Hacker News new | past | comments | ask | show | jobs | submit login
Browser Vulnerability to Superfish: A Fact-Finding Trip to Best Buy [pdf] (bugzilla.mozilla.org)
494 points by ndesaulniers on Feb 20, 2015 | hide | past | favorite | 174 comments



I went to Best Buy as well today and picked up a laptop to look into this further. The Superfish software is not properly passing the validation state of the public cert when it connects to a website like Bank of America as an example. There's no need to export their private and use it in a MitM transparent proxy. The software is simply not triggering appropriate warnings when provided an obviously fake certificate that has been generated in a way to bypass browser warnings. It's also not properly validating revoked certs. Both of these situations are very bad. Allowing any self-signed cert would lead me to believe that this could have easily been exploited in the wild without prior knowledge of this vulnerability.

I'm not going to provide a how-to guide on how to exploit users here. I have notified both Superfish and Lenovo of this issue and here's an example of the improper status pass through based on doing something that might be quite obvious to some:

This is what the browser should do when it encounters a self-signed cert delivered by an SSL/TLS MitM solution:

http://defaultstore.com/six.png

However, it's not doing this for this self-signed public cert:

http://defaultstore.com/four.png

Note both certs show "verify_fail." at the beginning and those who know how browser cryptography works will understand what has gone wrong with their implementation.


I suppose they were relying on the prepending of "verify_fail" to the hostname (with an invalid character - '_') to cause the browser to fail the certificate name check, so Superfish is doing certificate checking? Shouldn't the browser then complain with a "certificate's hostname does not match the site's" warning?

...Or am I looking at this in the wrong way?


You're close. I'm not in the business of telling people how to exploit this and am assuming those who already know were already doing it based on what would be a "best practice" (for a bad guy that is) when it comes to generating a self-signed cert.


...is it blindly copying any x509v3 attributes present on the certificate, or just the one that you seem to be carefully not mentioning? Can you email me (one is listed in my HN profile)? I just thought of a pretty horrible exploit. 2199399413f2e63e6291a3f3e60f3475518aaf88215434222c65d6bc6fe41f34


After a little more thought, it seems obvious to me now what the problem is. :-)

The shocking thing is that the certificate name matching algorithm has been standardised for over 15 years and yet those who wrote the cert generation code weren't aware of how browsers implement it.


Ding, ding, ding. ;-)


This is bumming me out. I'm really curious about what the exploit is but cannot quite put the pieces together...


Looks like someone already wrote a post about it: https://blog.filippo.io/komodia-superfish-ssl-validation-is-...


I hope to have a write-up at some point in the near future. I'm working with the vendor now to fix the vulnerability and hope they will be agreeable to a co-authored write-up once they've issued patches.


I'm really just curious & not malicious - is that string at the end of your post a hash of a key or of an exploit code?


Its probably the hash of their explanation of the exploit.


correct


Then it must be a simple to phrase exploit with only one obvious way of stating it.


The purpose of a publicized hash is that you can produce the content later and assert that you had authored it prior to the time you publicized the hash. This is proof to the extent that generating text to hit a given hash is really hard.


Does anyone have a security contact at Superfish? It looks like they don't have a security@ mailbox:

"DB3FFO11OLC004.mail.protection.outlook.com rejected your message to the following email addresses:

security@superfish.com Something went wrong and your message couldn't be delivered. This could be a temporary issue. Try resending the message in a few minutes. If that doesn't work, forward this message to your email admin."


Try abuse or postmaster or one of these:

http://whois.domaintools.com/superfish.com


info@superfish.com went through and I'd imagine that they must be reading this thread by now and can go check that mailbox to reach out to me.


Article is unmarked PDF


PDF


While this whole Superfish/Lenovo thing is certainly quite scary, let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns, which includes among other things (un)installing software like Superfish, and also adding/removing trusted certificates. There will be those who advocate locking down the certificate stores and other areas of the OS (e.g. only "approved" software can be installed) in an effort to prevent companies from doing things like this, but I think that could lead to an even worse situation - imagine if this was preinstalled on a locked-down system that made it nearly impossible to remove (or perhaps even discover!)

To put it bluntly, I'd still prefer to buy a system "infected" with Superfish but which lets me reinstall the OS and configure it however I choose, than one which is locked-down so much that, even if such malware was not present initially, if something similarly undesirable is eventually installed by default, it would be nearly impossible to remove. Of course buying an open system that has no malware/adware preinstalled is even better, but given the way things seem to be going with "smart TVs" adding ads and whatnot, it feels like that might not be an option in the future.


> let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns

Swift on Security has argued - quite convincingly IMHO - that as long as we have this attitude that the user "can" fix their machine by "just remove a SSL cert" we are going to utterly fail the vast majority of ordinary people who now depend on having a machine connected to the internet.

http://swiftonsecurity.tumblr.com/post/98675308034/a-story-a...

