
Getting Superfish Out of Firefox - cpeterso
https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-firefox/
======
ChuckMcM
This is a great move, but given my history I found this quote funny:

 _" Finally, a word to software authors who might be considering SSL
interception: If you want to add features to the Web, don’t intercept, make an
extension. All of the major browsers offer extension frameworks (see these
links for Firefox, Chrome, IE, Safari, and Opera)."_

It's funny because the whole intercept thing is an escalation between ad
networks and browser writers.

Basically if you can simulate a search engine, and get someone to put ads on
those pages, you can make a bit of money. Back in the day it was all about
creating a toolbar that had some features, and oh by the way changed your
default search engine. Didn't matter whether those results came from Google,
Bing, Blekko, or more recently Yandex. The money was made when the person
clicked an ad. (and yes the search provider got some form of remuneration,
either for returning the results or as a share of the advertising revenue (or
both in some cases).

But given the abuse of the extension eco-system all of the browsers now have
really strong protections against switching your search choice, and if you
don't do that the toolbar is pretty worthless. So to continue in their
business of providing ads when they were not wanted, the folks in "Download
Valley"[1] switched to trying to get between you and your search engine of
choice and then "helping" it with a few more ads.

[1] Hat tip to Matt Cutts who clued me into that particular name for the
cluster of folks who build all this adWare.

~~~
tmzt
I would say the entire mechanism for extensions that can interact with pages
is broken.

First, taking Chrome as an example, extensions are given the permission to
see, track and interact with all pages loaded in the browser. Essentially,
they can inject code, but they can also directly pull data from fill-in forms
and other places.

Of course, these are the things that people use extensions for, so the ability
to modify pages makes sense. Take one of the original extensions that was was
used to modify pages at runtime, Greasemonkey. It was designed to attach a
user.css to the page, or to run a transform on the page and inject specific
DOM elements. Of course, there was nothing stopping an injected piece of
script for posting data to a third party, but a cursory examination of the
particular Greasemonkey customization would show that immediately, and the
script could be flagged and removed from the collection.

Now we have extensions that do much more than these user scripts did in
Greasemonkey and are self contained and harder to break apart and study. Two
examples, Feedly which is my chosen replacement for Reader, has an extension
which places a Feedly icon on every page. It doesn't add it to the browser
chrome but actually adds it to the DOM of every single page that loads. As
similar example is a Chrome extension for managing cookies, but which had a
donation function that placed links on pages to donate to the project or
something of the sort. Either of these could be accomplished with a small
installable transform, and neither required the extension itself to have
access to the DOM, the transform script could have handled the limited
functionality of enumerating RSS/ATOM links or whatever the other extension
did. But both of those extensions requested the amorphous permission of
modifying every page you access.

In Firefox, at least until recently, unsigned extensions could execute native
code in the form of XPCOM libraries, they could modify the entire chrome and
run with the same permissions as the browser itself. They could intercept not
only DOM calls but low level calls in browser js files which also ran with
chrome permissions.

By reading a configuration file for a unique string, or, in some cases,
guessing, you could find a path where placing a zip file or directory was
enough to install an extension, so these extensions rode alongside installers
for applications, BHOs in Internet Explorer that also installed themselves
into Firefox, and other places that would have a chance of destroying a users
experience and perception of Firefox.

~~~
TeMPOraL
That's why browsers suck as a platform - as a (power) user what I want is
_more_ powerful extensions. Security limitations seriously hinder usefulness
of things - but we need them because Internet is a hostile place, full of
criminals and assholes (like companies we're talking about here and their ilk)
looking to take your hard-earned money from you.

------
baby
People are getting mad at Lenovo for making people's laptop vulnerable to MITM
attacks. But what I don't get is why people are not even more mad that Lenovo
is injecting ads on their private computers.

Since when is it a thing that some laptop brands would put advertisements on
your softwares? How come people still buy Lenovo if they do that?

~~~
mwfunk
Why would they be even more mad about the ads? Injecting ads is sleazy and
deceptive, enabling MITM attacks is actually dangerous. You're right though,
the ad injection by itself is still pretty sleazy even if it were perfectly
safe. I think it just got overshadowed by the security concerns.

Heck, it's insane to me that most PC manufacturers slap a bunch of big ugly
stickers on most of their laptops so they can make some absurdly small amount
of extra revenue on a product that costs hundreds if not thousands of dollars.
Willfully endangering users for a similarly marginal profit boost is so much
worse. I have no idea why anyone would buy stuff from such a company.

~~~
themartorana
Probably because the MITM vulnerability is horrible sloppiness, but the ad
serving is done with the malicious intent of continuing to extract revenue
from users that just ponied up a couple thousand dollars for the laptop to
begin with.

I've read people saying there's no way developers didn't know what they were
doing WRT the MITM vulnerability. To them I say "you've never worked for a
giant corporation." Security holes are second in volume only to spent Keurig
pods.

However, the choice to turn someone's entire computer in to an adware
mechanism was explicit and just really sleazy.

~~~
Rapzid
I believe the possibility that a developer capable of understanding and
creating this local MITM not being aware of the wider security implications is
near zero. That would be like a scientist understanding nuclear fission and
bomb making not knowing that detonating it in the middle of a city would cause
a lot of deaths...

~~~
vertex-four
The MITM framework was created by a separate company from the company that
developed the specific piece of software. Just like you don't actually have to
have a clue how a web server works to write a Rails app, the Superfish
developers bought an off-the-shelf MITM framework and used it, which doesn't
require much thought.

------
kijin
Is there a way to check if _any_ non-standard root CAs have been added to my
browser, without going through them one by one and comparing them to a fresh
install? If not, is there at least a button to reset the list to a blessed-by-
Mozilla default?

Because it's not just Superfish we need to be worried about. It's too easy for
arbitrary programs to add root CAs to browsers, even if they aren't pre-
installed by the hardware manufacturer. A while ago, I installed Avast!
Antivirus on a Windows PC and found that it did exactly the same thing:
injecting its own root CA into every browser (including Firefox) so that it
could MITM all https connections.

Corporate IT with their own root CA is a special case that has nothing to do
with the vast majority of Firefox users. For the rest of us, it would be very
helpful if Firefox shipped with an independent certificate verification
feature by default. Corporate IT can feel free to disable it at their own
risk.

~~~
SixSigma
There are 176 certs in Firefox

[https://wiki.mozilla.org/CA:IncludedCAs](https://wiki.mozilla.org/CA:IncludedCAs)

So you could just count them, that would be a start :)

direct link to Google spreadsheet :

[https://docs.google.com/spreadsheet/ccc?key=0Ah-
tHXMAwqU3dGx...](https://docs.google.com/spreadsheet/ccc?key=0Ah-
tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&usp=sharing#gid=0)

EDIT: I tried it myself, exporting all the X509.crts from FF36.0 and got 253 !

sigh

------
KayEss
What we really want is some way to be able to check the fingerprints to make
sure that the cert that's being used is the expected one. This unfortunately
doesn't seem possible without some out-of-band communications system.

Here in Thailand the junta promises to MITM all TLS traffic. I doubt it can be
stopped, but it would be good to at least be able to see when they do it. I
don't see sites publish their certificate fingerprints anywhere which would at
least allow some form of manual check.

It might be enough to be able to get the browser to tell us when a certificate
changes -- this would need to be opt in of course.

~~~
rakoo
> I don't see sites publish their certificate fingerprints anywhere which
> would at least allow some form of manual check.

That's exactly what Google and the likes are building in Certificate
Transparency ([http://www.certificate-
transparency.org/](http://www.certificate-transparency.org/)). It's basically
a log of all modifications on any certificate chain that can be monitored by
anyone who is interested so that misissuance can be detected.

There's also the old Perspectives project which idea was forked into
Convergence
([https://en.wikipedia.org/wiki/Convergence_%28SSL%29](https://en.wikipedia.org/wiki/Convergence_%28SSL%29))
by good ol' moxie. The idea: any number of independent entities run notary
servers, and when you get the certificate for a domain you also ask the
certificate for the same domain to those notaries; if they have the same
certificate, it means you all have the same "view" of the domain, so
everything is probably ok. If they differ, maybe you (or they) were MiTM'ed.

~~~
rakoo
Oh, and of course "publishing certificate fingerprints [somewhere]" is
basically the idea behind DANE. So the idea is hardly, new. The
_implementation_ , now ...

------
dendory
Why dont browser makers add a function where the browser would tell you if
your SSL connection is being intercepted? It's trivially easy to check, all
you need is a known good site to sign a message with the cert of a specific
CA, and if the browser sees it's signed by anything else, it would throw a
warning. Chrome already does something similar with cert pinning.

~~~
geofft
Because the next Superfish will just let that one site through and intercept
the rest. (If you don't believe me, take a look at the arms race around
captive portal detection, and captive portals don't even have the convenience
of running on the same computer and being able to add SSL root certs.)

Alternatively, the next Superfish could just patch that check out.

~~~
hackmiester
What arms race is there with captive portal detection? Don't they want to be
detected so that the user can log in?

~~~
geofft
Many captive portals don't want to be detected _in a separate flow_. OS X,
iOS, Android, Chrome, Windows 8, etc. all notice if you're running a captive
portal, and pop up a separate browsing window: as soon as you can reach the
portal, they kill the window and let you get back to your work.

But if the portal was going to redirect you to some ads or other "value-added"
content, then they may not want that window to be killed. My former local
Barnes and Noble would explicitly whitelist Windows' detection URL, so that
they could redirect you to the BN home page instead of to the page you were
trying to visit.

Cisco has explicit documentation on whitelisting Apple's URLs... and in turn,
Apple has switched from testing a single URL at apple.com to "as many as 200
websites". [https://supportforums.cisco.com/document/11934456/captive-
po...](https://supportforums.cisco.com/document/11934456/captive-portal-
ios7-public)

~~~
TeMPOraL
Indeed.

And seriously, let's admit it - the "value added" thing is bullshit, and
captive portals are mostly either useless (TOS that no one reads anyway) or
evil ("value added"). And as I see a few of my cow-orkers working on a captive
portal right now, I can't help but think that marketers indeed live inside a
strong reality distortion bubble, not realizing that the product they want is
making everyone's life worse.

------
tedunangst
I've read a lot of conflicting information about this. One source says Firefox
doesn't use the windows store, so it's not affected. Then this says it is
affected. But how? Are Lenovo laptops coming preloaded with Firefox? Is it
happening after the fact?

~~~
TazeTSchnitzel
Firefox doesn't use the Windows certificate store. The Superfish installer
will add its certificate to Firefox's store if Firefox is already installed,
but it isn't on Lenovo laptops.

------
easytiger
For a trial of something on an even worse level, British (previously monopoly)
ISP BT deployed something called Phorm[1].

I'd love to see the internal Lenovo emails that led to Superfish being part of
their OEM build. No way they didn't know exactly what they were doing.

I was just hovering over the new Dell or the Carbon X1 as my next purchase.
Decision made.

[1][http://en.wikipedia.org/wiki/Phorm](http://en.wikipedia.org/wiki/Phorm)

------
coherentpony
>In order to be able to inject content into secure connections, it adds a
trusted root certificate to the Windows and Firefox root stores.

I'm really not an expert. Can someone please explain what this means? How is
Lenovo able to modify firefox to intercept web connections? If Lenovo can do
this, can anyone? How can I check firefox hasn't been tampered with before I
download it?

~~~
ewzimm
|||->Options->Advanced->View Certificates

SSL works by verifying a certificate against an authority, so if there is
anyone you don't trust on your list, you can't trust site you are visiting.
Superfish distributed their private signing key everywhere, protected only by
the simple 'komodia' password. Now anyone can pretend to be them. Operating
systems install their own list of authorities, but Firefox maintains its own.
Other Komodia products are also vulnerable.

~~~
Dylan16807
I feel like it's better to not mention the password on the key. It could have
been the best password in the world and it wouldn't matter. Local signing
means the key can be extracted. Talking about the minor obfuscation of storing
a passworded key in the same file as the password is a red herring that gives
the wrong impression.

In short: It wasn't protected by the password. It was protected by nothing.

~~~
ewzimm
Good point. The important part is that it illustrates just how vulnerable
Komodia products are. That password will likely get people access to other
things as well.

------
sjwright
> "We do not remove the root certificate if the Superfish software is still
> installed, since that would prevent the user from accessing any HTTPS
> websites."

I would have thought that breaking HTTPS for these users is a superior outcome
to allowing the continued use of broken HTTPS. If I were a n00b and it were my
Lenovo laptop, I'd rather have my internet browsing fail.

------
cryptophreak
Why take a system you know is compromised, shift a few things around, and hope
for the best?

Format the drive and install a fresh, non-malicious OS image.

------
wodenokoto
Can't they remove it via a software update? I know they've removed add-one
before.

~~~
dahdum
It's added as a root certificate in Windows, not directly in Firefox, so a bit
different.

~~~
0x0
Firefox uses its own certificate store through its bundled NSS libraries,
which was also targeted.

~~~
dahdum
Thanks, my mistake, I think it would make sense to remove automatically in the
case.

