonyMouse
> Maybe this is a practice that needs to stop. Malware scanners can scan on
> the local machine after the browser has decrypted the communication and web
> filtering, I think, is nothing but a sign of mistrust against the users.

It's really kind of a giant security vulnerability. If an attacker can
compromise the machine doing the MITM on all the _encrypted_ connections then
they get every password and credit card number for every user in your company
for every website.

~~~
harryjo
Sure, but once you allow _local administrator access_ to your machine, the
"guest" can modify your data and software however it wants, so you've already
lost.

------
ademarre
Is it just me, or is the Superfish fiasco being covered disproportionately
against the other big security story this week, the NSA/GCHQ SIM heist?

[https://news.ycombinator.com/item?id=9076351](https://news.ycombinator.com/item?id=9076351)

~~~
dredmorbius
Frankly, it's hard to keep up with all the security fail news these days
(including surveillance).

If it wasn't for the SIM story, I'd have missed the Five Eyes legal restraints
dodge:

[https://plus.google.com/104092656004159577193/posts/2ncBEdPVrHX](https://plus.google.com/104092656004159577193/posts/2ncBEdPVrHX)

Via:
[https://news.ycombinator.com/item?id=9077061](https://news.ycombinator.com/item?id=9077061)

~~~
maxerickson
It wasn't exactly news by the time Snowden did his dance:

[http://en.wikipedia.org/wiki/ECHELON](http://en.wikipedia.org/wiki/ECHELON)

~~~
dredmorbius
Knowing of UKUSA and Five Eyes, knowing that they share _intelligence on
parties OUTSIDE the member states_, and knowing that _they are providing one
another with intelligence on each other's citizens and residents_ are
different things.

Your Wikipedia article link doesn't directly address this. It points to
several other documents though:

A 2000 ZDNet article by Duncan Campbell:

[http://www.zdnet.com/article/echelon-world-under-watch-an-introduction/](http://www.zdnet.com/article/echelon-world-under-watch-an-introduction/)

"Under a secret agreement signed in 1947, called UKUSA, the English-speaking
countries agreed to share responsibility for overseeing surveillance in
different parts of the world."

That doesn't tell much. But this does:

"On 6 September 1960, two NSA defectors held a press conference and revealed
the worldwide scope of NSA's activities:"

"'We know from working at NSA [that] the United States reads the secret
communications of more than forty nations, including its own allies... Both
enciphered and plain text communications are monitored from almost every
nation in the world, including the nations on whose soil the intercept bases
are located.'"

It also discusses the Church Commission hearings (1975).

I'm not sure how I'd classify this, but I see _general_ awareness as being
vastly greater. And as someone who's been paying attention to this story for a
long time (15+ years), it's news to me.

~~~
maxerickson
This article linked from Wikipedia has a Canadian stating that the Brits asked
them to monitor British citizens and US lawmakers worrying that it was being
used to spy on US citizens:

[http://www.nytimes.com/library/tech/99/05/cyber/articles/27network.html](http://www.nytimes.com/library/tech/99/05/cyber/articles/27network.html)

I guess widespread speculation that avoiding domestic surveillance laws is one
of the things done with the system isn't the same as knowing that it is going
on, but my point was that the widespread speculation had preceded Snowden by
quite some time.

~~~
dredmorbius
Fair point. And I do appreciate the additional information and links.

From your NY Times article (published May 27, 1999):

_Until last Sunday, no government or intelligence agency from the member
states had openly admitted to the existence of the UKUSA Agreement or
Echelon._

The mutual surveillance / legal evasion possibility appears to be _suspected_
but not _demonstrated_. Again as with much else, what Snowden's done is to
_specifically document_ such activity. Which is of and by itself a material
distinction.

_European Parliament officials have also expressed concern about the use of
Echelon to gather economic intelligence for participating nations._

And:

_While few dispute the necessity of a system like Echelon to apprehend
foreign spies, drug traffickers and terrorists, many are concerned that the
system COULD be abused to collect economic and political information._

(All-caps emphasis added -- minimal HN formatting options have their
drawbacks.)

So, I'll maintain that the _documentation_ of such abuse is a New Thing.

------
logn
Browser plugins can read SSL pages no problem. So why did Superfish not just
present itself like a browser plugin? Then it's just normal bloatware and
probably pulls in the same profit. Some people might uninstall it is the only
reason I can think why they didn't go this route. They could have pre-bundled
Chrome and FF to avoid having users ok the plugin installation.

~~~
practicalpants
> So why did Superfish not just present itself like a browser plugin

They did this for years, actually. They paid add-on developers to bundle their
shopping app with the developer's app. I remember this going on ~2010/2011 at
least.

People were not happy about it to say the least.

~~~
chinathrow
And VCs gave them money for this shit. What a fucked up investor world this
is.

[https://www.crunchbase.com/organization/superfish](https://www.crunchbase.com/organization/superfish)

~~~
TeMPOraL
Here they are:

[https://www.crunchbase.com/organization/superfish/investors](https://www.crunchbase.com/organization/superfish/investors)

I'd love to see people put money where their mouth is and refuse to be funded
by those investors... but I'm pretty sure it's not going to happen.

------
nissehulth
"We've observed more than a dozen other software applications using the
Komodia library" is the scary part.

~~~
whytry
How about MS's continued use of winsock?

~~~
Intermernet
Please elaborate? What about it? (Seriously, I'd like to know what the current
perceived issues with winsock are, I'm a bit out of date with Windows
security)

------
reedloden
Ah, so this is why Facebook tries to load Flash on almost every page... Allows
them to gather data like this. Always wondered why Flash was "needed".

(another reason to put Flash behind click-to-play and/or push for HTML5 video)

~~~
timothya
Side note: click-to-play is a usability feature, not a security feature. It's
still possible for Flash code to run before the user "clicks to play".

~~~
mbrubeck
Click-to-play in Firefox at least is a security feature. It's enabled
automatically for known-insecure plugins like old versions of Java and Flash.
You can enable it manually by setting a plugin to "Ask to activate" in the
Firefox add-on manager:
[https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/](https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/)

Click-to-play prevents Firefox from running any plugin code without explicit
user action. I am 99% certain this is also the case for Chromium-based
browsers. Source: I am a Firefox developer and I have worked on the
click-to-play code, e.g. [http://bugzil.la/899347](http://bugzil.la/899347)

~~~
anon1385
> Click-to-play prevents Firefox from running any plugin code without explicit
> user action. I am 99% certain this is also the case for Chromium-based
> browsers.

Wrong:
[https://code.google.com/p/chromium/issues/detail?id=174963](https://code.google.com/p/chromium/issues/detail?id=174963)

------
wslh
But this problem is not only about CA certs. If the application sits in the
same computer it can intercept the SSL libs used in the application (wininet
for IE, and the Firefox and Chrome used libs) to watch and modify SSL
connections.

This can be done without any proxy or certificate installation.

------
robbintt
I recently bought one of these and didn't even boot it into windows before
ripping out the drive and tossing in a linux installation on my SSD. Never
been more grateful to be technologically competent. Also, I am wiping that
drive.

~~~
SixSigma
You're the Chuck Norris of HN

~~~
romanovcode
Too edgy for me :)

~~~
SixSigma
Come up with your own comments

------
robbintt
Holy shit, I bought a lenovo Z50-70, ripped out my drive, and put in a linux
drive. I've never been happier to have some semblance of control over these
things.

~~~
romanovcode
You do realize.. ..that you can just re-format your drive as it is.

~~~
mschuster91
One week ago the HDD firmware manipulation by NSA/GCHQ was revealed. So, if
the snoops intercept the parcel with the laptop, it's better when you go into
a computer parts store and buy a random HDD...

------
aosmith
And this is why I run linux...

~~~
scrollaway
The superfish issue is why you run linux? You could've given the world a bit
of a heads up on it, don't you think?

~~~
aosmith
No, if you wipe the hd and reinstall it's not an issue. I run linux because I
like it. Stuff like this doesn't happen with mainstream distros.

~~~
guelo
I know at least Mint does DNS and browser plugin ad injection.

~~~
swhipple
Is this documented somewhere? I tried searching for a couple combinations of
"linux mint dns ad injection", but couldn't find anything relevant.