"Maybe this isn’t her fault. Maybe computer security for the average person isn’t a series of easy steps and absolutes they discard from our golden mouths of wise truths to spite the nerd underclass.

Perhaps it’s the very design of General Purpose Computing. And who built this world of freedom, a world that has so well served 17-year-old Jessica? You did. We did."


> While this whole Superfish/Lenovo thing is certainly quite scary, let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns, which includes among other things (un)installing software like Superfish, and also adding/removing trusted certificates.

Go into a room full of average computer users. Say what you just said here, and watch the blank stares and listen to the "what did he just say/what language is he speaking" comments.

You seem to forget this is on consumer laptops, not machines that will be bought by enterprise IT departments and wiped/reinstalled for company use. The affected laptops are ending up in Joe and Jane User's homes, where they will immediately begin visiting their banks, social networks, email providers, and any other sites people use daily, and will therefore be vulnerable out of the box. They won't know about a root certificate; they won't even know what a root certificate is!

THAT is why this is such a shitty thing for Lenovo and Superfish to do.


Welcome to the War over General-Purpose Computing.

http://boingboing.net/2012/08/23/civilwar.html

http://boingboing.net/2012/01/10/lockdown.html

The future really scares me. And yes, backlash from Superfish fiasco will probably only make things worse.


I don't understand how this would be the conclusion reached. If you asked a person on the street, would they not think that Lenovo is a entity of authority? That they were the ones dictating the computers configuration? That they were any more or less fallible/malicious than Sony or Microsoft or HP?

If you asked anyone, would they not follow the line of reasoning that, if the manufacturer was releasing hardware in a default state of compromise, that we could not trust the default state of released hardware? Why would you conclude the opposite after this?

I can't see a way to construe this as "We need to ensure that machines must stay as the manufacturer ordained to protect us from security threats introduced by the manufacturer!"

I don't understand the rational here.


This is exactly what I thought (I spammed many of my friends with the link to the talk). I bet you that this (which is a step in the wrong direction) will trigger a something worse (a leap in the wrong direction to 'protect' consumers).


I'm very hesitant to use this word, but this is a very privileged position. Many customers don't have the skills to even see the technical problem while expecting that not to happen. The same goes for reinstalling the machine (or they don't trust in their skills).


Perhaps not, but such customers CAN purchase software written by someone who DOES have the skills, that will perform the actions on their behalf.

If the machine is locked down to prevent that, then the customers have no such option.


If you buy a new car, are you okay to have to bring it to another shop immediately? If yes, did you factor in that cost?

Do you know that you have to?

How do you, with no software skills at all, evaluate whether the second person you bring it to does have the skills?


Grandma just bought her laptop from the fine folks at Best Buy. They obviously know best, and why would the sell her a computer in less the pristine condition? It's fine as is, she doesn't know to or have to pay someone to fix something that should be ok.


Do we stop allowing home loans because the majority of those signing them honestly don't most of those clauses? Do we ban cell phone contracts because only 1 in 100 even read what they are signing?

I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to. Maybe one that is needed, but it would be far reaching if consistently applied.


In EU we do have laws that make unreasonable contracts unlawful. This sits with "buyer beware". A buyer should take efforts to learn about the contract they're entering into, but supplier can't hide onerous terms deep in a complex contract and say that they warned the buyer.

> I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to.

We already have this in "informed consent" - the permission a patient gives for medical intervention. The consent has to be voluntary and made after being informed - in a way the patient can understand - about the risks and potential harms as well as the benefits.

We also (at least, in England) have regulated advertising ("legal, decent, honest, and truthful") and strict consumer protection laws.


> I think that it is a very life altering precedent to say we ban adults from consenting to things because they don't know what they are consenting to.

Just going off your examples, I don't think it would be unreasonable to require both parties entering into a contract to understand what they are agreeing to. I'd say anything else is unethical, really.


This is standard in the EU and I think that is a good thing.

Full contractual freedom is a B2B thing here.

And yes, having people sign that their communication will be monitored is an unreasonable thing in my opinion, cutting to the core of constitutional rights e.g. in Germany.

While we are at that, Germany has a constitutional right of privacy in your place of living - which is in an interesting juxtaposition to devices listening to what happens in your living room and sending it somewhere.

And finally, there is a non-negligible part of the population that cannot grasp those contracts - expecting them to keep track of all the things they signed in their life is an extreme burden.


The problem with whiping a brand new computer and installing your own will not necessarily void warranty but if you have a problem like something is not working, technical support will tell you to restore the system.

Many new systems now don't even come with original software disks requiring you to backup the machine using preinstalled crapware to create a backup DVD.

This was the case with a couple of laptops I purchased in the past three years; one of which was a Toshiba.

Years ago, when you purchased a machine, you got driver disk separately and even now I'm seeing a trend where that's becoming less the case.

At least this has been my experience.


