
Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware - jacquesm
http://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-style-https-breaking-adware/
======
pdkl95
Lets say I ran a well-known business that sold a some sort of physical
product.

It could be a toy, a common household tool or appliance, or anything else that
is small and inexpensive. It more-or-less works as intended, but it also
included a small robot. The packaging and marketing would be designed so you
weren't supposed to notice the robot, but the packaging included the necessary
fine print and an explanation that this robot was just there to make sure you
got the _best experience_ possible for anybody that spotted this "extra
feature".

Unrelated to whatever it was that you bought, at night the robot would install
a device on your phone that re-routed all your phone calls through my office
(a MITM attack). The phone still works ok, except now calls to your favorite
pizza deliver restaurant seem seem to be re-routed to the competitor across
town. Some time later a neighbor complains that he can sometimes when he
checks his voicemail, he gets your phone conversations instead.

After finishing with the phone, the robot does the same thing to your cable
TV.

Some days, the robot would go through your (physical) mail and place stickers
with new advertisements into your magazines. Occasionally one of those
stickers would end up on your electric bill, obscuring important information.
The power company has a similar logo to one of the sticker-ads, so the robot
probably confused the two logos. Even if the robot didn't have any stickers to
place, it would still open your mail and leave it (opened) on the ground near
your mailbox for anybody to see.

If I rand a business that did this - possibly as my main (or only) product -
_how long would I be able to run this scam before someone threw me jail?_

\--

Intentionally breaking TLS with a MITM attack goes _way_ beyond the usual
scam/trojan. This isn't even the usual negligence that we see in the
"security" of a lot of products. Creating a certificate that lets you MITM any
domain is _very obviously_ a willful act.

~~~
Fundlab
Why hasnt companies like Download.com and CNET been dragged to court yet beats
me. People have had to pay hard cash just to have their systems purged many
have lost priced documents and information while attempting resets because of
this.

Is this some sort of favorable treat?

~~~
anexprogrammer
Or at a more simplistic level, why haven't Google, Firefox et al simply
blocked download.com as serving malware? Even something that simple happening
far more frequently, might mean sites carrying ads gained some ethics. Maybe
some of the ad networks would then be held responsible for the crap they
regularly carry.

...and sites whine at the unfairness of the growing number of adblocking
users. Right.

~~~
makecheck
If you install uBlock Origin at least, it _will_ flag the entire site by
default.

It is very easy to add new things to the list too (e.g. right-click an
offensive pop-up and "block element").

I even told it to block my ISP's ridiculous typo-redirector.

~~~
squeaky-clean
The sort of person who installs uBlock Origin is also generally the kind of
person that knows to avoid these websites. However, people like my mother
don't know how to install uBlock, and don't know to avoid download.com (I
mean, with a domain name like that, it has to be legit!).

This is what uBlock shows me when visiting a page on download.com [0]. It also
changes the URL to "chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/...".
If my mother saw this, I'd get a phone call right away that some virus was
stopping her from downloading something. It looks scary, and the most visible
information is the most obtuse, while the most useful information is grayed
out on the page.

If the most prominent text was something like "We've blocked this page,
because it matches our list of 'Badware risks'." I'd feel better about
installing uBlock for a casual user. As it is now, I only install Adblock Plus
because it hides malicious ads and fake download buttons without also
presenting scary things to the user.

[0] [http://i.imgur.com/DUdRCSc.png](http://i.imgur.com/DUdRCSc.png)

~~~
iopq
You're right, that's why you should install uBlock Origin for your grandmother

~~~
abiox
and everyone else's grandmother, i suppose

~~~
iopq
One grandmother at a time, we can cure malware

------
michaelmrose
If only Microsoft had run with the idea of package management and trusted
repos that has existed in open source for decades without restrictions that
inspire people NOT to use it. Example to release a debian repo to share your
software with your users you have the option to handle hosting/payment if any
yourself and keep 100% of the revenue not 70%.

Their position in the market is such that had they started pushing this around
the time apt-get started to be a thing they would have had near 100% adoption
and users would be used to installing everything that way and would be
naturally suspicious of manual installation.

Bad actors could end up on a blacklist that users would opt to enable. You
would even have multiple black list sources from people like antivirus vendors
etc.

~~~
CJefferson
Do you really want to live in that world? The world where I have to get past
Google's, Apple's (iOS and Mac app store), Debian's and Steam's arbitrary
rules about what is and isn't an acceptable app? Where a company/project's
current head gets to decide what it is, and isn't, acceptable to install?

One of the reasons Windows flourished was the openness of the platform.

~~~
libeclipse
Linux is a much more open platform than windows. It's only downside is that
most people think it's difficult to use.

I cannot think of any reasons why you'd think windows is open, especially when
comparing it to Linux. You were talking about installing, yet fail to realise
that pkg managers aren't the only way. I mean most Linux users regularly
compile binaries directly from the source. How is that not open? Perhaps you'd
like to elaborate.

~~~
cmdkeen
Because part of being open is being accessible.

"It was on display at the bottom of a locked filing cabinet stuck in a disused
lavatory with a sign on the door saying beware of the leopard."

Linux is difficult to use for the kind of person who is downloading software
from Download.com - "compiling binaries directly from the source" might as
well be Klingon to them. Frankly as a geek I'm much happier with my Mac and
Windows machine than I am with Linux. Even now things like the Linux Standard
Base not being utterly standard demonstrate that Linux is still aiming for a
different market.

There is a gulf between "my Mom is running Debian, she thinks it is Windows,
hehehe" and "able to manage a Linux box even remotely competently".

~~~
executesorder66
Downloading applications via a package manager is basically the same as
downloading applications on your phone via an "App Store" application.
(Especially if you are using a package manager with a GUI)

Millions of people use app stores everyday. And I'd say a huge percentage of
those people are the ones who would also download a program on their PC from
download.com

Which sounds more accessible:

    
    
      1) click package-manger program
      2) type the name of the program you want to install
      3) click install
    
      OR
    
      1) open web browser
      2) go to http://yahoo.com
      3) type google
      4) click the first link
      5) google "download program_i_want"
      6) click on link leading to "www.download.com/malware/viruses/tracking/program_i_want"
      7) stare at the dozen different DOWNLOAD! buttons, and wonder which one
      8) click the biggest flashiest one
      9) wait for it to finish downloading
        (if it doesn't automatically start and installer)
        a)open File explorer
        b)Go to Downloads folder
        c)wade through the hundreds of other downloads until you find kd457sfjgs_download_app_i_want_setup_INSTALLER.exe.EXE
      10)Once the installer is started click the NEXT button a dozen times, inadvertently installing extra malware each time

~~~
krapp
You're being a bit disingenuous in making the latter seem more complicated
than it actually is, though. It's only slightly more tedious than a repo, but
it's no less accessible.

~~~
anexprogrammer
No, I don't think he is. Not even a bit. Sure, for us techies there's little
difference. For your typical non tech user, each of those 10 steps can cause
issues. _This does not mean they are a moron, just they don 't grok IT._

So many will download the file again each time they run it, or spam click next
20x to install, reading nothing. Or just click the topmost, or largest
download GIF - which I pretty much guarantee is not the one they should use.
Or install loads over the course of the PC's life, but uninstall nothing,
leading to buying iPad or new PC basically because they have 4 printer drivers
(pointlessly huge things these days), software for their last 3 phones, 234
screensaver apps the child thought was fun, several anti virus (none from a
truly legit source).

For the truly non-techies nothing has changed since the days of a web full of
crap adsense 5 pagers. Click a link, click another. Main thing that's changed
in 15 years? The link probably isn't blue, or underlined.

The level of blind trust shown towards the web, and downloads is terrifying.
"It's on the internet, it must be true."

