EFF fears crims are getting smart to Superfish SSL flaws

The Electronic Frontier Foundation (EFF) says it has found evidence that the security problems with Superfish could be much worse than first thought. Superfish caused such a stink when it was discovered last week because the Komodia software it used borks SSL connections. But EFF researchers have found that the Komodia library …

  1. Anonymous Coward
    Anonymous Coward

    "Unless the Lenovo affair acts as a wake-up call to the industry then it's inevitable that we'll find more of this stuff."

    Well, considering almost every PC/Laptop is shipped with Windows, I think we're just used to it. That isn't a swing at Windows (and surely not a prop either), but seriously, who hasn't seen REALLY shady software that is somehow "bundled" with a windows product? No shit, if I buy a personal machine that comes with pre-installed software, I consider it to be fact that it's garbage.

    Of course not everyone knows this. Like my mother...no way she knows this. However, she also doesn't get the manual that is titled "The GNU guide to personal software". So, I can see reasons to cover this story, but isn't the lesson here not to buy Lenovo and move on?

    The only real question I have is: Did Lenovo or Superfish break any laws, or are they just pushing the envelope?

    1. Mark 85

      Whose laws would they be breaking? I think they were just pushing the envelope in the name of profit and that leads to sleaziness.

      A rethink says they broke the laws of trust and faith. We trusted that they would not compromise the laptop (any more than Windows already does) and we had faith in this.

      1. Robert Helpmann??
        Childcatcher

        Whose laws would they be breaking?

        A lot depends on where they are based, where their customers are, damage done, intent, and the quality of the lawyers involved. They might be liable for simple negligence or creating an attractive nuisance. Gah! I can't imagine taking this to a jury trial. Trying to explain technical info to a non-tech is bad enough. I would hate to have to do so with 12 at once through a trial lawyer acting as interpreter.

        1. Bronek Kozicki
          Windows

          Re: Whose laws would they be breaking?

          Some think that they broke wiretapping laws, at least in some states in the US. E.g. in California, wiretapping laws require consent of all parties, and there is no way a website (either journal, blog or banking) would agree to what Superfish was doing. It is arguable (likely, before the jury) whether wiretapping laws which were created for phone conversations, should also apply to HTTPS connections, but still. Certain laws might have been broken, and we are likely to hear more about it in the future.

          And there is also the question of consumer protection and privacy laws; while weak in the US, they are actually much stronger in Europe, where Lenovo has been doing exactly the same thing.

          A picture chosen to represent Lenovo's view of its consumers customers.

          1. An0n C0w4rd

            Re: Whose laws would they be breaking?

            @Bronek Kozicki

            As far as I am aware, there is already legal precedent for the wiretap laws to be used for Internet traffic, and it doesn't have to be for SSL traffic, *all* IP traffic counts.

            The trouble comes from the license agreement. As far as I understand it, enterprises can put fake SSL signing certs onto their computers so that they can intercept SSL connections at their IDS/IPS/filtering gateways so they can make sure that no malicious traffic is found because you likely agreed to it as part of the conditions of employment.

            If Lenovo put that in the license agreement (that no-one ever reads) then they *may* have a get out of jail free card.

            1. Tom 13

              Re: Whose laws would they be breaking?

              At best you have precedent for the US or EU, not worldwide, and I don't think the precedent has reached that level for either entity.

              Enterprise SSL monitoring is not part of this equation. It's consumer grade equipment connected to the internet.

              Despite claims to the contrary and lawyers who will argue the point, click through agreements can't have unusual or unexpected clauses that indemnify either party against certain rights. The right to be secure in your financial transactions would be one of those rights. SuperFish breaks that.

            2. Bronek Kozicki

              Re: Whose laws would they be breaking?

              @An0n

              I'm pretty sure I wrote "require consent of all parties". Whatever the owner of the Lenovo laptop agreed to, the other side (e.g. bank, journal or a blog) did not, since the T&C were meant for the laptop owner only and the other party was never presented with it.

    2. Roland6 Silver badge

      Re: @mybackdoor

      >but isn't the lesson here not to buy Lenovo and move on?

      Err No!!! You obviously don't get what is being said.

      Whilst there may be questions about Lenovo's role in the widespread distribution of the Superfish code and the vulnerabilities it introduced, both on an individual PC and in creating a large install base of PCs with exactly the same vulnerability (and hence a tempting target for malware writers), the fundamental issue is that there is absolutely nothing preventing a user from downloading some innocuous-looking browser add-on and that add-on setting itself up as a Superfish mark 2. Yes, Windows will flash a warning to the user about whether they really want to install a new certificate. However, the vast majority of (non-IT) users want the add-on, hence they will click 'OK' on the messages with little or no understanding of what exactly they were clicking 'OK' to. In fact I'll suggest that even IT-literate users would have problems determining if a browser add-in did or didn't need to install a new certificate.

      Going back to Lenovo and Superfish, without a detailed evaluation of the code, I doubt many even so-called security experts would have spotted the flaw. Yes, some may have spotted the poor password and some other aspects, but I suspect that the majority would have missed the dimension added by having the code installed on thousands of PCs...
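A defender's check for the scenario above (bundled software or an add-on quietly adding its own root certificate), added here as an example and not part of the thread: it lists every root in the machine and user trust stores that is self-signed and, as with the Superfish/Komodia root, has a private key present on the box, which a legitimate public CA root never should.

```powershell
# Audit the Windows root stores for self-signed roots that carry a private key.
# A CA root shipped with software that can also sign certificates locally
# (private key present) is exactly the Superfish pattern.
# Constructed example; store paths are the standard PowerShell Cert: drive.
function Get-SuspiciousRoots {
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        Get-ChildItem -Path $store | Where-Object {
            # Self-signed: subject equals issuer (true for every root)
            $_.Subject -eq $_.Issuer -and
            # Local private key = someone on this machine can mint certs
            $_.HasPrivateKey
        } | Select-Object @{n='Store';e={$store}},
                          Subject, Thumbprint, NotBefore, NotAfter
    }
}

# Run the audit and present the results; an empty list is the expected state.
$findings = Get-SuspiciousRoots
if ($findings) {
    Write-Warning "Root certificates with private keys found; investigate each:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No self-signed roots with private keys in the trust stores."
}
```

Run it in an elevated PowerShell session so the LocalMachine store is fully readable; a hit is a reason to trace which installer added the root, not proof of compromise on its own.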

      1. Roland6 Silver badge

        Re: @mybackdoor

        Yes Windows will flash a warning to the user about whether they really want to install a new certificate. However, for the vast majority of (non-IT) users they want the add-on, hence they will click 'OK' on the messages with little or no understanding of what exactly they were clicking 'OK' to. In fact I'll suggest that even IT literate users would have problems determining if a browser add-in did or didn't need to install a new certificate.

        I can confirm that some supposedly IT literate users will tell users that certificate warnings are normal and just click ok... In fact they can go to the next step and tell the user to click the box "don't ask me again"...