> let's not forget the very important fact that, currently, the user ultimately still has the ability to modify the software on the machines he/she owns

What about hard-disk firmware being re-flashed by the "Equation Group" [0]? No easy possibility to detect if you are infected, nor what it is actually doing, not even to reinstall. Hard-disk firmware is software too.

[0]: https://news.ycombinator.com/item?id=9058701


[flagged]


Way to completely disregard the rest of the parent's comment, which makes a fantastic point, and instead blindly call him an idiot.


You're right. Still, it would be better to just say nothing, so as not to dilute the thread further. The right tool here is flagging. You can flag an inappropriate comment by clicking on its timestamp to go to its page, then clicking on "flag".

Fortunately, enough other users did so that the comment was killed.


I had no idea that was even an option, and I've been here for a few years now. I thought only threads could be flagged.

Is comment flagging hidden from the main page to prevent accidental clicks, or its use as a "super downvote"?


It is an intentional speed-bump to cut down on reflexive flagging.

Since the feature is non-obvious, I post descriptions like the above semi-regularly in the hope of getting the word out.


+1, I also had no idea this was an option until you pointed it out, I'll make sure to use it in the future. It might be helpful to perhaps add it to the HN FAQ, or some other help page that has information on "hidden" features like this one.


Computing is genuinely becoming scary. If I didn't browse tech sites or spend my days on HackerNews, I probably wouldn't know about these things. I'm getting older and more disinterested in the constant maintenance -- I just want the shit to work. It sucks the most for those who learned "don't install anything fishy, run a virus scan, don't open attachments, and you'll be fine." They bought a computer and followed the rules and are still being fucked over. I've seen a high number of comments that say "oh man, I never trust OEM software, clean installs only for me." So it looks like there is another rule for the pleb/peasant/uninitiated computer users to follow. I can barely keep up, I wonder how nontechnical people do.


Yes, this is a huge issue. We in the technical community will take the extra steps. We will reformat a system and install a new o/s. We will go through the steps to remove malware/adware. We will install our own web browsers and additional security software. We'll use VPNs. We'll use PGP keys. We'll use Tor.

But the "regular" users won't. It's not that they _can't_. It's just that for them Internet-connected computers are just tools. Tools to get to information and services... or to get their jobs done. They don't want to mess around with systems - they just want to order something online or communicate with family and friends.

And they are buying laptops like these because they are inexpensive and seem to fit their needs. They just want a tool they can use.

They are _trusting_ Lenovo and other manufacturers. And that trust is being betrayed.


I've convinced many people to do clean installs on new computers - my reasoning usually goes like "the software it comes with is suitable for demos in the store; when you start using it, you should clean that out and install your own."

It used to be relatively easy to do a full reformat+install of the OS and drivers; not sure whether that's gotten easier or harder now.


If you buy a computer from the Microsoft Store it is guaranteed to have no crapware, trialware or any other junk on it. If you buy a computer from somewhere else and take it to the Microsoft Store they will place a clean operating system on it for $99.

For technical people of course, it is no big deal to install the OS yourself, but I have to say it was nice getting my last HP notebook without a single thing I had to uninstall.


There was a time I would have balked at the idea of paying Microsoft $99 to ensure there was no crape are on a PC. Now it sounds like a decent value.


To set up a new machine for a client I charge about $75 to:

Remove the pre-installed crap. (Using MCPR or NRT to remove bundled AV.)

Ensure MSE or Windows Defender is up and running.

Install the usual software - VLC, LibreOffice (or MS Office if they have bought it), Classic Start if Win 8 and wanted, Chrome with AdBlock (although may soon switch to uBlock), etc. Ninite does most of the heavy lifting on that.

Setup printer.

Set up local user accounts (after discussing Microsoft accounts.)

Transfer the user folder (and email if client-based, Thunderbird and Mozbackup usually does most of the work.)

Join the machine onto the broadband.

If necessary, go through the basics of Windows 8.1, web security, backups etc.

It's closer to $99 for businesses, but they usually have slightly more complex requirements.

---

We used to make restore disks, but nowadays we generally don't bother as it's faster to clean install from a Windows install that already has the updates on it.

I may very well start clean-installing the machines instead. One irritating thing I've come across is that "8.1 with Bing" wouldn't install from a standard Windows 8.1 disk. That may scupper the clean-install plan for home users with cheap machines.


FWIW that's the "Signature Edition" of Windows. You can find them on Amazon too.


This.

I can tell several stories of trying to set things up for my parents, only to have to call them/wait until I fly home next to fix something. Lessons have been learned the hard way on dumb email chains/anti-virus software, but trying to give them a list of browser settings (among other things) to do is getting to be too much.

So, now what?


I'm in this situation too.

We're at an impasse now too where my mom wants a new laptop. She doesn't want to learn anything new (Mac OS) and both she and I don't want to deal with Windows 8+. I'm skeptical about just installing Windows 7 on a newer laptop (...driver/hardware support).