~~~
cptskippy
> The level of blind

Is just as high if not higher for a nontechnical user to use Linux. Sure they
can look at the source code, but that doesn't mean they'll be able to make
sense of it.

What if they try to solve a problem themselves? Googling it will land them on
any number of blogs or forums where people post cryptic instructions or link
to bash scripts that might as well be black box binaries from their
perspective.

~~~
astazangasta
>Is just as high if not higher for a nontechnical user to use Linux. Sure they
can look at the source code, but that doesn't mean they'll be able to make
sense of it.

Except that there is no adware, malware, spyware, or anything else bundled
into a Linux repo. The end user may not know what is up, but Debian (and the
whole community of package managers) is doing a lot more to protect the end
user than CNet, Google or Apple is doing to protect the end user. It is de
rigueur that if I install an app from the app store, it will try to spy on me,
export my contacts, etc. This is far less likely with a Linux repo.

~~~
cptskippy
And when Dell ships a laptop running Debian, they've setup their own repos in
the package manager which is along the same lines as installing a trusted root
cert in Windows by Lenovo.

The trouble is that these systems are not easy to use and end users have to
put their trust somewhere to get a system that is functional for them.

------
mcv
How is this not extremely illegal? People have gone to prison for far less.
How is it possible that a company like Lenovo would get involved with this?

I recently found myself wondering if I should consider CNET a reliable source
of software. I guess this story answers that.

~~~
StavrosK
Protip: If a site wants you to download an installer, or has its own installer
for the software it provides, don't use it.

~~~
Houshalter
Almost all software comes with an installer. Might as well just not download
software over the internet, which makes it impossible to do anything.

~~~
StavrosK
Sorry, I meant a site installer, like those random "download.com installer"
software. Not the installer of the program itself.

Generally, if the installer is branded with the branding of the third-party
you downloaded a program from, stay away.

------
libeclipse
It's amazing watching a normal person install something. Most people I've seen
just spam the next button until the window disappears, until the software and
all its friends are happily installed. I think the first step is to educate
users. Or implement a package manager.

~~~
rmc
We decades down the line. Education users won't work. Regular people just
aren't gonna learn.

It's time for us techies to build better software, to get laws passed that
stop this sort of thing, to get websites like CNET download.com and
manufactors like Lenovo blacklisted.

~~~
testerooooooo
I love it when people tell me they don't want to learn to use a computer
because they don't need to. Then they come to me and ask me to solve their
inability to read instructions... Sometimes I get mad at them... If they want
to use computers they better learn to work with them. Or pay for the
maintenance. It seems they don't wish to do either.

~~~
thirdsun
I can relate. Creating a text document, registering for and installing
Spotify, ordering something from Amazon - those are tasks that target a very
general audience. Yet there's the reluctancy in some people to deal with any
of it since it's computer stuff. On the other hand you're generally expected
to be able to operate a car, or a washing machine. Just imagine that you'd
tell anyone that, "well, sorry, household chores aren't within my area of
expertise" \- that probably won't get your clothes clean.

~~~
rmc
Do you have to read many pages of dense legalise in order wash clothes or
drive a car, like you do with installing Spotify? Users are trained to just
click "Next" until the computer boxes have gone away.

There are schools and licences for driving a car. There is no EULA for washing
clothes.

If we want to train users to not click on "I Agree" to get rid of the legalese
then there should be no legalese for installing Spotify or buying from Amazon.
I can buy in a shop without needing to sign a 10 page document, so why not the
same with Amazon?

We, in tech, have trained users to click on the green buttons to make the
computer boxes go away.

~~~
thirdsun
Regarding the fine print in ecommerce: As a seller of goods in our own store
we are actually required to include boilerplate terms and conditions. We don't
like it, our customers don't read it and if they do they may not understand.
And yet it's quite dangerous to drift away from or simplify the ever growing
legalise language since we risk legal and financial consequences from business
and so-called customer interest groups that found a way to monetize the search
for shops that don't follow the boilerplate terms close enough or miss certain
parts.

