Hacker News new | past | comments | ask | show | jobs | submit login
Dell shipping laptop with rogue self-signed root CA (reddit.com)
400 points by cstross on Nov 23, 2015 | hide | past | web | favorite | 105 comments

Karmic. Straight from Dell's website:

Dell is serious about your privacy

Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.

In case they think it wise to remove that blurb (it's on various product pages):


And in case they twiddle robots.txt to force the wayback machine to clear out: https://archive.is/IaIcl

Total horse shit. Family member bought a Dell not too long ago and it was filled to the brim with spyware.

Do you actually mean spyware, as in low-grade virus, or just preinstalled software? I'd be highly surprised if they bundled actual spyware with their machines.

This raises an interesting paradox to me. How would the people writing the marketing copy for any product that was supposedly Superfish-resilient actually know that it was?

Is the solution to simply not have marketing around such technical details? Is there a solution?

> This raises an interesting paradox to me. How would the people writing the marketing copy for any product that was supposedly Superfish-resilient actually know that it was?

A big difference is that Dell's inclusion of the private key appears to be a (major) screwup by someone with technical responsibility[0], whereas Superfish was downright intentional and involved people all over the company.

In that light, this doesn't really appear to be a paradox - no company should ever market themselves as being immune to mistakes and/or breaches. But it's pretty straightforward to live up to promises that you won't intentionally compromise all security whatsoever just to make a few ad dollars (which is what Lenovo did).

[0] As far as I can tell, there's no evidence that Dell benefits in any way from shipping the private key, so I'm going to invoke Hanlon's razor until we discover otherwise: https://en.wikipedia.org/wiki/Hanlon%27s_razor

But it would be a screw up in Dell's core activity. It's like Intel screwing up the design of the Xeon. I would be surprised if this didn't get approved by many people before going ahead.

At least on the consumer end, I'd say Dell's "core activity" is hardware, not software. This is more like Intel selling software that can screw up your computer: https://www.mcafee.com/

Hardware and the drivers associated.

> But it would be a screw up in Dell's core activity. It's like Intel screwing up the design of the Xeon. It's like Intel screwing up the design of the Xeon.

I'm not really sure I'd say that this is comparable to Intel screwing up the design of the Xeon.

But either way, there's a big difference between "we made a serious technical error, and nobody at the company caught this" and "we intentionally compromised our entire product because advertisers were willing to pay us, and nobody at the company stopped this".

Many hardware companies regard software as an afterthought, not a core activity; it's often outsourced.

This isnt marketing peoples job.

If you want a fun corporate PR check out Microsofts http://niewspierajhakera.pl/

This is a Polish anti piracy campaign equalling everyone who calls himself a Hacker to ISIS terrorist and pedophile :/ Thats right, they uploaded YT clips showing "hackers" in balaclavas collecting child porn. At the very same time Microsoft openly calls polish makers Hackers in another part of corporate portal.

You'd really think that was a parody website if it wasn't for the fact that the domain is indeed registered to Microsoft.

>How would the people writing the marketing copy for any product that was supposedly Superfish-resilient actually know that it was?

They just write whatever sells.

Seems like a way to bypass signed drivers. Sending drivers to Microsoft for signing takes a few weeks and costs money. I bet this certificate was used on prototypes, but was not removed from final version for some reason.

Source: I worked for hardware vendor and wrote windows drivers.

I have seen driver installers that just install their own CA. A particularly clever one generated a CA at install time, signed the driver, deleted the private key, then installed the driver, however this relied on internet access during install to timestamp the driver signature.

I wonder if this works for kernel mode drivers?

This is (a) hilarious and (b) a massive security hole in the whole concept of signed drivers.

Can you actually do that? I was under the impression that the kernel driver root certs aren't under user control, and you basically have to boot your Windows in debug mode to run an unsigned driver. Surely people would just self-sign instead if that was possible.

I thought you could get a code signing cert from MS, but the WHQL qualification is what involves the latter phase?

I am not sure about that, we were a small shop. Dell is bigger, but maybe has subcontractors.