If I could get her to switch to Mac (she's in her 70s), I could set her up with a non-admin user account and set it up easily so that I can securely do remote support. The funny thing is that she would probably do it if not for my brother, who does support for a living and doesn't want to learn to fix Macs...smh


Windows 7 is going to be absolutely fine. If it's what she's used to, and you have the license and media, just go ahead.

And something like TeamViewer does the remote support nicely.

I'm all for Linux otherwise, but in this use case I'd let old people use whatever keeps them going.


Yeah, it's just an insecure mess.

She always makes a mess of Windows machines. If her first instinct weren't always to call my older brother for help, I'd have gotten her the Mac ages ago.


Well, perhaps it would be good to give her a non-admin account to Windows? The same approach you'd do with a Mac, but leaving her with a familiar UI.


Privilege escalation, even with UAC at its strictest, is trivial on Windows with the malware that's floating around these days.

I worked full time for 5 of the last 6 years on Windows malware research. Windows is a swiss-cheese joke of an operating system that won't progress because of a(n at this point pathological) need for 20 years of backwards compatibility. Microsoft: make use of that XP mode VM and extend that trend forwards, you fools.


Perhaps so, but at least it would keep some of the malware out.

Another option would be to put her regular use to a VM that you control (remotely) and can restore to a clean state at any time...


I'd like to see some kind of way to lock the system for older folks. I'm tired of troubleshooting my dad's computer. He doesn't even do so much as adding bookmarks, his machine exclusively browses the web.

I'd like to get everything he needs installed and lock out modifications. Needs cookies obviously, but not much else.

Somehow he manages to have video player issues in every single browser that I can't figure out. He has to watch youtube in chrome, live streams in firefox, etc. It's really dumb. Buying him a chromecast improved it some, though, by avoiding it.


Such limitations are of course possible. Perhaps you should look up what you can achieve by running secpol.msc.

(Myself, I find that model complex and unintuitive, being used to the Unix way, but everything has its learning curve.)


I bought my mom a Chromebook under similar circumstances. She absolutely loves it, and had zero difficulty switching, whereas she was previously even uncomfortable turning laptops on or off.


same situation here. I convinced my mother to just get an Android based tablet and ditch the laptop. This seems to be working better for her & me :)


Use some software with which you can do remote maintenance on your parents' computer(s).

Or, introduce them to more stable OSses, like Ubuntu instead of Windows. That worked for my neighbours ;-)


I've thought about Ubuntu...but it's a comfort thing. I'm afraid that telling my parents "hey so this new thing is more stable...." and it'll just trail off after that. For now, I'm afraid, I'll just keep fighting the good fight.

Remote maintenance is probably something I should look more into.


TeamViewer is a godsend for remote assistance. Free for personal use, paid for business.

Though I admit I am starting to worry about the program itself as it's now warning about "missing antivirus" and such, but it's not gone over the deep end just yet.


Agreed, but on the other hand, TeamViewer is a man-in-the-middle by definition, and a definite no-no for the seriously security-conscious.

For maintaining your mother-in-law's computer it's perfect.


Personal experience: my mother runs a Thinkpad T400 with Lubuntu and manages just fine. For many people, the look of the operating system doesn't matter much. As long as she knows where to open the browser and the email client, she's good.


Oh no, I'd say this is still mildly scary. Wait until cars get the same computing capabilities. Then you should fear it - fear for your life even.


ARTICLE IS UNMARKED PDF

(PDFs can be malware, too.)


I originally discovered this issue a month ago when debugging my friend's Lenovo laptop. Neither chrome nor IE can render battle.net correctly because the HTML injection is not properly escaped. Since the problem persists after a fresh recovery, I guess it's from some pre-installed software. I almost reported it to FBI.


Shouldn't Lenovo be guilty of hacking and illegal wiretaps?


They should be put in front of a court. With they I mean the management of Lenovo, together with the management of Superfish.

Everything else is not acceptable.


To be guilty of wire fraud, Lenovo must have intent to defraud the user out of money. It will be tricky to prosecutte.


Placing their ads on a site where the user believes they are something else (e.g. Google search ads) has to qualify.


The law that would make this criminal would probably make innocently shipping software with security holes criminal as well.

(There are some people in the industry who call for this. I am not one of them.)


Should this fall under the original brief of the NSA? (Ironic, I know). I realize that FBI traditionally does "domestic" and CIA "foreign" -- but I seem to recall NSA has something about "cybersecurity threats" or some such nebulus thing in their mission statement?


No. The FBI handles cybercrime. The NSA is under the DoD.


But this isn't (just) cybercrime. This could be seen as weakening the ("cyber"-)infrastructure. But maybe that's just under "Homeland Security" now (of which FBI is a part?)?


Not only did I have to remove the certificate from my root authority in the control panel, I also had to remove it from my list of certificates in Firefox. This was after uninstalling Superfish. Once I did all of these things, and cleared my history and cache and all that, the website that folks have been linking said that it didn't detect Superfish (sorry, I'm typing this from a phone).