~~~
guelo
I was referring to their use of OpenDNS
[http://forums.linuxmint.com/viewtopic.php?f=90&t=128529](http://forums.linuxmint.com/viewtopic.php?f=90&t=128529)

And hijacking Google search on Firefox,
[http://blog.linuxmint.com/?p=142](http://blog.linuxmint.com/?p=142)

~~~
vertex-four
OpenDNS hasn't done ad pages for non-existent domains in _ages_. As for
"hijacking" Google search, that's simply setting a different default - you can
change it and nothing tries to stop you, and OS upgrades won't change it back
(I believe).

------
larvaetron
> Superfish uses a third party library from a company named Komodia to modify
> the Windows networking stack

This is the second article I've read that states this - Superfish does no such
thing.

~~~
maxerickson
My (not very studied) understanding is that it used SSL Digestor:

[https://web.archive.org/web/20150220003144/http://www.komodia.com/products/komodias-ssl-decoderdigestor](https://web.archive.org/web/20150220003144/http://www.komodia.com/products/komodias-ssl-decoderdigestor)

installed as a LSP:

[http://en.wikipedia.org/wiki/Layered_Service_Provider](http://en.wikipedia.org/wiki/Layered_Service_Provider)

"modify the windows networking stack" is not an absurd description of that.

------
ams6110
_we see several reasons to be concerned about this practice in the case of
Superfish and others. Chief among those is privacy—the Superfish software can
see all of the computer user's activity, including banking, email and
Facebook traffic._

Never mind that Facebook sees all the computer user's Facebook traffic, and
cross-indexes it with every other bit of data gleaned from their vast graph
and uses it for profit.

~~~
zevyoura
Yes, and they do all that with the user's consent.

~~~
dredmorbius
Um, really? How informed is that consent?

What of sites that unilaterally change rules retroactively? Or fail to provide
reasonable alternatives?

Facebook does all of the above.

To an extent that I don't trust it, and don't use it.

But there are plenty of other services which wave the "but you consented!"
flag. Google comes to mind, and I've had my set of issues with them as well.

~~~
ptaipale
Umm, if you're using Facebook, it should be fairly obvious that you are giving
your information to Facebook. Yes, I call that an informed consent.

~~~
Ded7xSEoPKYNsDd
And when you're browsing a web site with a Facebook Like button (that you
don't click on), you're giving information about your browsing habits to
Facebook and it's totally non-obvious.

~~~
ptaipale
Sorry, I don't understand. What does it mean that I am browsing a web site
with a Facebook Like button that I don't click on?

~~~
wampus
If the button image is hosted on Facebook's servers (and it commonly is), they
have a log of your request for it, including the page it was on (from the
"Referer" header). This request is sent when you load the page, without the
need to click on the button. Every site you visit that includes a Facebook
resource gives them the ability to collect data about you and your habits.
These are often part of a site's template, included without regard to the page
it might appear on. You'd be surprised what a Referer URL can reveal about
you.

~~~
TazeTSchnitzel
It's not just an image, either. It's typically a widget that may even show you
if your friends also liked the page.

~~~
ptaipale
And, in fact, one should not trust that even if a page _says_ my friends liked
the page, they actually did.

------
nugget
Just to be clear, Facebook and Google hate any software that allows users to
modify content within their walled gardens (whether that's an adblock, ad
injector, or other). These companies want a totally controllable user
experience in order to maximize their own user metrics and monetization.

My fear is that these companies will use this Superfish debacle to attack and
restrict the ability for users to download legitimate software which leverages
these technologies. As users and developers, we want to retain this ability.

Adware sucks, and there are dozens of anti-virus companies who should be all
over anyone who tries to pull this crap. The problem here is not with MITM,
SSL packet inspection or modification. The problem here is that Lenovo allowed
themselves to be turned into a distribution channel for a poorly implemented,
spammy piece of adware for a few extra pennies.

~~~
mentat
I'm not sure why a normal user would ever need to add CAs to their root store.
Can you clarify?

~~~
RDeckard
Realizing an adblock mechanism, for one. (Similar to InterMute in late 90s,
and admucher.com now.)

~~~
duskwuff
That's a really intrusive, dangerous way of implementing ad blocking, though.
Much better to have that functionality live in the browser itself (or an
extension).