------
userbinator
_The bottom line is that you can no longer trust that green lock icon in your
browser’s address bar. And that’s a scary, scary thing._

What's even scarier? Not being able to inspect the traffic your own machine
sends or receives because the powers that be have decided that, due to
Superfish and all this other unwanted MITM'ing software, to "improve
security", certificate stores will be locked down so well that only the
"trusted authorities" (i.e., they) can modify them.

As long as users (and by extension, the software they run) can modify the
certificate store this "problem" will exist, but as this article shows, it's
not hard to add and remove certificates, and thus effectively "choose who you
trust". The alternative, to have no choice in who you trust, is far worse. I
just hope that the security community realises this, but if things continue
moving in the direction they currently are, I'm not so optimistic.

Incidentally, I also use a local MITM proxy, but to _remove_ ads and other
crap.

~~~
TeMPOraL
There's a tradeoff that seems to be missed in security discussions quite often
- the more secure something gets, the less useful it is. At the extreme end, a
perfectly secure system is also perfectly useless.

I personally also dislike the direction where things are going. I get that
maybe most people don't actually need general-purpose computers, they want
glorified web browsers instead. But I'm afraid, given how the market behaves,
that this will mean there won't be _any_ non-locked computers available at
all, or even if, they won't be able to interoperate with their "dumber"
counterparts for general population.

~~~
riprowan
> the more secure something gets, the less useful it is. At the extreme end, a
> perfectly secure system is also perfectly useless.

That's a pretty profound statement. On the one hand it totally rings true, but
on the other, I wonder is there any sort of argumentation or research to back
this up? I would love to be able to reuse.

~~~
mikeash
I'd say it's true at the extreme end but not really true in the middle. For
real-world systems, there are often security improvements which don't impact
usefulness, or even improve it. For an example, imagine something like gmail
that uses plain HTTP. Upgrade it to HTTPS, did it become less useful? If
anything, it became more useful, because you can now use it on public WiFi
networks without worrying about being hijacked. If the backend is also secure
then you can use it to exchange private information you wouldn't transmit in
the open.

The major conflict right now isn't because there's an _inherent_ tradeoff
between security and usefulness, it's because _if your users are idiots_ then
"secure" becomes problematic. For a smart and knowledgeable user, "secure" can
be considered to be roughly synonymous with "do what the user wants, and only
that." With idiot users (most of them), security requires protecting them from
themselves. For example, with knowledgeable users, protection against malware
can be accomplished by signing apps to show who made them and running them in
a sandbox where the user controls what permissions the app has. With idiots,
none of this does any good, because they'll click Accept when Blofeld's Stealy
App requests permission to withdraw money from the user's bank account, if
there's a slick gem-matching game attached. And idiots can't be trusted to
know that they're idiots (because they're idiots) so having an "advanced mode"
doesn't really solve the problem.

So really, the problem is deciding what "security" means. Does it mean your
computer can't be subverted by outsiders? Or does it mean your computer can't
be subverted by _you?_ Increasing the former kind of security tends to improve
usefulness, but increasing the latter kind harms usefulness.

------
nikcub
The solution to this is Certificate Transparency[0], a distributed public log
of certificate timestamps that are submitted by CA's and checked by browsers.

CT has been required for EV certificates in Chrome for a year now[1], and
eventually will be required for all certificates otherwise they will error out
on connection.

A certificate signed by a root cert that is not the original CA will not
validate.

[0] [https://www.certificate-transparency.org/](https://www.certificate-
transparency.org/)

[1] [https://blog.digicert.com/certificate-transparency-
required-...](https://blog.digicert.com/certificate-transparency-required-ev-
certificates-show-green-address-bar-chrome/)

~~~
michaelt
Unfortunately, Chrome's current policy is to disable certificate transparency
and HPKP when a certificate appears to have been manually installed, to
support MITM proxies [1].