That doesn't explain why the private key was on the prototype itself.

Here's a test website from Kenn White:


What does the test site do?

it's got a certificate signed by the bogus certificate authority that dell bundled. So if your browser accepts the certificate (eg shows a green https instead of preventing the page from loading and displaying a warning) then the CA is installed and trusted on your machine

It is signed by the eDellRoot certificate, if you visit the page and you don’t see any certificate warning, then your machine probably has the eDellRoot certificate installed.

If you don't get a big + scary "Invalid Cert, unsafe!, unsafe!" warning - you have the dell CA installed and trusted...

Uses a cert signed by eDellRoot

On Android I only buy and recommend Nexus devices because of crapware, privacy and security concerns. It might be a good time for Microsoft users to switch to that same strategy and only buy Microsoft devices, since the introduction of Microsoft's own laptop makes it possible. It's also pretty much the Apple model.

All computers sold via the Microsoft Store are "Signature Edition" devices, sort of like the old "Google Play Edition" program: https://www.microsoftstore.com/store/msusa/en_US/cat/Signatu...

For example, the XPS 15: https://www.microsoftstore.com/store/msusa/en_US/pdp/Dell-XP...

Microsoft sells laptops from different manufacturers with Signature Edition. Those laptops don't have any junk.

> Those laptops don't have any junk

I bought a Signature Edition Thinkpad Yoga S1 from Microsoft and it didn't have any junk on it, except in the registry. I think all they do is open the machine, uninstall all the non-Microsoft stuff, then ship the machine. A clean install wouldn't have registry keys for Evernote (for example).

I think I would only buy a Microsoft Surface machine at this point. The hardware is very good and they aren't junked up.

do they remain junk-free when you install manufacturer software updates? Was wondering if manufacturers are mandated to keep the signature laptops clean or if the first time you install your "control center / driver center" update it will automatically pull in things you'd rather not

can you explain to me how an i5-6300HQ/8GB memory/256GB SSD worth 1'700$ ?

For that price I'd buy a gamer laptop and just do a clean install.

An interesting thing I realized on Android while doing some development was that if you install a custom root cert, Android actually persists a notification that says something along the lines of "other people may be able to intercept your communication".

Noticed this while I was installing the MITM cert for CharlesProxy.

Which is really annoying if you actually want to import a different CA (like CAcert.org).

Buying devices only from Google or Microsoft is a little better as it might remove one layer of involuntary data sharing but it would still be better wiping off Android and replacing it with something else that is more privacy oriented...

Are there any "somethings" that are more privacy oriented and can be flashed onto existing android hardware without destroying all functionality due to missing / poor drivers?

Why? Surface Book costs more than a Macbook. Windows laptops sell because they're cheap.

I am not sure that buying an Android phone is helping much from a privacy point of view. There is a reason Android is free...

Probably not many people have read (for example) Torproject ...

Mission Impossible: Hardening Android for Security and Privacy


I have a Dell M3800 that was purchased in March and has this cert. I am not well versed in this area. What do I do? Can I just delete it from the "Certificates" snap-in in MMC? (And should I?)

I'm replying to my own comment, because I can no longer edit it. This is a response that I received from reddit [0]. I haven't attempted it yet, but I wanted to include it here for completeness (and opinions):

> You can safely delete it from both the root and personal certificate stores. You will also need to remove the eDell plugin entirely otherwise the certificate will simply be reinstalled. If you have "Dell Foundation Services" listed in your programs you can uninstall it, otherwise you'll need to look for "Dell.Foundation.Agent.Plugins.eDell.dll" and delete it.

[0] https://www.reddit.com/r/tech/comments/3tzwuv/dell_does_a_su...

Here's the removal process from dell (PDF): https://dellupdater.dell.com/Downloads/APP009/eDellRootCerti...

Take a look at the screenshot of the certificate store. Why are expired certs from 1999 in there? What's that "NO LIABILITY ACCEPTED" cert? Do you really have the private key for the self-signed cert?

This is worth a vulnerability report to US-CERT, and more publicity.

