This is a great move, but given my history I found this quote funny:
"Finally, a word to software authors who might be considering SSL interception: If you want to add features to the Web, don’t intercept, make an extension. All of the major browsers offer extension frameworks (see these links for Firefox, Chrome, IE, Safari, and Opera)."
It's funny because the whole intercept thing is an escalation between ad networks and browser writers.
Basically, if you can simulate a search engine and get someone to put ads on those pages, you can make a bit of money. Back in the day it was all about creating a toolbar that had some features and, oh by the way, changed your default search engine. Didn't matter whether those results came from Google, Bing, Blekko, or more recently Yandex. The money was made when the person clicked an ad. (And yes, the search provider got some form of remuneration, either for returning the results or as a share of the advertising revenue, or both in some cases.)
But given the abuse of the extension ecosystem, all of the browsers now have really strong protections against switching your search choice, and if you can't do that the toolbar is pretty worthless. So to continue in their business of providing ads when they were not wanted, the folks in "Download Valley"[1] switched to trying to get between you and your search engine of choice and then "helping" it with a few more ads.
[1] Hat tip to Matt Cutts who clued me into that particular name for the cluster of folks who build all this adWare.
I would say the entire mechanism for extensions that can interact with pages is broken.
First, taking Chrome as an example, extensions are given the permission to see, track and interact with all pages loaded in the browser. Essentially, they can inject code, but they can also directly pull data from fill-in forms and other places.
Of course, these are the things that people use extensions for, so the ability to modify pages makes sense. Take one of the original extensions that was used to modify pages at runtime, Greasemonkey. It was designed to attach a user.css to the page, or to run a transform on the page and inject specific DOM elements. Of course, there was nothing stopping an injected piece of script from posting data to a third party, but a cursory examination of the particular Greasemonkey customization would show that immediately, and the script could be flagged and removed from the collection.
Now we have extensions that do much more than these user scripts did in Greasemonkey, and they are self-contained and harder to break apart and study. Two examples: Feedly, which is my chosen replacement for Reader, has an extension which places a Feedly icon on every page. It doesn't add it to the browser chrome but actually adds it to the DOM of every single page that loads. A similar example is a Chrome extension for managing cookies, which had a donation function that placed links on pages to donate to the project or something of the sort. Either of these could be accomplished with a small installable transform, and neither required the extension itself to have access to the DOM; the transform script could have handled the limited functionality of enumerating RSS/ATOM links or whatever the other extension did. But both of those extensions requested the amorphous permission of modifying every page you access.
In Firefox, at least until recently, unsigned extensions could execute native code in the form of XPCOM libraries; they could modify the entire chrome and run with the same permissions as the browser itself. They could intercept not only DOM calls but low-level calls in browser JS files, which also ran with chrome permissions.
By reading a configuration file for a unique string, or, in some cases, guessing, you could find a path where placing a zip file or directory was enough to install an extension, so these extensions rode alongside installers for applications, BHOs in Internet Explorer that also installed themselves into Firefox, and other places that would have a chance of destroying a user's experience and perception of Firefox.
That's why browsers suck as a platform - as a (power) user, what I want is more powerful extensions. Security limitations seriously hinder the usefulness of things - but we need them because the Internet is a hostile place, full of criminals and assholes (like the companies we're talking about here and their ilk) looking to take your hard-earned money from you.
> It's funny because the whole intercept thing is an escalation between ad networks and browser writers.
...and what I think is more unfortunate, those who do interception to filter out ads and other crap are caught in the crossfire.
Browsers have extensions, but having to write and/or install one for each browser you use (which can be several, particularly if you're a web developer) and keep them in agreement with each other is a pain. It doesn't work for the browsers that are either embedded in apps or don't support any extensions (mobile...), and the abuse of extensions has led to a situation in which browser vendors are trying to control what extensions you can use:
What you can do in an extension with respect to blocking content is also limited by the fact that e.g. a div to be removed would have to be parsed and loaded by the browser before an extension could work on and remove it, whereas a filtering proxy could strip it out completely and spare the browser from having to read a single byte of it.
In light of that, I see their "make an extension" statement as basically saying "instead of doing something more generic and cross-browser, we'll tell you to use something that we can have more control over, because security." No thanks.
It would have been a lot better if they'd broken superfish even if installed -- they're potentially leaving the least technically savvy people vulnerable.
People are getting mad at Lenovo for making people's laptop vulnerable to MITM attacks. But what I don't get is why people are not even more mad that Lenovo is injecting ads on their private computers.
Since when is it a thing that some laptop brands would put advertisements on your software? How come people still buy Lenovo if they do that?
Why would they be even more mad about the ads? Injecting ads is sleazy and deceptive, enabling MITM attacks is actually dangerous. You're right though, the ad injection by itself is still pretty sleazy even if it were perfectly safe. I think it just got overshadowed by the security concerns.
Heck, it's insane to me that most PC manufacturers slap a bunch of big ugly stickers on most of their laptops so they can make some absurdly small amount of extra revenue on a product that costs hundreds if not thousands of dollars. Willfully endangering users for a similarly marginal profit boost is so much worse. I have no idea why anyone would buy stuff from such a company.
Probably because the MITM vulnerability is horrible sloppiness, but the ad serving is done with the malicious intent of continuing to extract revenue from users that just ponied up a couple thousand dollars for the laptop to begin with.
I've read people saying there's no way developers didn't know what they were doing WRT the MITM vulnerability. To them I say "you've never worked for a giant corporation." Security holes are second in volume only to spent Keurig pods.
However, the choice to turn someone's entire computer into an adware mechanism was explicit and just really sleazy.
I believe the possibility that a developer capable of understanding and creating this local MITM not being aware of the wider security implications is near zero. That would be like a scientist understanding nuclear fission and bomb making not knowing that detonating it in the middle of a city would cause a lot of deaths...
The MITM framework was created by a separate company from the company that developed the specific piece of software. Just like you don't actually have to have a clue how a web server works to write a Rails app, the Superfish developers bought an off-the-shelf MITM framework and used it, which doesn't require much thought.
<< Since when is it a thing that some laptop brands would put advertisements on your software? How come people still buy Lenovo if they do that? >>
For more than a decade, and almost all OEMs do this. Norton antivirus was the most widely distributed software in the late 00s, paying close to a dollar per install to OEM partners, and then aggressively advertising paid upgrades to users.
Back in the old days, Norton was the first thing I killed off of customers' PCs. Funny how much faster the machines were even after installing another antivirus.
Indeed. And not that it was easy to kill; I'm pretty sure it had some hardcoded delays in it, because I can't think of another program requiring so much time and annoyance to remove.
And in my books, this is clearly malicious behaviour from a corporation - think of all those productive hours in the entire world wasted because someone decided to ship some crap that then customers had to remove themselves to fix performance.
I know it's capitalism, that people are allowed and encouraged to fight with each other (er, compete) for money, but at least let's be explicit about it. It's funny how a company can punch you in the face and make you think it is normal. It's not. You just got punched in the face, you have a right to retaliate.
If you believe what Lenovo is saying, they started removing the software 6 weeks ago (4 months after they added it to their images) because people were complaining about it injecting ads.
I think they had also already turned off that behavior, the 'it no longer talks to the server' in their statements.
Is there a way to check if any non-standard root CAs have been added to my browser, without going through them one by one and comparing them to a fresh install? If not, is there at least a button to reset the list to a blessed-by-Mozilla default?
Because it's not just Superfish we need to be worried about. It's too easy for arbitrary programs to add root CAs to browsers, even if they aren't pre-installed by the hardware manufacturer. A while ago, I installed Avast! Antivirus on a Windows PC and found that it did exactly the same thing: injecting its own root CA into every browser (including Firefox) so that it could MITM all https connections.
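One way to answer the "without going through them one by one" question for Firefox, as an added example that is not from the thread: Firefox keeps its own NSS store, which the NSS `certutil` tool can list, and Mozilla's shipped roots appear there under the `Builtin Object Token:` prefix, so anything else trusted to issue SSL certs is a user- or installer-added root. The listing below is constructed sample output, not captured from a real profile.

```python
import re
from typing import List, Tuple

# Constructed sample of `certutil -d sql:<firefox-profile> -L` output (NSS tools);
# the nicknames and trust flags are made up for this example.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:DigiCert Global Root CA                 C,C,C
Builtin Object Token:ISRG Root X1                            C,C,C
Superfish, Inc.                                              CT,C,C
Example Corp Proxy CA                                        CT,,
example.com                                                  ,,
"""

# NSS trust attributes: three comma-separated fields (SSL, S/MIME, JAR/XPI).
# 'C' = trusted CA for server certs, 'T' = trusted CA for client certs,
# 'P' = trusted peer, 'u' = user cert (private key present).
TRUST_RE = re.compile(r"^[pPcCTu]*,[pPcCTu]*,[pPcCTu]*$")
BUILTIN_PREFIX = "Builtin Object Token:"  # nickname prefix of Mozilla's shipped roots


def parse_listing(text: str) -> List[Tuple[str, str]]:
    """Return (nickname, ssl_trust_flags) for every certificate line in the listing."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header and blank lines carry no trust-attribute field
        nickname, flags = parts[0].rstrip(), parts[1]
        entries.append((nickname, flags.split(",")[0]))
    return entries


def find_unexpected_ssl_roots(text: str) -> List[str]:
    """Nicknames trusted to issue SSL server certs that are not Mozilla builtins."""
    return [
        nick for nick, ssl_flags in parse_listing(text)
        if "C" in ssl_flags and not nick.startswith(BUILTIN_PREFIX)
    ]


if __name__ == "__main__":
    for nick in find_unexpected_ssl_roots(SAMPLE_LISTING):
        print("non-builtin SSL root:", nick)
```

Run against a real profile by piping `certutil -d sql:<profile dir> -L` into `find_unexpected_ssl_roots`; a corporate root you installed on purpose will show up too, which is the point: the list should be short and every entry recognisable.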
Corporate IT with their own root CA is a special case that has nothing to do with the vast majority of Firefox users. For the rest of us, it would be very helpful if Firefox shipped with an independent certificate verification feature by default. Corporate IT can feel free to disable it at their own risk.
What we really want is some way to be able to check the fingerprints to make sure that the cert that's being used is the expected one. This unfortunately doesn't seem possible without some out-of-band communications system.
Here in Thailand the junta promises to MITM all TLS traffic. I doubt it can be stopped, but it would be good to at least be able to see when they do it. I don't see sites publish their certificate fingerprints anywhere which would at least allow some form of manual check.
It might be enough to be able to get the browser to tell us when a certificate changes -- this would need to be opt in of course.
> I don't see sites publish their certificate fingerprints anywhere which would at least allow some form of manual check.
That's exactly what Google and the like are building in Certificate Transparency (http://www.certificate-transparency.org/). It's basically a log of all modifications on any certificate chain that can be monitored by anyone who is interested, so that misissuance can be detected.
There's also the old Perspectives project, whose idea was forked into Convergence (https://en.wikipedia.org/wiki/Convergence_%28SSL%29) by good ol' moxie. The idea: any number of independent entities run notary servers, and when you get the certificate for a domain you also ask those notaries for the certificate for the same domain; if they have the same certificate, it means you all have the same "view" of the domain, so everything is probably ok. If they differ, maybe you (or they) were MiTM'ed.
Oh, and of course "publishing certificate fingerprints [somewhere]" is basically the idea behind DANE. So the idea is hardly new. The implementation, now ...
The answer is certificate pinning. For example, it is impossible to MITM google services if you are using Chrome because the correct public keys are hardcoded in the browser itself.
If the site certificate is not pinned, you can use a 3rd party service hosted outside the MITM proxy to compare certificate fingerprints (such as https://www.grc.com/fingerprints.htm).
Why don't browser makers add a function where the browser would tell you if your SSL connection is being intercepted? It's trivially easy to check: all you need is a known good site to sign a message with the cert of a specific CA, and if the browser sees it's signed by anything else, it would throw a warning. Chrome already does something similar with cert pinning.
Because the next Superfish will just let that one site through and intercept the rest. (If you don't believe me, take a look at the arms race around captive portal detection, and captive portals don't even have the convenience of running on the same computer and being able to add SSL root certs.)
Alternatively, the next Superfish could just patch that check out.
Many captive portals don't want to be detected in a separate flow. OS X, iOS, Android, Chrome, Windows 8, etc. all notice if you're running a captive portal, and pop up a separate browsing window: as soon as you can reach the portal, they kill the window and let you get back to your work.
But if the portal was going to redirect you to some ads or other "value-added" content, then they may not want that window to be killed. My former local Barnes and Noble would explicitly whitelist Windows' detection URL, so that they could redirect you to the BN home page instead of to the page you were trying to visit.
And seriously, let's admit it - the "value added" thing is bullshit, and captive portals are mostly either useless (TOS that no one reads anyway) or evil ("value added"). And as I see a few of my cow-orkers working on a captive portal right now, I can't help but think that marketers indeed live inside a strong reality distortion bubble, not realizing that the product they want is making everyone's life worse.
I've read a lot of conflicting information about this. One source says Firefox doesn't use the windows store, so it's not affected. Then this says it is affected. But how? Are Lenovo laptops coming preloaded with Firefox? Is it happening after the fact?
Firefox doesn't use the Windows certificate store. The Superfish installer will add its certificate to Firefox's store if Firefox is already installed, but it isn't on Lenovo laptops.
>In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores.
I'm really not an expert. Can someone please explain what this means? How is Lenovo able to modify firefox to intercept web connections? If Lenovo can do this, can anyone? How can I check firefox hasn't been tampered with before I download it?
How do you know that the hash files are good? Well, you check the signature of the files with the public key provided.
One of the more advanced things Mozilla is working on is verifiable builds. Which means that given the source code, the exact same compiler, and configs, one can end up with the same build that you did, which would pass the same hash tests because it is bit for bit identical.
Now you have software that you can trust is from the source provided. However you are still not safe from what superfish is doing.
Superfish is not tampering with Firefox on download. It has a service that checks for new browsers. When it sees one it inserts its certificate authority (CA) into the browser's CA data store. The second part is that they force all the user's network traffic through a local proxy:
You <=> superfish proxy <=> the internet
There are ways to detect this 'man in the middle'. The user can keep a list of certs and which sites they belong to. The browser can do this too which is called key pinning. The browser could warn the user on cert changes. It is difficult for users to make informed decisions as certs are replaced all the time for legitimate reasons. It also fails to catch the preinstalled superfish scenario.
SSL works by verifying a certificate against an authority, so if there is anyone you don't trust on your list, you can't trust the site you are visiting. Superfish distributed their private signing key everywhere, protected only by the simple 'komodia' password. Now anyone can pretend to be them. Operating systems install their own list of authorities, but Firefox maintains its own. Other Komodia products are also vulnerable.
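The "keep a list of certs per site and warn on change" mechanism described above, as an added example that is not part of the thread, including the failure mode it names: a machine that shipped with the proxy pins the proxy's certificate on first use and never sees a change. The certificates are constructed byte strings standing in for DER, since only their SHA-256 fingerprint is used.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for DER-encoded certificates: arbitrary bytes, not real X.509.
REAL_CERT_DER = b"constructed: example.com leaf cert issued by a public CA"
PROXY_CERT_DER = b"constructed: example.com leaf cert minted by the local proxy"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes as colon-separated hex, the form browsers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


class PinStore:
    """Trust-on-first-use record of host -> certificate fingerprint."""

    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}

    def check(self, host: str, der: bytes) -> Tuple[str, str]:
        """Return (verdict, fingerprint): 'first-seen', 'match' or 'changed'.

        'changed' is a signal, not proof of interception: sites rotate
        certificates legitimately, so the user still has to decide.
        """
        fp = fingerprint(der)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            return "first-seen", fp
        return ("match" if known == fp else "changed"), fp

    def accept_rotation(self, host: str, der: bytes) -> None:
        """Replace the pin after the user has confirmed a legitimate change."""
        self.pins[host] = fingerprint(der)


def demo() -> List[str]:
    """Walk both scenarios and return the verdicts in order."""
    verdicts = []
    clean = PinStore()  # pin recorded before any proxy existed
    verdicts.append(clean.check("example.com", REAL_CERT_DER)[0])   # first-seen
    verdicts.append(clean.check("example.com", REAL_CERT_DER)[0])   # match
    verdicts.append(clean.check("example.com", PROXY_CERT_DER)[0])  # changed: interception visible
    preinstalled = PinStore()  # pin recorded on a machine shipped with the proxy
    verdicts.append(preinstalled.check("example.com", PROXY_CERT_DER)[0])  # first-seen: proxy cert pinned
    verdicts.append(preinstalled.check("example.com", PROXY_CERT_DER)[0])  # match: nothing to flag
    return verdicts


if __name__ == "__main__":
    print(demo())
```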
I feel like it's better to not mention the password on the key. It could have been the best password in the world and it wouldn't matter. Local signing means the key can be extracted. Talking about the minor obfuscation of storing a passworded key in the same file as the password is a red herring that gives the wrong impression.
In short: It wasn't protected by the password. It was protected by nothing.
Good point. The important part is that it illustrates just how vulnerable Komodia products are. That password will likely get people access to other things as well.
> "We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites."
I would have thought that breaking HTTPS for these users is a superior outcome to allowing the continued use of broken HTTPS. If I were a n00b and it were my Lenovo laptop, I'd rather have my internet browsing fail.
From the blog article, note the last sentence in the quote below:
"Some other disinfection tools will remove Superfish from Windows, but not from Firefox. In order to ensure that these users are not vulnerable, we are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox. We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites."