
Superfish 2.0: Now Dell Is Breaking HTTPS - tdurden
https://www.eff.org/deeplinks/2015/11/superfish-20-now-dell-breaking-https
======
detaro
[https://news.ycombinator.com/item?id=10614837](https://news.ycombinator.com/item?id=10614837)

~~~
throwawayaway
I think an article from the eff is more notable than a reddit anecdote and
should be treated as such.

This is now gone off the main page, which is a shame.

~~~
dang
Perhaps the URL is better, but this cluster of stories has had so many major
discussions that the current submission is clearly a dupe by HN's standard.

[https://hn.algolia.com/?query=dell%20points%3E10&sort=byDate...](https://hn.algolia.com/?query=dell%20points%3E10&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0)

We try to get the most substantive URL into the most prominent thread (and in
fact are working on a system for users to be able to drive that) but it
doesn't always work out.

~~~
tdurden
Thanks for the info.

------
INTPenis
And yet again I have to point out how this is an obvious case of Hanlon's
Razor, where stupidity is confused for malice.

To install the root key is in no way an attempt at spoofing people since it
would eventually be discovered and exploited by someone else. If Dell wanted
to use this pre-installed cert they would not have installed the private key.
And even then it would eventually be discovered much more easily than any
number of backdoor methods they could have pre-installed in the BIOS or the OS
when they control the entire deployment and shipping process.

~~~
acdha
The only malice that I can see being assumed is in your reading of that
report. The EFF page very clearly outlines the problem but said nothing about
Dell trying to abuse it, only that Dell's negligence left their users exposed
to attackers which is a simple statement of fact.

~~~
tedunangst
Read the other comments on this page?

------
FussyZeus
I really don't want to sound elitist, but my choice to go full Macbook and
keep my custom built PC at home has never looked better. How long until we
hear about other manufacturers also doing this?

~~~
throwawayaway
There's very little to be smug about:

[https://en.wikipedia.org/wiki/Spotlight_(software)#Privacy_c...](https://en.wikipedia.org/wiki/Spotlight_\(software\)#Privacy_concerns)

~~~
Retra
I've had a macbook for 2 years and I've never used spotlight beyond the
initial "what does this do?" moment. Besides, you can't really do search
without knowing what is searched for and from where it is being searched.

~~~
s_henry_paulson
Once you get used to cmd+space. It's so much easier to hit the key combo, type
the first letters of the program you want and hit enter than clicking through
a bunch of folders and scrolling around.. but after reading this wikipedia
article, I think I may have to find an alternative.

~~~
FussyZeus
Check out Alfred. I use the free version myself, you can un-assign command
space from Spotlight in OS X first, then assign Command Space to that. It does
basically the same thing minus the Internet connected stuff like location
searching and whatnot.

Alfred can be setup to index folders, contents of text files, pictures, etc.
and harder things like System Prefs screens too.

I myself keep Spotlight on Command Shift Space for the rare occasions when I
want to take advantage of the Internet connected stuff, but keep using Alfred
for everything else (less to do with privacy, more because Alfred is just
quicker.)

------
redbeard0x0a
As I was walking by a pile of Dell laptops for sale today, I just had to
wonder if the timing of this problem is just coincidence? Regardless, this
kind of thing really helps out the FBI/CIA/NSA/etc get around encryption when
targeting an individual. Malice intended or not.

~~~
pmx
I miss the days when I thought "Wow if this keep happening the law will surely
get involved and put a stop to it." \- Now I just think "I bet the government
LOVE this... they probably paid them to do it."

~~~
CamperBob2
True. After the Snowden relevations you don't even have to guess.

------
chipperyman573
"Dell included that [private] key on all the affected laptops as well."

Was there any reason other than plain negligence to include the private key on
every laptop?

~~~
jessaustin
Deniability? If the intention was to create a backdoor, and later it was found
that e.g. NoSuchAdversary had _used_ that backdoor, a really good "we didn't
_intend_ to create a backdoor and we especially didn't give the _key_ to that
backdoor to the Adversary" defense would be the fact that actually Dell gave
the key to everyone.

~~~
jacquesm
That's exactly my take on this whole thing. The incompetence you'd have to
defend for the alternative to be real would damage Dell even more than the
malice would.

------
adrianN
More and more it looks like it's time to go full Stallman in your computing
environment:

[https://stallman.org/stallman-computing.html](https://stallman.org/stallman-
computing.html)

------
mschuster91
I wonder how much similar (or worse) errors exist in the metric shitload of
device drivers distributed by the ODMs, OEMs and the white-labelers.

Everyone adds their crap onto the device and then wraps it up for sale, with
no one having real responsibility on what actually ends up being on the
device.

Given common code quality I really wonder what nasties are hidden in stuff
like Embedded Controller firmware, the drivers for stuff like "special
keyboard hotkeys" and similar. All places to hide a nice kernel level exploit
in (or in case of the EC, _full_ HW backdoor).

~~~
matt4077
I have no idea how the dysfunctional wasteland that is the windows consumer
ecosystem can survive. Microsoft has actually cleaned up it's act quite well
and seems to be producing quality software compared to, says, the Win 98 days.
But OEMs and their crapware...? I recently used someones new Lenovo notebook
and you couldn't get work done for ten minutes without some sort of popup
breaking your concentration. Not even the same, possibly important one,
repeated over and over. No, there were 15 third-party items in the system tray
vying for my attention with updates, warnings, status informations etc.

I seriously wonder how people can work for these companies. Not that they're
terribly evil (b/c, after all, this rant is pretty much the definition of a
First World Problem). But in that I couldn't spend the majority of my waking
hours for an organization that has so little taste.

~~~
FussyZeus
Speaking as one in the trenches, it survives by the sheer will and
determination of the enthusiasts, and the slavishly hard work of various IT
departments, as well as the Linux community by and large being arrogant and
rude, and the fact that Mac's are expensive.

------
nnutter
It annoys me that this is being so directly compared to Superfish. Yes the
technical aspect is similar but the intent is very different. Intent matters.

~~~
jacquesm
I haven't seen anything that really showed the intent of Dell, just a bunch of
woolly corp-speak about improved customer service.

~~~
s_henry_paulson
The intent is in the certificate. Superfish could create and sign any
certificate, meaning it could impersonate websites. This certificate cannot
sign other certificates, meaning it can't be used in the same way as
superfish. Thus the logical intent seems to be bloatware, backdoors, etc.. not
snooping on HTTPS connections.

This is the distinction the person you are replying to is trying to make,
because although similar to superfish, it is not quite the same.

~~~
tedunangst
If the dell cert can't be used to impersonate websites, what's with all the
test websites people set up to demonstrate it?

~~~
nnutter
I think the problem is the private key is accessible AND machines were already
setup to trust it (because of the cert). So what s_henry_paulson said is
technically correct but it's conceptually wrong.

------
itburnswheniit
I share the opinion of a friend of mine which is this will eventually come to
all major hardware manufacturers.