So my explanation wasn't very technical, but I feel as though the part of the process where you also remove the certificate from Firefox had been left out, and I wanted to share it in case it helps out another person.

This news took me by surprise, as I just received a brand new Lenovo Yoga 2 for work last week, and it had this vulnerability.


You're right. Further discussion in that bug and on twitter [1] confirm that Firefox is affected after a restart. The author of this didn't restart.

So any removal instructions which don't include clearing out Firefox's certificates are incomplete. This includes Lenovo's published instructions.

[1] - https://twitter.com/FiloSottile/status/568600661534875648


Here is a bit of article on Foxes and Fishes: http://arstechnica.com/security/2015/02/how-to-remove-the-su...


the website that folks have been linking said that it didn't detect Superfish (sorry, I'm typing this from a phone)

The website you're referring to, is https://canibesuperphished.com/​


Another useful website is: https://filippo.io/Badfish/


This is the one I was thinking about and implicitly referring to. Thanks for posting.


This is a PDF attached to this issue, requesting blacklisting of the Superfish certificate:

https://bugzilla.mozilla.org/show_bug.cgi?id=1134506


I'm somewhat puzzled by the single certificate. Couldn't they have generated a new signing request and self-signed on each machine - at least ensuring that each customer has a unique cert for their proxy?


These guys aren't the brightest bulbs out there. You could even have it switch certificates on every reboot... or not do this in the first place. ;-)


> or not to do this in the first place.

Are there other options besides installing my own root certificate?

Assuming I want to write software that legitimately MITMs all HTTP and HTTPS traffic (parental control, ad blocker, anti-virus scan for webpages...). I want it to be browser independent and work with browsers that don't support extensions.


Well, it's basically impossible in some cases to MITM while showing the same certificate without re-building a browser. So your best bet would be to modify existing browsers. That said, if content modification isn't required -- and all you want to do is snoop on SSL, you can use SSLKEYLOGFILE in NSS-based browsers like Firefox and Chrome. If legitimate, I'd prefer going the extension route: people want you in their browser, so you can walk them through whatever it takes to install you, or provide pre-made profiles with you enabled. The point of encryption is to avoid spying and while most users (as evidenced here) don't actually check that the HTTPS website certificate is what it claims to be, pretending to be the same site is about all you can do to modify content and MITM. I'd also point out that the problem here isn't so much that they're MITMing as that they're doing it really, really poorly. Of course, any backdoor could be used by others -- even your SSLKEYLOGFILE. ;-)


More so I haven't heard very convincing reasons for MiTM even in other settings, and certainly in this case that they choose not to be deployed as an add-on - has to do with avoiding detection and removal, which is malicious - and that's not only conjecture, they actually market themselves that way in places:

Komodia’s Watchdog

The Kernel protection watchdog is used to protect Komodia’s Redirector files from being deleted/modified, lsp from being uninstalled and also protects the main process will not be stopped.


It's fine to proxy HTTPS.

But when you do so, you assume big responsibilities. You have to do all the stuff the browser does, and even lots of security people, if you sat them down and told them to write everything a browser does, would probably forget a few important things. (The browser security folks are exceptions.)

The top post on this page ('patcheudor) is from a researcher who reports that Superfish wasn't doing proper validation of certs, meaning we didn't even need to extract the private key from the binary to forge www.paypal.com.

If I spun up a stupid fake cert for www.paypal.com last week, with no knowledge of Superfish whatsoever, someone from a Lenovo computer would not get certificate warnings.

The more people look at this, the worse it gets. It's a fractal of bad security.


From what I understand of Superfish, Mozilla (and other browser vendors) can't just blacklist the certificate. That would make all HTTPS connections error out. A message notifying users of the issue is all they can do.


They definitely can blacklist the certificate.

They have the choice of having HTTPS effectively useless (by leaving the certificate there), or making HTTPS not work (by removing it, thus prompting action from the user to fix it -- perhaps by calling their tech savvy nephew).

Browser vendors should (and usually do) err on the side of security.


Or the users just switch to a browser that works. IE or Chrome :(


Most Firefox users switched away from those (or didn't switch to them) because it works better for them - including security wise. I suspect that won't be their first course of action.


One way would be to bypass the proxy if it's detected as a Superfish proxy by its certificate, but somehow I feel like this isn't a problem the browser vendors should be doing extra workarounds for (and giving precedence to "if we don't like your proxy we'll ignore it" isn't a great idea either.)


It doesn't appear to be implemented as a user visible proxy, it modifies the network stack. From:

https://twitter.com/matthew_d_green/status/56843703790644428...

Probably not a proxy; probably low-level socket interception in Windows.

So there isn't much the browsers can do to help the user.

At least the technical side of Lenovo's response is all the way to "We are writing a program to remove the certificates", which is probably the thing that is going to impact the most people.


