
Superfish 2.0: Dell ships laptops, PCs with huge internet security hole - ColinWright
http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/
======
junto
Another (busier) discussion is here:
[https://news.ycombinator.com/item?id=10619336](https://news.ycombinator.com/item?id=10619336)

As an ex-Dell support website developer (in other words I've worked with the
service tag lookup feature) I don't understand why a root CA certificate is
required for this.

I do remember that the previous incarnation needed Java/ActiveX support, which
is admittedly now getting harder to run, so the new site now asks the user to
download and run an executable.

Assuming the EXE is an installed application (I didn't investigate any
further), this would give Dell full access to the user's PC anyway. Hence, I
don't understand why a CA root cert enables Dell to do anything extra in order
to locate the service tag from the system.

Whilst people do want to give Dell the benefit of the doubt, and think that
the CA root was left on the build imaging system by accident, the real
question is why it was there in the first place!

What purposes would a CA root certificate give Dell (even on their own test
builds)?
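To make concrete what a trusted root CA buys its holder, here is an added example (not code from this thread, from Dell, or from the linked article). It assumes the `openssl` command-line tool is installed and runs under POSIX sh; every name and hostname in it is constructed for the demo. It creates two self-signed roots, signs a leaf certificate for a hostname the signer does not own, and then runs the same check a TLS client runs: the leaf is accepted only by a client that trusts the signing root, and only for the hostname it was issued for.

```shell
#!/bin/sh
# Added example, not code from the thread above or from Dell. It demonstrates
# the one thing a trusted root CA (plus its private key) buys its holder: any
# certificate it signs, for any hostname, chains correctly on every machine
# that trusts that root. All names below are constructed for the demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_root <prefix> <subject>: self-signed root CA with its private key on disk.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_leaf <root-prefix> <hostname>: mint a server certificate for a hostname
# the root's holder does not control, signed with that root's private key.
issue_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/ext.cnf"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# chain_ok <root-prefix> <hostname>: the check a TLS client performs. Returns 0
# only when leaf.pem chains to the given root AND matches the hostname.
chain_ok() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_root vendor "Example Vendor Root CA"   # hypothetical preinstalled root
make_root other  "Unrelated Root CA"        # a root the client does not trust
issue_leaf vendor www.example.com           # constructed hostname

if chain_ok vendor www.example.com; then
  echo "accepted: a client trusting the vendor root takes this www.example.com cert"
fi
chain_ok other www.example.com  || echo "rejected: same leaf, root not trusted"
chain_ok vendor login.example.net || echo "rejected: hostname mismatch"
```

The point for the question above: a service-tag lookup needs nothing from the certificate store, whereas a root that every browser on the machine trusts lets whoever holds its private key sign a certificate for any site and have that machine accept it. That is a capability well beyond reading a hardware identifier, which is why its presence on a shipped image, accidental or not, matters.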