Needless to say, this makes HPKP and certificate transparency worthless when
the client has been compromised by adware or viruses.

[1] [https://www.chromium.org/Home/chromium-security/security-
faq...](https://www.chromium.org/Home/chromium-security/security-faq#TOC-How-
does-key-pinning-interact-with-local-proxies-and-filters-)

~~~
kuschku
And then you set a Group Policy to ban Chrome and instead enable a browser
with more reasonable settings for this case, like Firefox.

~~~
magicalist
Firefox accepts local certs over pinned ones by default as well (superfish
affected it too).

I believe there is an about:config setting that can be changed to have it
reject local certificates in the face of a pinned site, but if malware is
putting certificates in Firefox's cert store, they can just as easily flip
that setting as well.

------
AndrewUnmuted
I work for CBS Corporation, which owns CNET/Downloads.com.

I have sent an email to our security team with this story, and will report
back if I hear anything from them.

~~~
acveilleux
It would be hilarious if the response was that it was banned for use by CBS
employees and therefore nothing to worry about.

~~~
AndrewUnmuted
Hilarious for everyone except me - apparently the only person among 35,000 who
gives a heck about network security.

The outcome I expected is the outcome I've witnessed thus far - total and
complete silence.

------
svenfaw
It is not immediately clear but the article was published in February 2015.

~~~
ultra2d
And they posted a nice follow-up a month ago:
[http://www.howtogeek.com/238765/how-to-check-for-
dangerous-r...](http://www.howtogeek.com/238765/how-to-check-for-dangerous-
root-certificates-on-your-windows-pc/)

------
sparky_
I honestly wonder if there should be some sort of signature or approval
process on the OS vendor's part before any cert can serve as a root.

I'm not sure what that would look like and I do realize there are some 'walled
garden' implications here. But honestly, I don't get how or why a userland
application has any right to touch the OS' trusted CA roots. Perhaps some
model similar to driver/kext signing would make sense - self signed and/or
untrusted could be loaded when the system is booted with some development mode
flag, but on a general user system, the only path to get your cert trusted as
a root COULD be via update/push from the OS vendor.

~~~
taspeotis
A lot of big enterprises run their own, internal, CA infrastructure.

[https://technet.microsoft.com/en-
us/windowsserver/dd448615.a...](https://technet.microsoft.com/en-
us/windowsserver/dd448615.aspx)

In these instances, the fact that you can add a root certificate (your own) is
a feature that facilitates security.

~~~
chinathrow
"feature that facilitates security."

That is debatable. The device/system then doing the MITM is a prime target for
attacking/exfiltration of data since everything is de- and re-encrypted there.
A huge single point of failure in my opinion.

~~~
taspeotis
There are plenty of legitimate uses for your own PKI that don't involve
MITM'ing your users.

[https://technet.microsoft.com/en-
us/library/a8f53a9b-f3f6-4b...](https://technet.microsoft.com/en-
us/library/a8f53a9b-f3f6-4b13-8253-dbf183a5aa62.aspx)

> Organizations can use AD CS to enhance security by binding the identity of a
> person, device, or service to a corresponding private key. AD CS gives
> organizations a cost-effective, efficient, and secure way to manage the
> distribution and use of certificates.

> Applications supported by AD CS include Secure/Multipurpose Internet Mail
> Extensions (S/MIME), secure wireless networks, virtual private network
> (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS),
> smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS),
> and digital signatures.

~~~
michaelt
What is there in that list that you couldn't do with a legitimate CA?

~~~
taspeotis
Issue certificates for free and have complete control over them?

Imagine if you had all your infrastructure authenticating with DigiNotar
issued certificates (that you paid for) only for them to be invalidated in one
day.

[https://en.m.wikipedia.org/wiki/DigiNotar](https://en.m.wikipedia.org/wiki/DigiNotar)

~~~
fulafel
It's much more likely that your IT staff will bungle things managing your own
CA. And less likely that you will notice it and successfully manage the
revocation process.

There's a lot of fun to be had when someone steals your root CA private keys
undetected, and a lot of time & money to be spent ensuring it doesn't happen
despite Murphy's law...

------
nugget
Hate to say it but I'd rather focus on user education than concentrate more
centralized compliance control with Microsoft. I am old enough to remember how
Microsoft wielded that type of control in the past. Malwarebytes alone
could/should fix 90% of this problem.

~~~
sjwright
Perhaps, but for the majority of users, the iOS security model happens to be
extraordinarily effective. I'm not saying Microsoft should force this down
everyone's throats, but I for one wouldn't see it as a bad thing if something
along these lines was the _default_ on retail purchased PCs.

I say this as the "free" family tech support officer.

I've moved about half of my extended family onto iPads and my life is much
better.

~~~
nugget
I understand where you're coming from but it's a little like saying that North
Korea enjoys a low crime rate.

Do we want one company to have that much control? How do you think personal
computing would have evolved if Microsoft had controlled Windows applications
the way that Apple controls iOS applications?

One of the best things that ever happened was Windows and the web both
flourishing as massive market share, mostly-open development platforms for
almost two decades.

~~~
sjwright
I don't disagree, but let's not blur the lines here between people who use
computers professionally and people who use computers as an appliance.

We could have had an iOS-like security model on Windows for the majority of
unassuming retail customers and I don't think it would have made a single jot
of difference to wider flourishing.

(In fact, for various reasons, I would wager that we'd have a _more_ mature
technology sector. Don't underestimate the damage caused by malware to
consumer trust.)

~~~
pjc50
Web development as we know it would not exist. Microsoft would have banned
competing browser engines (as is the case on iOS) and IE6 would have had 90%
market share. The preferred way of doing active content would be ActiveX.

~~~
sjwright
I'm only saying it could be a _default_ on retail purchased PCs. Not on self-
built PCs and a simple choice on (re)install of Windows.

~~~
pjc50
That's still a huge majority of PCs. The self-built PC has always been a bit
of a market anomaly; people don't have self-built Macs and self-built cars are
a truly tiny number.

And I'm working on the assumption that this would have applied decades ago,
when there weren't quite so many viable alternatives to the PC and Microsoft
was the terrifying market monopolist.

~~~
sjwright
You should also work on the assumption that a majority of people would have
disabled this sandbox.

Maybe instead of thinking about it as iOS-like, think about it like a "not
logged in as Administrator" mode which actually worked.

~~~
pjc50
OK, but if the user disables the sandbox they're vulnerable to malware, and
we're back at square 1.

(The goalposts seem to be very mobile here...)

------
fdb
The Badfish page at [https://filippo.io/Badfish/](https://filippo.io/Badfish/)
seems to be down. Any other place where I can direct people to check for
invalid security certificates?

~~~
ultra2d
I have not looked for an online tool, but you can download sigcheck [1] and
run `sigcheck -tv` which will display "valid certificates not rooted to the
Microsoft Certificate Trust List".

[1] [https://technet.microsoft.com/en-
us/sysinternals/bb897441](https://technet.microsoft.com/en-
us/sysinternals/bb897441)

------
forgotAgain
I'm really surprised that CBS hasn't been called out for the behavior of
download.com. They're a major news corporation that needs to maintain their
reputation. I've never seen any news story questioning senior management as to
the disreputable activities of CBS Interactive and it's subsidiaries like CNET
and download.com.

------
Semaphor
> Make sure […] your […] anti-virus stays updated

Or don't use them considering how many reports of them actually making your
system less safe there are.

------
slipstream-
I've been investigating PUPs for the last month or so.

These kind of bundlers now drop not only adware (browser extensions, or those
that drop MITM proxies that break TLS), but also winlockers and fakealert
trojans of Indian origin ("CALL OUR [FAKE] TECH SUPPORT TO RESOLVE THE
ISSUE").

------
CM30
Probably a silly question here (and I've asked it before), but why exactly do
we only have dodgy download sites for Windows programs anyway?

I mean, other platforms have decent stores and download repositories. And
games on Windows... well, you've got a lot of good sites and services there.
Everything from Steam to Good Old Games to the average game mod or ROM hack
download site is moderated and mostly kept free of adware and other crap.

Is there really no one interested in providing a site or service that
explicitly disallows bundling and ad supported crap (or that outright removes
it from anything submitted to them)? Does no one with any ethics exist in this
space?

------
cm2187
I'd be willing to pay a modest fee to have a repository of common software,
always up to date, free of adware, and that can be updated automatically. A
sort of commercial chocolatey with more choice and more up to date packages.

~~~
pbhjpbhj
[https://ninite.com/](https://ninite.com/) is along those lines for MS
Windows.

~~~
cm2187
Yeah, I looked at it. The problem I have with ninite is their limited number
of apps. Even with Chocolatey there are some key apps (to me) missing, like
Spybot Anti Beacon.

Ideally you would want something popular enough that developers would be
rushing to submit packages for their apps and so even relatively small
softwares would be available. If customers are paying (and the cost should be
fairly modest anyway), it would be an efficient way for developers to
distribute their binaries.

The most popular package on chocolatey has 700,000 downloads right now. A
typical user of chocolatey would have multiple machines and must download
multiple version so at best you must have 100,000 people using it in the world
(most likely far less). That's a negligible fraction of the windows user base.

------
joesmo
How the fuck is this not illegal? Oh wait, it is and someone should prosecute
CNET. They're gaining elevated access to your computer without your
permission. For once, can't the CFAA be used for good?

------
slartibardfast0
I wish Microsoft would crackdown hard on this, perhaps by make non-trusted
root certs an Enterprise/Pro feature guarded by a group policy entry.

I can't understand Google's reasoning in disabling Cert pinning for non-
enterprise users either! How do common or garden home users of Chrome benefit
from this feature?

------
SimeVidas
Google Safe Search, please block the entire download.com domain. That would be
hilarious!

------
voltagex_
How are they adding a trusted cert without Windows popping up a warning?

~~~
pilif
because eventually, somewhere in the API there must be a way to actually add
that cert. The API that's being called from windows internally when you press
the "OK" button on the warning that's normally shown.

And even if there was no API or if you do not manage to find its location: At
some point, the certificate needs to be stored somewhere. So you just put it
there and be done with it.

You can try and fight this using stuff like OSX' new rootless mode, by making
a second class of binaries who are more trusted than others, but even then
there will always be ways around it and the backlash would be considerable too
(there were some very nasty comments about the introduction of the OSX
rootless mode, even though it's turnoff-able).

The only way to prevent this from ever happening is to pre-approve every
single app you want running on your platform, but, honestly, that's not a
platform I would want to use (not that I want to use Windows anyways)

~~~
dclowd9901
The rootless mood was only a huge pain in the ass because everyone was used to
pathing usr/local/bin and brew, probably one of the most popular package
managers, relies on a rootful env. Brew was definitely playing with fire and
even though it was tricky getting shit to work again, I for one am glad they
opted to go rootless at the behest of user convenience. Sometimes foul
medicine is the best kind.

------
chris_wot
Is there any way of resetting the list of root certificates?

~~~
theandrewbailey
Probably System Restore would, if you have an old enough restore point.

------
ck2
install this
[https://www.malwarebytes.org/antiexploit/](https://www.malwarebytes.org/antiexploit/)

download instead from [http://www.howtogeek.com/201354/ninite-is-the-only-
safe-plac...](http://www.howtogeek.com/201354/ninite-is-the-only-safe-place-
to-get-windows-freeware/)

------
titel
This article is one year old.