That's not their problem. It's Lenovo who'll be getting the support calls for their defective, sorry, "enhanced" product


If the user installs a Firefox update and then all their HTTPS connections stop working, most users will blame Firefox unless the error messages are very specific about Lenovo's involvement, which simple blacklisting won't do. Users who follow technical news and understand the problem will already have removed the certificate manually (and removed the proxy).


I doubt it. Most non-techie users will probably not get around to installing another browser, so seeing that neither bank nor gmail nor facebook works, they'll blame their ISP.


But most people already have IE installed!


On the other hand, this is making the news.


Isn't this the sort of thing that Microsoft should be removing with the malicious software removal tool as well?


Shouldn't Lenovo be issuing a recall and pulling all the inventory in their distribution channel? In other words, Best Buy shouldn't be selling these things!


I believe Lenovo's official statement previously said "We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns." However, it now has a link to LEN-2015-010, a high-severity security vulnerability.

http://news.lenovo.com/article_display.cfm?article_id=1929 https://news.ycombinator.com/item?id=9074676 http://support.lenovo.com/us/en/product_security/superfish


They didn't even close all their parentheses.


Pulling unsold inventory would be in some ways far harder to do for the consumer computing industry than many other industries more commonly known for recalls (auto, pharma, etc) - these laptops won't just be sold at the large outlets that have properly managed supplier relationships with Lenovo, they'll also be sold at innumerable tiny independent stores, that probably got their stock from a reseller - or even a reseller of a reseller. Thus tracking down all the stock and issuing recall notices would be hard.

But recalling already-sold inventory? Even disregarding the difficulty and inconvenience, this would be a terrible idea. In order for them to be able to remove this, they'd need to be able to log in to your computer, and change the security settings, as well as modify the recovery partition. I doubt I need to explain why giving your login credentials to Lenovo is a terrible idea!

In reality then they've done the only reasonable thing they could do - post a statement with clear removal instructions. They didn't have a lot of choice admittedly, so I'm not particularly lauding them for this - once you've made enough of a mistake to appear in mainstream media (the story was on the BBC website, and there was a fairly large article in my newspaper this morning), you can't really get away with doing nothing if you'd like to continue selling laptops.


In order for them to be able to remove this, they'd need to be able to log in to your computer,

They could offer to re-image the hard drive with a non-infected image.


It's not in Lenovo's interest to voluntarily recall anything, unless they wanted to save face, but I would imagine consumer expectations on Lenovo are different than, say, a car manufacturer.

But unlike a car manufacturer, I doubt any governments will compel them either... since this kind of thing is exactly what a government would want.


You are absolutely right, but frankly, they never should have sold them to begin with.


According to the Wall Street Journal [1], Lenovo are going to release a program that completely removes Superfish from their PCs.

> WSJ: What are you doing now to ensure the security of people who bought Lenovo laptops with the Superfish app?

> Hortensius: As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.

[1] http://blogs.wsj.com/digits/2015/02/19/lenovo-cto-were-worki...


Also from this Article:

❝WSJ: Isn’t the best prevention tool to simply stop pre-loading any software on Lenovo computers?

Hortensius: In general, we get pretty good feedback from users on what software we pre-install on computers.❞

Probably it would be a good idea, if this is really what the company things is true, that upon first boot a menu is opened asking for the particular programs to install?

    Thanks for buying a Lenovo product. To get the most out of
    your new high-performance mobile workstation, the following
    software products can be installed free of charge by ticking the
    check-box and clicking 'Next'.

    [x] Superfish Ad-Injector, making your web-browsing experience
        miserable and yourself vulnerable to Man-in-the-Middle-Attacks
        when doing facebook and online banking.

    [x] Limited trial of Super-High-Security-Internet-
        Security-Anti-Vius which will constantly nag you about paying
        for the full product

    (...)


Yes to both.


Bullet point 4 is what I'd been wondering about:

• The Superfish proxy accepts its own certificate, so now that the private key has been leaked, an attacker can mimic an arbitrary site in Chrome and IE

I thought there might be a chance that despite all the other idiocy here, they might have refused external certificates from their own CA, mitigating the risks somewhat. But no suck luck for Lenovo customers!


The Superfish proxy accepts any certificate. If you're being MITMed (before Superfish MITMs you), Superfish will help them by replacing their certificate with Superfish's.


I don't believe that's true, but if so – for example if it replaces self-signed certs, or certs from any untrusted CA, with its own (force-trusted) cert – then that would be worthy of another scary explicit bullet point.

(It might just accept all CAs locally-configured, and it's accepting its own because they didn't special-case a rejection.)


It's TRUE, confirmed, and replicated by others. See my other post to this parent. And you are correct, this is worthy of another scary explicit bullet point!


It is true. I can't remember where I read it, but I remember seeing it either here on HN or on Twitter.


Komodia's own info says that it will generate an invalid certificate if the real certificate was invalid or untrusted "so it will not cause a security problem". They may be lying, but that page is fairly open about the way it works:

http://www.komodia.com/wiki/index.php?title=SSL_Digestor#Cer...


I wouldn't go as far as say lying, they just failed to consider the SAN. Unfortunately they pulled the doc, possibly due to what they claim to be a DDOS but it's still in Google cache:

http://webcache.googleusercontent.com/search?q=cache:XUbVSX8...


'SAN'?



SubjectAltName.


And this matters because even if you uninstall the program, it leaves the certificate behind, right? So you have to manually remove the cert to shield yourself against future attacks, in addition to removing the program


Not that this excuses Lenovo in any regard whatsoever, the removal instructions[1] Lenovo link to in their press release[2][3] includes the removal of a certificate.

[1] http://support.lenovo.com/us/en/product_security/superfish_u...

[2] http://news.lenovo.com/article_display.cfm?article_id=1929

[3] http://support.lenovo.com/us/en/product_security/superfish


Good, though TBH, it didn't include removal of a certificate just few hours ago. I guess they're breaking under the pressure of PR shitstorm.


That would have been comical, considering uninstalling doesn't remove the root cert, so a user would have been more secure with superfish installed than uninstalled.


Nope. Look at my reply to the parent. The Superfish solution is not properly passing the validation state of the public cert provided by the cert to the browser. As a result its fairly trivial to MitM HTTPS without need of the private when the Superfish software is installed. To be clear, it is absolutely worse to have Superfish installed than to have it removed.


I find it a bit weird that it can MITM https://www.google.com/ on Chrome. I thought Chrome did CA-pinning for Google-domains.


Chrome does do pinning, but ignores pins when the cert parent is a privately installed cert (because this is a "feature" used by many enterprises).

"""

Chrome does not perform pin validation when the certificate chain chains up to a private trust anchor.

A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites.

'Data loss prevention' appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning.

"""

See: http://www.chromium.org/Home/chromium-security/security-faq#...


And the rationale:

"We deem this acceptable because the proxy or MITM can only be effective if the client machine has already been configured to trust the proxy’s issuing certificate"

I think that's fair, or at least it has traditionally been a fair assumption for most users.

The issue here is that your hardware vendor has compromised your machine, so that is no longer a fair assumption.


Well continue the process. Suppose Chrome did flag such things. That'd break a lot of "legitimate" use cases, and someone would implement a workaround. For instance, they could just patch the Chrome binaries to disable the warnings or change the pinning logic. Insert their own certs into the pin list. Without something like Intel SGX, you or Google can't totally win.

Of course, Chrome could give some indication like a lock+eyeball or something, and hope the interception vendors are too lazy to bother modifying the code. They could also only disable warnings if the machine is connected to a domain or other management system.


There's another issue with ignoring cert pining with user-added root certificates: if you add a root certificate that's missing on your client machine (for instance CAcert or your national CA like ICP-Brasil), the CA you added can bypass pining, even though it shouldn't be able to.

On Mozilla, you can configure it to never bypass pining (security.cert_pinning.enforcement_level set to 2, see https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinn... ); I don't know how to do it on Chrome.


TIL Google is ok if you get backdoored by your boss.


The company I work for has a strict policy of no direct outbound connections from the corporate network. This is to prevent (or just make harder) for compromised machines from "phoning home".

This has the unfortunate side effect that all internet traffic must go through a proxy, they have to MiTM SSL traffic.

I just use my smartphone's data for any personal internet browsing.


Well you don't have to MITM SSL in order to proxy it, it can be done in other ways. They probably choose to do so in order to see the details of the request.


Correct, the firewall intercepts all traffic looking for potential compromises and blocks it. Given all these corporations getting hacked, such measures seem necessary.


Conclusion does not follow from premise. Once an attacker's code is running on machines that have access to sensitive data, you've already lost - there's no way to prevent it smuggling the data out in legitimate-looking requests. The right way is to stop the bad stuff getting in in the first place.


Not all attacks are perfect. It's true that an attacker can potentially do anything once in control of machines with sensitive data, but it doesn't mean that all hope is lost. If an intrusion detection system catches some x% of potential threats, it can easily be worth it.


The goal is to slow them down, put as many barriers as possible allowing higher chances of detecting them. Intercepting and blocking known "phone home" messages is one way to slow them down.


btw, I took a look at google's cert in my corp network and we are getting the real one from google, so my corp is not MiTM SSL traffic from some sites right now.


I wouldn't say that's a side effect. The point of the policy is to allow the observation of website traffic to make sure it's normal.


What does your company do if you have to access a TLS site which uses client certificates for authentication? AFAIK, client certificates don't work when there's a MITM on the TLS traffic, since the MITM proxy doesn't have a way to produce a client certificate that will be accepted by the server.


Are compromised machines on your corporate network a common problem? It seems like the problem is the compromised machines, not the phoning home. :)


It's called defence in depth. If you can prevent 99% of malware infections and can prevent 75% of malware from phoning home, you have a 99.75% confidence (1 in 400) of not having a data leak due to a compromised machine. That's 4 times better than only preventing infections.


I'm pretty sure the real reason is managers not wanting their employees to do private browsing while at work.


If your boss owns the tools with which you do your work, they have the right to dictate how you use them.

Use personal devices for personal computing.


Not in Germany, not if there is even a minimum amount of using the computer for private purposes permitted.


That's interesting. So if it is forbidden to use the computer for anything personal, employers are allowed to snoop?


Perhaps a legal right.

The line between what computing should be done on what device is blurry in both directions -- it's not just "people do personal computing on corporate devices". It'd be a bit strange to hear a boss tell me to never browse Amazon or Hacker News during lunch.


I think it's wise to assume corporate-owned devices are just that: 0wned by corporations.

I use my work laptop all the time for a variety of things, but I do so under the assumption that the company may be snooping on me. (No idea if they are or not.)


Exactly. It's a work machine, used for doing work. I don't do private/personal/secure things on it, as it's not my personal computer. Browsing HN or w/e isn't really a private activity, so I don't mind it being snooped.


I wonder why people are downvoting you. It's a good point and not something everyone has explicitly considered before.


Common practice in some workplaces.


If it's my boss's machine, yes, my boss gets to do it.


Thank for bringing this to my attention.

I guess I should look into the Chromium source to disable this MITM "feature"... I'm really too busy so if anyone else does this I'd much appreciate a patch.


Because that's not exploitable or anything.


Maybe it triggers the logic that allows (supposedly) user-added certs to override those pins? (Google was pressured into adding such logic by corporate users, whose IT departments want to -- supposedly openly -- MITM employees' connections.)

Edit: I think that's the case. AGL's original announcement of pinning said:

"There are a number of cases where HTTPS connections are intercepted by using local, ephemeral certificates. These certificates are signed by a root certificate that has to be manually installed on the client. Corporate MITM proxies may do this, several anti-virus/parental control products do this and debugging tools like Fiddler can also do this. Since we cannot break in these situations, user installed root CAs are given the authority to override pins. We don't believe that there will be any incompatibility issues."

https://www.imperialviolet.org/2011/05/04/pinning.html

If Chrome thinks that this was a "user installed root CA", it would have been allowed to override the pin. (Disclaimer: I haven't checked that this is right, I'm just using my recollection of how this could work according to AGL's account.)


> Google was pressured into adding such logic by corporate users, whose IT departments want to -- supposedly openly -- MITM employees' connections

"openly"? Why doesn't the user see that a fake certificate is being used then? There is no excuse for not showing a big fat warning.

This only shows which side Google is really on when it's evil corporations vs. you, the user.


"openly" usually means "it was burried in a paragraph on page 25 of the 3rd addendum of their employment agreement".


Ah, That explains it. Thanks! And to semenko too.


It points to an interesting problem that, while browser vendors officially think that users ought to be notified when someone is using an intercepting proxy -- that it shouldn't be invisible to them -- when users aren't installing their own OS or configuring their own browser, it could be completely invisible in practice.

So the IT department-installed or OEM-installed cert is treated as "user-installed" by the pinning logic, and the user never actually gets warned.


As someone who respects your work, I would suggest that perhaps the more interesting problem is EFF's structural inability to do anything but apologize for Google policies and practices that clearly and obviously harm user freedom and privacy.


This isn't right though.

I got a Lenovo Y50 a couple weeks ago, and when I downloaded Firefox and looked at the certificate, it was Superfish.

I've since uninstalled Superfish and deleted the keys (I exported them first though). I know I probably should reinstall Windows but I'm too lazy.


I will never again consider buying a Lenovo neither for myself, nor any company I am with. I'll also make sure to recommend another brand to anyone who asks my opinion. What an absurdly stupid business decision.


Shouldn't the content providers strike back, in order to stop such things as a business? E.g., a class action against those vendors who pre-install said software. Determine the average share of traffic of these machines, use average Adsense-earnings to determine the damage ... Globally, this might add up to something that would be suitable to take even a major corporation out of business ...


It would be interesting to try any of the Lenovos at a Microsoft Store (say at San Francisco Center) and see if they also contain this malware.


Lenovo too smart in laying down the removal instructions under their security advisors today!!


Any idea why it doesn't affect Firefox?


Firefox has it's own certificate store. Both IE and Chrome utilize the Windows store.


But as pointed out in other comments, it looks like SuperFish does install the extra cert in Firefox's database too, but only after a restart.


Great research and I like the level of detail

But why take actually photographs of the computer screen instead of just using native screen capture? The lights and reflections are super distracting. A minor nit, yes but still...


This article crashed my browser.


PDF


Article is a PDF


PDF

Didn't Hacker News used to mark PDFs?


It marks PDFs if the URL ends in .pdf.


Flagged for being unmarked PDF.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: