I'm not going to provide a how-to guide on how to exploit users here. I have notified both Superfish and Lenovo of this issue and here's an example of the improper status pass through based on doing something that might be quite obvious to some:
This is what the browser should do when it encounters a self-signed cert delivered by an SSL/TLS MitM solution:
However, it's not doing this for this self-signed public cert:
Note both certs show "verify_fail." at the beginning and those who know how browser cryptography works will understand what has gone wrong with their implementation.
...Or am I looking at this in the wrong way?
The shocking thing is that the certificate name matching algorithm has been standardised for over 15 years and yet those who wrote the cert generation code weren't aware of how browsers implement it.
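The name-matching rules the comment above refers to, as an added example that is not code from the original thread or from any vendor: a compact reference implementation of browser-style hostname matching (RFC 2818 / RFC 6125, with the stricter wildcard handling browsers apply). The names in the sample calls are constructed.

```python
"""Browser-style certificate hostname matching (RFC 2818 / RFC 6125).

Added example; it is not code from the original thread or from any
vendor.  It implements the rules a browser applies when deciding whether
a certificate's names cover the host the user connected to:

  * if the certificate carries any subjectAltName dNSName entries, only
    those are consulted; the subject CN is a fallback for certificates
    that have no dNSName SAN at all;
  * comparison is case-insensitive and label by label;
  * a wildcard is honoured only as the entire left-most label
    ("*.example.com"), it matches exactly one label, partial wildcards
    ("w*.example.com") are rejected, and at least two labels must follow
    it so that "*.com" never covers a whole TLD (a simplification of the
    public-suffix check real browsers use);
  * an IP-address hostname never matches a DNS name.
"""
import ipaddress
from typing import Iterable, Optional


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate dNSName (possibly a wildcard) cover hostname?"""
    pattern = pattern.strip().lower().rstrip(".")
    hostname = hostname.strip().lower().rstrip(".")
    if not pattern or not hostname or _is_ip_address(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if any(not lbl for lbl in p_labels + h_labels):
        return False                      # empty label, e.g. "www..example.com"
    if "*" not in pattern:
        return p_labels == h_labels       # exact, case-insensitive match
    # Wildcard rules: only the whole left-most label may be "*", nothing
    # else may contain "*", and at least two labels must follow it.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    # "*" stands for exactly one label, so label counts must agree and the
    # remaining labels must match exactly.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_matches_host(san_dns_names: Iterable[str],
                      subject_cn: Optional[str],
                      hostname: str) -> bool:
    """Decide as a browser would: SAN dNSNames win; CN only if there are none."""
    names = [n for n in san_dns_names if n]
    if names:
        return any(dns_name_matches(n, hostname) for n in names)
    if subject_cn:
        return dns_name_matches(subject_cn, hostname)
    return False


if __name__ == "__main__":
    # Constructed sample names (not taken from any real certificate).
    checks = [
        (["www.paypal.com"], None, "www.paypal.com"),       # True
        (["*.paypal.com"], None, "www.paypal.com"),         # True
        (["*.paypal.com"], None, "paypal.com"),             # False: "*" needs one label
        (["*.paypal.com"], None, "a.b.paypal.com"),         # False: "*" spans one label only
        (["*.com"], None, "paypal.com"),                    # False: TLD wildcard
        (["w*.paypal.com"], None, "www.paypal.com"),        # False: partial wildcard
        (["mail.paypal.com"], "www.paypal.com", "www.paypal.com"),  # False: CN ignored when SANs exist
        ([], "www.paypal.com", "www.paypal.com"),           # True: CN fallback
    ]
    for sans, cn, host in checks:
        print(f"{sans!s:28} CN={cn!s:16} host={host:16} -> "
              f"{cert_matches_host(sans, cn, host)}")
```

A certificate generator that ignores any of these rules (for instance by putting the hostname only in the CN of a certificate that also carries an unrelated SAN, or by emitting wildcards that browsers refuse) will produce certificates the browser rejects even when the signature chain is fine, which is consistent with the "verify_fail" result described above.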
"DB3FFO11OLC004.mail.protection.outlook.com rejected your message to the following email addresses:
Something went wrong and your message couldn't be delivered. This could be a temporary issue. Try resending the message in a few minutes. If that doesn't work, forward this message to your email admin."
To put it bluntly, I'd still prefer to buy a system "infected" with Superfish but which lets me reinstall the OS and configure it however I choose, than one which is locked-down so much that, even if such malware was not present initially, if something similarly undesirable is eventually installed by default, it would be nearly impossible to remove. Of course buying an open system that has no malware/adware preinstalled is even better, but given the way things seem to be going with "smart TVs" adding ads and whatnot, it feels like that might not be an option in the future.
Swift on Security has argued - quite convincingly IMHO - that as long as we have this attitude that the user "can" fix their machine by "just remove a SSL cert" we are going to utterly fail the vast majority of ordinary people who now depend on having a machine connected to the internet.
"Maybe this isn’t her fault. Maybe computer security for the average person isn’t a series of easy steps and absolutes they discard from our golden mouths of wise truths to spite the nerd underclass.
Perhaps it’s the very design of General Purpose Computing. And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did."
Go into a room full of average computer users. Say what you just said here, and watch the blank stares and listen to the "what did he just say/what language is he speaking" comments.
You seem to forget this is on consumer laptops, not machines that will be bought by enterprise IT departments and wiped/reinstalled for company use. The affected laptops are ending up in Joe and Jane User's homes, where they will immediately begin visiting their banks, social networks, email providers, and any other sites people use daily, and will therefore be vulnerable out of the box. They won't know about a root certificate; they won't even know what a root certificate is!
THAT is why this is such a shitty thing for Lenovo and Superfish to do.
The future really scares me. And yes, backlash from Superfish fiasco will probably only make things worse.
If you asked anyone, would they not follow the line of reasoning that, if the manufacturer was releasing hardware in a default state of compromise, that we could not trust the default state of released hardware? Why would you conclude the opposite after this?
I can't see a way to construe this as "We need to ensure that machines must stay as the manufacturer ordained to protect us from security threats introduced by the manufacturer!"
I don't understand the rationale here.
If the machine is locked down to prevent that, then the customers have no such option.
Do you know that you have to?
How do you, with no software skills at all, evaluate whether the second person you bring it to does have the skills?
I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to. Maybe one that is needed, but it would be far reaching if consistently applied.
> I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to.
We already have this in "informed consent" - the permission a patient gives for medical intervention. The consent has to be voluntary and made after being informed - in a way the patient can understand - about the risks and potential harms as well as the benefits.
We also (at least, in England) have regulated advertising ("legal, decent, honest, and truthful") and strict consumer protection laws.
Just going off your examples, I don't think it would be unreasonable to require both parties entering into a contract to understand what they are agreeing to. I'd say anything else is unethical, really.
Full contractual freedom is a B2B thing here.
And yes, having people sign that their communication will be monitored is an unreasonable thing in my opinion, cutting to the core of constitutional rights e.g. in Germany.
While we are at that, Germany has a constitutional right of privacy in your place of living - which is in an interesting juxtaposition to devices listening to what happens in your living room and sending it somewhere.
And finally, there is a non-negligible part of the population that cannot grasp those contracts - expecting them to keep track of all the things they signed in their life is an extreme burden.
Many new systems now don't even come with original software disks, requiring you to back up the machine using preinstalled crapware to create a backup DVD.
This was the case with a couple of laptops I purchased in the past three years; one of which was a Toshiba.
Years ago, when you purchased a machine, you got a driver disk separately, and even now I'm seeing a trend where that's becoming less the case.
At least this has been my experience.
What about hard-disk firmware being re-flashed by the "Equation Group"? No easy possibility to detect if you are infected, nor what it is actually doing, not even to reinstall. Hard-disk firmware is software too.
Fortunately, enough other users did so that the comment was killed.
Is comment flagging hidden from the main page to prevent accidental clicks, or its use as a "super downvote"?
Since the feature is non-obvious, I post descriptions like the above semi-regularly in the hope of getting the word out.
But the "regular" users won't. It's not that they _can't_. It's just that for them Internet-connected computers are just tools. Tools to get to information and services... or to get their jobs done. They don't want to mess around with systems - they just want to order something online or communicate with family and friends.
And they are buying laptops like these because they are inexpensive and seem to fit their needs. They just want a tool they can use.
They are _trusting_ Lenovo and other manufacturers. And that trust is being betrayed.
It used to be relatively easy to do a full reformat+install of the OS and drivers; not sure whether that's gotten easier or harder now.
For technical people of course, it is no big deal to install the OS yourself, but I have to say it was nice getting my last HP notebook without a single thing I had to uninstall.
Remove the pre-installed crap. (Using MCPR or NRT to remove bundled AV.)
Ensure MSE or Windows Defender is up and running.
Install the usual software - VLC, LibreOffice (or MS Office if they have bought it), Classic Start if Win 8 and wanted, Chrome with AdBlock (although may soon switch to uBlock), etc. Ninite does most of the heavy lifting on that.
Set up local user accounts (after discussing Microsoft accounts.)
Transfer the user folder (and email if client-based, Thunderbird and Mozbackup usually does most of the work.)
Join the machine onto the broadband.
If necessary, go through the basics of Windows 8.1, web security, backups etc.
It's closer to $99 for businesses, but they usually have slightly more complex requirements.
We used to make restore disks, but nowadays we generally don't bother as it's faster to clean install from a Windows install that already has the updates on it.
I may very well start clean-installing the machines instead. One irritating thing I've come across is that "8.1 with Bing" wouldn't install from a standard Windows 8.1 disk. That may scupper the clean-install plan for home users with cheap machines.
I can tell several stories of trying to set things up for my parents, only to have to call them/wait until I fly home next to fix something. Lessons have been learned the hard way on dumb email chains/anti-virus software, but trying to give them a list of browser settings (among other things) to do is getting to be too much.
So, now what?
We're at an impasse now too where my mom wants a new laptop. She doesn't want to learn anything new (Mac OS) and both she and I don't want to deal with Windows 8+. I'm skeptical about just installing Windows 7 on a newer laptop (...driver/hardware support).
If I could get her to switch to Mac (she's in her 70s), I could set her up with a non-admin user account and set it up easily so that I can securely do remote support. The funny thing is that she would probably do it if not for my brother, who does support for a living and doesn't want to learn to fix Macs...smh
And something like TeamViewer does the remote support nicely.
I'm all for Linux otherwise, but in this use case I'd let old people use whatever keeps them going.
She always makes a mess of Windows machines. If her first instinct weren't always to call my older brother for help, I'd have gotten her the Mac ages ago.
I worked full time for 5 of the last 6 years on Windows malware research. Windows is a swiss-cheese joke of an operating system that won't progress because of a(n at this point pathological) need for 20 years of backwards compatibility. Microsoft: make use of that XP mode VM and extend that trend forwards, you fools.
Another option would be to put her regular use into a VM that you control (remotely) and can restore to a clean state at any time...
I'd like to get everything he needs installed and lock out modifications. Needs cookies obviously, but not much else.
Somehow he manages to have video player issues in every single browser that I can't figure out. He has to watch youtube in chrome, live streams in firefox, etc. It's really dumb. Buying him a chromecast improved it some, though, by avoiding it.
(Myself, I find that model complex and unintuitive, being used to the Unix way, but everything has its learning curve.)
Or, introduce them to more stable OSes, like Ubuntu instead of Windows. That worked for my neighbours ;-)
Remote maintenance is probably something I should look more into.
Though I admit I am starting to worry about the program itself as it's now warning about "missing antivirus" and such, but it's not gone over the deep end just yet.
For maintaining your mother-in-law's computer it's perfect.
(PDFs can be malware, too.)
Everything else is not acceptable.
(There are some people in the industry who call for this. I am not one of them.)
So my explanation wasn't very technical, but I feel as though the part of the process where you also remove the certificate from Firefox had been left out, and I wanted to share it in case it helps out another person.
This news took me by surprise, as I just received a brand new Lenovo Yoga 2 for work last week, and it had this vulnerability.
So any removal instructions which don't include clearing out Firefox's certificates are incomplete. This includes Lenovo's published instructions.
 - https://twitter.com/FiloSottile/status/568600661534875648
The website you're referring to, is https://canibesuperphished.com/
Are there other options besides installing my own root certificate?
Assuming I want to write software that legitimately MITMs all HTTP and HTTPS traffic (parental control, ad blocker, anti-virus scan for webpages...). I want it to be browser independent and work with browsers that don't support extensions.
The Kernel protection watchdog is used to protect Komodia’s Redirector files from being deleted/modified, the LSP from being uninstalled, and also ensures that the main process will not be stopped.
But when you do so, you assume big responsibilities. You have to do all the stuff the browser does, and even lots of security people, if you sat them down and told them to write everything a browser does, would probably forget a few important things. (The browser security folks are exceptions.)
The top post on this page ('patcheudor) is from a researcher who reports that Superfish wasn't doing proper validation of certs, meaning we didn't even need to extract the private key from the binary to forge www.paypal.com.
If I spun up a stupid fake cert for www.paypal.com last week, with no knowledge of Superfish whatsoever, someone from a Lenovo computer would not get certificate warnings.
The more people look at this, the worse it gets. It's a fractal of bad security.
They have the choice of having HTTPS effectively useless (by leaving the certificate there), or making HTTPS not work (by removing it, thus prompting action from the user to fix it -- perhaps by calling their tech savvy nephew).
Browser vendors should (and usually do) err on the side of security.
Probably not a proxy; probably low-level socket interception in Windows.
So there isn't much the browsers can do to help the user.
At least the technical side of Lenovo's response is all the way to "We are writing a program to remove the certificates", which is probably the thing that is going to impact the most people.
But recalling already-sold inventory? Even disregarding the difficulty and inconvenience, this would be a terrible idea. In order for them to be able to remove this, they'd need to be able to log in to your computer, and change the security settings, as well as modify the recovery partition. I doubt I need to explain why giving your login credentials to Lenovo is a terrible idea!
In reality then they've done the only reasonable thing they could do - post a statement with clear removal instructions. They didn't have a lot of choice admittedly, so I'm not particularly lauding them for this - once you've made enough of a mistake to appear in mainstream media (the story was on the BBC website, and there was a fairly large article in my newspaper this morning), you can't really get away with doing nothing if you'd like to continue selling laptops.
They could offer to re-image the hard drive with a non-infected image.
But unlike a car manufacturer, I doubt any governments will compel them either... since this kind of thing is exactly what a government would want.
> WSJ: What are you doing now to ensure the security of people who bought Lenovo laptops with the Superfish app?
> Hortensius: As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.
❝WSJ: Isn’t the best prevention tool to simply stop pre-loading any software on Lenovo computers?
Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers.❞
Probably it would be a good idea, if this is really what the company thinks is true, that upon first boot a menu is opened asking for the particular programs to install?
Thanks for buying a Lenovo product. To get the most out of
your new high-performance mobile workstation, the following
software products can be installed free of charge by ticking the
check-box and clicking 'Next'.
[x] Superfish Ad-Injector, making your web-browsing experience
miserable and yourself vulnerable to Man-in-the-Middle-Attacks
when doing facebook and online banking.
[x] Limited trial of Super-High-Security-Internet-
Security-Anti-Virus which will constantly nag you about paying
for the full product
• The Superfish proxy accepts its own certificate, so now that the private key has been leaked, an attacker can mimic an arbitrary site in Chrome and IE
I thought there might be a chance that despite all the other idiocy here, they might have refused external certificates from their own CA, mitigating the risks somewhat. But no such luck for Lenovo customers!
(It might just accept all CAs locally-configured, and it's accepting its own because they didn't special-case a rejection.)
Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.
A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.
'Data loss prevention' appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.
"We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate"
I think that's fair, or at least it has traditionally been a fair assumption for most users.
The issue here is that your hardware vendor has compromised your machine, so that is no longer a fair assumption.
Of course, Chrome could give some indication like a lock+eyeball or something, and hope the interception vendors are too lazy to bother modifying the code. They could also only disable warnings if the machine is connected to a domain or other management system.
On Mozilla, you can configure it to never bypass pinning (security.cert_pinning.enforcement_level set to 2, see https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinn... ); I don't know how to do it on Chrome.
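The pinning policy quoted from Chrome above, and the stricter Firefox setting mentioned in the previous comment, modelled as an added example (not code from Chrome, Firefox, or the original thread). Pins are compared as base64(SHA-256(SubjectPublicKeyInfo)); the policy skips the comparison when the validated chain ends in a root the user or OEM added rather than one shipped with the browser, and a `strict` flag models an enforcement level at which that exception is turned off. The SPKI bytes, names and pin set are constructed placeholders, not real keys.

```python
"""Key pinning with the private-trust-anchor exception.

Added example; not code from Chrome, Firefox, or the original thread.
It models the policy quoted above: pins are enforced only when the
validated chain ends in a root that shipped with the browser.  A chain
ending in a locally added root (corporate proxy, AV, or an OEM-installed
interception CA) skips pinning, which is why such a CA can issue for a
pinned site without a warning.  `strict=True` models a configuration
where that exception is disabled.  All key material below is constructed.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Cert:
    name: str
    spki_der: bytes              # SubjectPublicKeyInfo, DER-encoded (constructed here)
    builtin_root: bool = False   # True only for a root in the browser's own store


def spki_pin(spki_der: bytes) -> str:
    """Pin as used by HPKP/Chrome: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pins_apply(chain: List[Cert], strict: bool) -> bool:
    """Chain is leaf-first and already chain-validated.

    Pins apply when the trust anchor is a built-in root; in strict mode
    they apply no matter who installed the root."""
    root = chain[-1]
    return strict or root.builtin_root


def check_pins(chain: List[Cert], expected_pins: Set[str], strict: bool = False) -> bool:
    """True if the connection may proceed without a pin-validation error."""
    if not pins_apply(chain, strict):
        return True                       # private trust anchor: pinning skipped
    # A pinned host passes if any certificate in the chain carries a pinned key.
    return any(spki_pin(c.spki_der) in expected_pins for c in chain)


# --- constructed sample data (placeholders, not real keys) -----------------
PUBLIC_ROOT = Cert("Public Root CA", b"constructed-spki-public-root", builtin_root=True)
PUBLIC_INTERMEDIATE = Cert("Public Intermediate CA", b"constructed-spki-public-intermediate")
GENUINE_LEAF = Cert("www.example.com", b"constructed-spki-genuine-leaf")

OEM_ROOT = Cert("OEM Interception CA", b"constructed-spki-oem-root", builtin_root=False)
FORGED_LEAF = Cert("www.example.com", b"constructed-spki-forged-leaf")

OTHER_PUBLIC_ROOT = Cert("Other Public Root", b"constructed-spki-other-root", builtin_root=True)
MISISSUED_LEAF = Cert("www.example.com", b"constructed-spki-misissued-leaf")

# The site pins its intermediate and its root, as sites commonly do.
EXAMPLE_PINS = {spki_pin(PUBLIC_INTERMEDIATE.spki_der), spki_pin(PUBLIC_ROOT.spki_der)}

GENUINE_CHAIN = [GENUINE_LEAF, PUBLIC_INTERMEDIATE, PUBLIC_ROOT]
INTERCEPTED_CHAIN = [FORGED_LEAF, OEM_ROOT]               # ends in a locally added root
MISISSUED_CHAIN = [MISISSUED_LEAF, OTHER_PUBLIC_ROOT]     # public root, wrong key


if __name__ == "__main__":
    print("genuine chain            ", check_pins(GENUINE_CHAIN, EXAMPLE_PINS))
    print("OEM-intercepted chain    ", check_pins(INTERCEPTED_CHAIN, EXAMPLE_PINS))
    print("OEM-intercepted, strict  ", check_pins(INTERCEPTED_CHAIN, EXAMPLE_PINS, strict=True))
    print("mis-issued public chain  ", check_pins(MISISSUED_CHAIN, EXAMPLE_PINS))
```

Run as written, the genuine chain passes, the mis-issued chain from a public root is caught by the pin, and the chain issued by the locally added interception CA passes by default and is only rejected once `strict` is on. That is the distinction the comment draws: the exception is reasonable when the user chose to install the root, and indefensible when the hardware vendor did it for them.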
This has the unfortunate side effect that all internet traffic must go through a proxy, they have to MiTM SSL traffic.
I just use my smartphone's data for any personal internet browsing.
Use personal devices for personal computing.
The line between what computing should be done on what device is blurry in both directions -- it's not just "people do personal computing on corporate devices". It'd be a bit strange to hear a boss tell me to never browse Amazon or Hacker News during lunch.
I use my work laptop all the time for a variety of things, but I do so under the assumption that the company may be snooping on me. (No idea if they are or not.)
I guess I should look into the Chromium source to disable this MITM "feature"... I'm really too busy so if anyone else does this I'd much appreciate a patch.
Edit: I think that's the case. AGL's original announcement of pinning said:
"There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues."
If Chrome thinks that this was a "user installed root CA", it would have been allowed to override the pin. (Disclaimer: I haven't checked that this is right, I'm just using my recollection of how this could work according to AGL's account.)
"openly"? Why doesn't the user see that a fake certificate is being used then? There is no excuse for not showing a big fat warning.
This only shows which side Google is really on when it's evil corporations vs. you, the user.
So the IT department-installed or OEM-installed cert is treated as "user-installed" by the pinning logic, and the user never actually gets warned.
I got a Lenovo Y50 a couple weeks ago, and when I downloaded Firefox and looked at the certificate, it was Superfish.
I've since uninstalled Superfish and deleted the keys (I exported them first though). I know I probably should reinstall Windows but I'm too lazy.
But why take actual photographs of the computer screen instead of just using native screen capture? The lights and reflections are super distracting. A minor nit, yes, but still...
Didn't Hacker News used to mark PDFs?