Those weird trusted root CA's are preloaded by Microsoft https://support.microsoft.com/en-us/kb/293781

[1] suggests that this can be used for code signing, but not to MITM network requests, which makes it bad in a different way to superfish.

[1] https://np.reddit.com/r/technology/comments/3twmfv/dell_ship...

Right, but the private key is also included(!), so anyone can now sign code that will be trusted by these computers.

Edit: Confirmed can issue ssl certs. https://mobile.twitter.com/_xpn_/status/668745489823768576

Why in the world did Dell ship the private key?

So that a program could use this Cert + Key to create arbitrary signed certs for google.com, facebook.com, etc. etc.

This is what the Superfish software did.

That person was mistaken. Keep reading the thread. Several people have already created website certificates that validate in browsers using the private key provided.

So should it not have been tagged solely for code-signing? x509 has a field for intended usage.

This particular certificate has no constraints, so if my understanding of x.509 is correct then it can be used for everything.

Of course if they had known better they probably would not have shipped it with the private key protected by such a obvious and weak password.

One should always do a clean install of Windows with a OEM disc when buy a new PC. You can avoid a lot of issues that way...

Lenovo uses Microsoft Windows Platform Binary Table to install bloatware, which gets around any kind of clean install/reset.

Clean install for Windows means nothing when you have shady vendors utilizing this mechanism.

I would change that last part to say "means nothing when you have shady OS makers building this mechanism."

I mean, come on, Microsoft, what were you thinking? Vendors gonna vend, so you had to know how this "feature" was going to be used.

Microsoft created the feature so you'd actually have driver support when doing the reset. I'm sure we all love resetting a touch screen only machine to find out it has no touch support for the install.

Perhaps this would encourage vendors to actually follow standards for their input devices so they didn't require custom drivers. Win-win!

They could have just put the drivers on the CD like every linux distro ever.

You mean the CD recovery image disk which would ostensibly have all the same bloat/spyware as the PC itself?

No, I mean the official Windows CD (technically two DVD set now). New Windows versions are shipping frequently enough now that it would actually be possible.

Microsoft could maintain specific install mediums for each device, including the drivers necessary, but without allowing vendors to load crapware

What about installing an intermediate linux system?


  1. start with window pre-installed
  2. install any linux distro, fully overwriting the OEM
  3. re-install windows, from microsoft 
I'd say just stop at step 2 ;) but I can understand that not everybody can do this (eg: work computer) but want a clean OS.

will this method work to remove such bloatware?

This won't work because the firmware will write a file to your hard drive with the bloatware. It's scary that firmware will modify my filesystem - lots of damage could happen here.

Also, instead of step 2, it would make more sense to boot linux on a usb stick and use dd to erase the hard drive -- this is more complete than installing another OS... but still useless if the firmware is working against you.

In this case Windows will write to your filesystem, not the firmware. Of course there is nothing stopping a firmware from writing to the disk before it loads any OS, but that is true with any OS not just Windows.

It won't work unless you manage to flash the UEFI firmware.

Or buy "Signature Edition" from Microsoft


So buy it twice to get a good copy?

Microsoft really needs to reel in the bad behaviour on the part of the OEMs.

No no, sorry. Signature edition is buying the computer itself, not rebuying the OS. They're computers from Dell/Toshiba/Acer/etc. sold directly by Microsoft without any garbageware. Saves you the hassle of having to do a clean install after you buy it.

Do you have a link that explains what this is? The previous one dumped me on some random Microsoft Store page.

Hm, link works for me. Maybe MS is doing a location based redirect or something? Try google cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...

The US government launched a massive anti-trust case against Microsoft to enable OEMs to do whatever they wanted.

It cost Microsoft many billions of dollars, almost had the company broken up, and put them under close Department of Justice supervision for a decade. I don't think Microsoft will risk anything like that again....

Microsoft didn't get sued for trying to make installing Windows easier. It got sued for making changes in Windows designed to damage competitors (specifically Netscape, Sun, Borland, and Apple) and publicly and repeatedly lying about it.

The heart of the case was whether OEMs could install Netscape and/or remove IE. One direct result was that Microsoft could not insist on its preferred installation of Windows.

Microsoft was also prevented from charging the major OEMs different prices, which was its main way of rewarding OEMs for doing installations the way Microsoft wanted.

This is true -- but again Microsoft got caught lying about how IE's functionality was "intrinsic" to Windows (which was why it prevented IE from being uninstalled). It was also forcing PC manufacturers to pay a royalty for every PC sold, whether or not it was bundled with DOS or Windows (which damaged rivals like Digital Research -- the company Microsoft essentially stole DOS from, but that's another story).

> how IE's functionality was "intrinsic" to Windows

Microsoft had been forced to sign a consent decree in 1995, which prevented it from tying new products to the OS but specifically allowed it to add new features to the OS. It therefore didn't have much choice about its arguments, though (like every other OS supplier) it obviously wanted to include a browser. Equally obviously, delivering a free browser as part of the OS was good for consumers, which is why Microsoft won the browser bundling case on appeal.

Microsoft had also componentized the browser so that different functions could be used by other programs, which to some extent, did make it part of the OS. (Much of the anti-trust case argument on that topic was phenomenally stupid.)

>It was also forcing PC manufacturers to pay a royalty for every PC sold, whether or not it was bundled with DOS or Windows

Don't think so. That was a deal offered to some OEMs, but as far as I know, it was never forced on anybody. In any case, the US Justice Department banned the idea in 1994. I tend to think 21+ years is a bit of long time to hold a grudge about something that was killed before it took off.

> Digital Research -- the company Microsoft essentially stole DOS from, but that's another story

Well, DR screwed up massively by refusing to sign a deal with IBM, then by charging too much for DR DOS, and then Apple screwed it in a court case over the UI in DR GEM. Either way, DR was dead long before the Microsoft anti-trust suit.

> "it was never forced on anybody"

Depends on what you mean by "forced", right? If a PC manufacturer's choice is between not selling PCs with Windows pre-installed and having to pay a per-PC license for Windows whether Windows is installed or not, then effectively it's forced. And this was likely in play for years, but covered by commercial in confidence.

> DR screwed up massively by refusing to sign a deal with IBM

Sure but that's a different issue entirely.

As a result of the litigation over 86-DOS/QDOS (which MS licensed from Seattle Computer Products) Seattle Computer Products, DR-DOS, IBM, and Microsoft ended up with the right to ship DOS. Microsoft acquired SCP's license for chump change via a dubious legal maneuver whereby it was forced to sell its license to MS rather than to anyone else for whatever they wanted to pay (I forget the detail, it's documented in one of the Gates biographies). DR and IBM continued to sell technically superior versions of DOS, but IBM's was bundled with IBM-branded hardware and DR was crippled by Microsoft's licensing contracts which became particularly effective once Windows 3.x came out.

> 21+ years is a bit of long time to hold a grudge

This is only the tip of the iceberg of things MS's anti-competitive behaviors. Probably its most pernicious behavior was "dumping" on rivals (cross-subsidizing products such as Access until rivals went out of business) and actively sabotaging third party software (e.g. -- allegedly -- deliberately breaking Lotus 1-2-3 on DOS 2.x and -- well-documented -- breaking Borland compilers in the Windows 95 betas (which might well have continued into the release version had it not been caught red-handed).

At this point, the price "advantage" for Windows PCs vs. a Mac is tenuous at best... especially since a lot of folks buy on some "30% off this week" deal with Dell/Lenovo/etc.

Yeah, so that may not be possible.

I have a HP laptop with a Windows 7 license key under the battery and I can only install Windows 7 from HP recovery disks.

Of course, I opted to say "fuck you" and torrented a Win7 installation disk and activator, but that is not an option most of the time.

Related: how to control the SSL CAs your browser trusts, on nearly every device (except iOS 9).


Regardless of why this is here, negligence or cost cutting, this is pretty bad and leaves the systems pretty open.

I love the Dell response: "We have top men working on it."

The response I see is better: http://en.community.dell.com/dell-blogs/direct2dell/b/direct...

> We have posted instructions to permanently remove the certificate from your system here. We will also push a software update starting on November 24 that will check for the certificate, and if detected remove it. Commercial customers who reimaged their systems without Dell Foundation Services are not affected by this issue. Additionally, the certificate will be removed from all Dell systems moving forward.

> Your trust is important to us and we are actively working to address this issue. We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately.

"Who are they?"

"Top. Men."

Can you link to where you see this? I don't see that quote in TFA.

I think the mods changed the link. The original was a blog post, and one of the comments was from Dell and essentially said "We are Dell and we like security. Our experts are furiously working on security. We'll let you know what they come up with."


They are being asked about this over-and-over again, and they just spit back the same nothing response every time that is essentially what the person you replied to said.

Whenever I see an announcement to that effect, I'm reminded of this classic The Far Side cartoon: https://www.pinterest.com/pin/509399407824121060/

Alas, no new ones for over 20 years.

Just like Xerox response to news that their copiers randomly swap numbers.

This should be the NSA's job, keeping us safe from all the corporate and foreign government cyber espionage that is completely out of control. In reality they don't give a shit because they like to free ride on top of all the other backdoors as well as the ones they create.

The NSA's job does entail keeping government communications secret and secure. So whole buildings of people do "give a shit" about stuff like this.

Since Dell holds a ton of government contracts and a good amount of government computers are Dell, you can guarantee they most DEFINITELY "give a shit" about this.

One thing to note is, if you have your own Windows disks (some organizations might have) or if you use Linux this might not really matter to you. I wish laptops and desktops were sold without Operating Systems by the major companies, outside of server space.

There are quite a few low end laptops available in India without any pre-installed OS. Most people who buy these end up using some pirated copy of windows which is either left unpatched and vulnerable or it comes with some form of malware already installed. It hasn't been great for security or privacy sadly. No one I know uses linux on them or forks out any money for a Windows license which they deem to be too costly.

It's hard for me to imagine a company as big as Dell making such a bone-headed blunder.

It shouldn't be. If anything, being as big as Dell makes me wonder why it hasn't happened already.

I work at an Enterprise software company a few orders of magnitude smaller than Dell. The number of people we have who don't even begin to understand how SSL works beyond 'its encrypted now' is frustrating.

Dell can probably recruit better people than we can, but I don't know if they can recruit better people at volume, top to bottom. It only takes a couple of people to not understand what they are doing and 'just get it done' for this to happen.

Volkswagen made a much bigger blunder, as you might have heard. Sometimes companies fail to comprehend the consequences of their actions.

In that particular case, it's likely less "fail to comprehend the consequences of their actions" and more "underestimate the chances of being caught"...

The bigger a company is, the more places there are for bone-headed blunders to go unnoticed.

Off topic: I dont reddit that much, so this is a first time I see this banner (specifically crafted to not be copyable!)

> You have been linked to a read-only version of this subreddit. Please respect the community by not voting. Please do not vote or comment when you come from external subreddits.


When you add the np subdomain prefix to a reddit domain, it links to a non-participation version of the page. The idea is that it helps to reduce "brigading", as in if a thread is linked to by an external party or another subreddit, the thread is not so easily derailed from its original context and audience. Of course if you actually want to participate in the thread, its not difficult to simply remove the prefix. But it might make some people think twice. NP links are mainly used by inter-subreddit references, as "brigading" is against the reddit rules, and can result in a subreddit being banned. I can see why it all seems a bit ridiculous.

Thank you for the explanation. It does look very tinfoil hat for the outsider with no knowledge of what it is.

It's non-copyable because it's added with CSS and not an element on the page. It's done this way because CSS is the only way for a subreddit's moderators to add a message like this. (Reddit allows moderators to customize CSS, but not otherwise alter pages.)

Test for eDellRoot certificate ..


The self-signed certificate is probably something a developer at Dell was using for testing and forgot to delete.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact