Mozilla mulls Superfish torpedo

Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops. The move will be another blow against Superfish, which is under a sustained barrage of criticism for its use of a root certificate to launch man-in-the-middle attacks …

  1. Robert Helpmann??
    Joke

    What's in a name?

    Superfish. In retrospect, they made it really easy to spot that it was doing something smelly. Note to OEMs: don't install anything with a name like "Ubermalware" or "Ultratrojan" on your products.

    1. Anonymous Coward
      Anonymous Coward

      Re: What's in a name?

      Mozilla does not like the self generated 8192 bit certs I use on my home NAS either.

    2. Tom 13

      Re: What's in a name?

      But I thought ALL super Cxx's used UltraTrojan brand condoms to protect themselves.

    3. beep54

      Re: What's in a name?

      This is precisely the problem I have with the name, 'Malwarebytes'. Telling Gramma or whomever that you need to put this one on their machine, they immediately freak and start whining about I dun wan' no mal-ware!! Mal-ware bad!!!

  2. Ted 3

    Antivirus collusion?

    "Vulture South has counted 10 (mainly small) antivirus platforms that brand the adware as either a potentially unwanted program or an outright trojan, a figure that as of the time of writing now totals 24 with bigger names joining the fray."

    Is it possible that the larger antivirus platforms could be colluding with the likes of Superfish to ignore their activities? And that only now, when the odd "isolated" complaint has become a deafening roar that cannot be ignored, they are doing something about it? Is there another explanation of why the smaller firms flag Superfish, but the big boys do not?

    I ask these as genuine questions (not being snarky or sarcastic), as I have no idea about the inner workings of the antivirus industry.

    1. Old Handle

      Re: Antivirus collusion?

      It's possible, especially since AV software is also frequently pre-installed on new PCs. But I'm willing to give them the benefit of the doubt and guess that it's mainly about trying to strike a balance between spotting threats and annoying the heck out of people. I mean if I were designing an anti-malware program it would flag Steam as "potentially unwanted", because I sure don't want DRM spyware on my computer. But I realize the average user doesn't see it that way. So basically they have to guess which malware is unexpected and invasive and which malware is there because the idiot user tolerates it.

    2. John Sturdy
      FAIL

      Re: Antivirus collusion?

      I'm disgusted by the BBC's description of it saying it "offered shopping tips"; that's too close to collusion for me.

  3. P. Lee

    Ban 'em

    Whatever Lenovo's incompetence in the matter, siphoning off traffic and subverting encryption is the very purpose of the SuperPhish software.

    There is no excuse and it's a business practice which needs to be staked through the heart, head removed and burnt in the sunshine in front of the public.

    1. Flocke Kroes Silver badge

      I love crapware

      Makes the machine cheaper. Even if I was convinced a new computer came with a clean install of the OS of my choice, wiping and installing is required to prove I can restore from backups.

      1. Anonymous Coward
        Anonymous Coward

        Re: I love crapware

        The crapware gets installed on the bottom line consumer PCs - those that have the greater chance of going into the hands of people without IT skills. Probably only the 1.46% of them - or even less - will ever see another OS but the pre-installed one.

      2. Anonymous Coward
        Anonymous Coward

        Re: I love crapware

        > Makes the machine cheaper.

        Except that it doesn't. In jurisdictions where you can buy a Lenovo without Windows, the Windows alternative is more expensive. So at best, crapware is a Windows subsidy. I don't think Lenovo or other manufacturers should be given such an easy let-off as an assumed economic necessity. Let them make that case, rather than us potential marks inventing such excuses for them.

    2. Ole Juul

      Re: Ban 'em

      Banning is letting them off too lightly.

      (sarc) It's an attack on the security and safety of the American people. I don't see why it isn't considered domestic terrorism. OTOH, if Superfish was bigger and lobbied more, then Obama could bail them out by issuing a statement that the NORKS are involved. (/sarc)

      1. Anonymous Coward
        Anonymous Coward

        Re: Ban 'em

        A good try, but Komodia is an Israeli company, not an American one.

        1. Nigel 11

          Re: Ban 'em

          So ... it's an Israeli company that has wilfully compromised the cyber-security of the state of Israel? (and also its most powerful ally, to say nothing of the rest of the world). Do they jail such people, or do they just shoot them?

  4. Anonymous Coward
    Anonymous Coward

    I feel like the same story has been posted 5 times already.

    1. Old Handle
      Facepalm

      Yeah, but it gets a little worse each time.

      1. PleebSmash
        Windows

        idk I think it got a little better here

      2. Anonymous Coward
        Anonymous Coward

        Superfunked?

        I wonder if my iPad's been infected as the page I'm viewing these comments on definitely has adverts in it.

        1. Tom Maddox Silver badge
          Go

          Re: Superfunked?

          Yes. Yes, it definitely has. You should take your iPad to the nearest large body of water or open volcano and throw it in. iPads have been known to float, especially if running iOS 7 or later, so be sure to weight it down with a large amount of a highly dense substance such as gold. Before doing so, you should be sure to wipe all the data that might have come in contact with it, of course, including all cloud backups. You can never be too careful!

  5. Aitor 1

    Only superfish

    They should also remove all the known root certs that are used for MiM attacks, many from important cos, yet they refuse to do so, and delete forum threads about those certs...

  6. Paul Crawford Silver badge

    Deeper problem

    The deeper problem is the sorry state of SSL certificates in the first place, and why it was possible to go pretty much undetected until security researchers looked into it.

    Lenovo deserve a really big bollocking here, but all of the web browsers, and business in general, need to be doing something more serious about stopping faked certificates being used to MIM https, or making them damned obvious to the users.

    1. Mark 85

      Re: Deeper problem

      or making them damned obvious to the users

      That won't work simply because the industry treats ALL users including IT as idiots. MS has seemingly led this with "friendly" error messages and even the unfriendly (honest messages maybe) are obscure and don't really help.

    2. MrT

      Re: Deeper problem

      There's also the way companies license and rebadge software - how many have the Komodia firewall in use, but labelled as something else? Big players in AV/firewall use switch around behind the scenes (e.g. IIRC ZoneAlarm switched to Kaspersky AV engine and Sonicwall antispam between releases, others buy smaller companies and embed their product). If Komodia is used in various parental control packages, then this issue suddenly flags wider than just Lenovo consumer-level laptops.

      1. x 7

        Re: Deeper problem

        "Komodia firewall "

        I suspect you are getting confused there with the Comodo Firewall

        two completely different companies with unfortunately similar sounding names

        nothing negative against Comodo - except in my experience their software is clunky and the AV signatures not very comprehensive, but that's nothing to do with this current problem. Don't confuse the two companies

        1. Mark 85

          Re: Deeper problem

          I've never had a Comodo product installed yet I have certificates from them... WTF?

          1. Destroy All Monsters Silver badge

            Re: Deeper problem

            Comodo provides trusted root for quite a few fish lower down the certificate chain, so there are Comodo certs in the standard "trusted root CA" packages.

    3. Anonymous Coward
      Anonymous Coward

      Re: Deeper problem

      The issue is there's no way to tell a "fake" certificate from a "trusted" one - as long as a software or a user has enough privileges to install a root CA on a system. This is a weak point of the X.509 standard - everything depends on CAs' trust. There are good reasons to install CAs outside the OS "known ones" - for example company wide CAs.

      Anyway, this had little to do with TLS/SSL - it's really an example that if you let some software mess with your system with high privileges, you're screwed. And you should never trust a pre-installed OS - no matter what OS it is.

      1. DaLo

        Re: Deeper problem

        "The issue is there's no way to tell a "fake" certificate from a "trusted" one"

        Your Browser or PC could tell by checking the signature of the certificate for a site from a known good, external source first and then comparing to the signature you are seeing. If they don't match then there is an issue.

        Therefore the first visit to https://mybank.com compares the digital signature to the signature seen by a trusted external host. If they match, that signature is cached so the check isn't needed again for a set length of time; if it doesn't, a warning is thrown.
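The notary-style comparison DaLo describes, written out as an added example that is not part of the original thread: the "notary" service, the class and function names, and the certificate bytes are all assumptions or constructed stand-ins, and the SHA-256 fingerprint stands in for the "signature" being compared.

```python
import hashlib
import time
from typing import Dict, Optional, Tuple


class NotaryCheck:
    """Compare the certificate this client sees for a host against the one a
    trusted external observer (a hypothetical 'notary') reports, and cache
    agreements for a set period so the lookup is not repeated on every visit."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600) -> None:
        self.ttl_seconds = ttl_seconds
        # host -> (SHA-256 fingerprint of the verified certificate, expiry time)
        self.cache: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        # Same digest browsers show as a certificate's SHA-256 fingerprint.
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, host: str, seen_der: bytes, notary_der: Optional[bytes],
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        seen_fp = self.fingerprint(seen_der)
        cached = self.cache.get(host)
        if cached is not None and cached[1] > now:
            # Inside the cache window a different certificate from the one
            # previously verified is what a newly installed interception root
            # would produce, so warn instead of silently re-verifying.
            return "ok-cached" if cached[0] == seen_fp else "warn-changed"
        if notary_der is None:
            return "warn-no-notary"  # fail closed: nothing to compare against
        if seen_fp != self.fingerprint(notary_der):
            return "warn-mismatch"   # local view differs from the outside view
        self.cache[host] = (seen_fp, now + self.ttl_seconds)
        return "ok-verified"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_DER = b"constructed: mybank.com leaf issued by its public CA"
INTERCEPTED_DER = b"constructed: mybank.com leaf re-signed by a local interception root"


def demo() -> list:
    nc = NotaryCheck(ttl_seconds=3600)
    t0 = 1_000_000.0
    return [
        nc.check("mybank.com", GENUINE_DER, GENUINE_DER, now=t0),             # first visit, notary agrees
        nc.check("mybank.com", GENUINE_DER, None, now=t0 + 60),               # cached, unchanged
        nc.check("mybank.com", INTERCEPTED_DER, None, now=t0 + 120),          # cached, but cert changed
        nc.check("mybank.com", INTERCEPTED_DER, GENUINE_DER, now=t0 + 7200),  # cache expired, notary disagrees
        nc.check("other.example", GENUINE_DER, None, now=t0),                 # no cache, notary unreachable
    ]
```

The third and fourth results are the cases that matter for a locally installed interception root: the certificate presented to the client no longer matches either what was verified earlier or what the outside observer sees.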

    4. Anonymous Coward
      Thumb Up

      @Paul crawford - Re: Deeper problem

      Well said. It's the "undetected" part that's been bugging me.

      We have a situation where any software, it seems, can quietly install its own root CA cert during an installation and merrily proceed to intercept a machine's https connections without the user being aware at all of the serious weakness in their own security that has been introduced.

      It would be nice if Windows and Firefox at least informed the user that the software had done it, and made it possible for the user to easily remove the CA permanently if they so wish.

      The level of trust that allows Avast, for instance, to automatically install its own 'benign' MitM software and certificate also allows the likes of Superfish to do what they do. Something's a little bit broken for sure.

      1. Dan 55 Silver badge

        Re: @Paul crawford - Deeper problem

        It does let you disable it, but what it doesn't do and should do is ask you if you're aware this new certificate has been dropped into the certificate store and if you want to keep it or wipe it.

      2. Anonymous Coward
        Anonymous Coward

        Re: @Paul crawford - Deeper problem

        Certificates are used for more tasks than TLS/SSL connections only. And *any* software run under root/administrative privileges will have the rights to modify the certificate store - and installers run privileged because they need to modify the system.

        Sure, maybe something could be done, for example requiring that any executable trying to modify the certificate store(s) should be properly signed itself - but the vetting procedure to obtain a certificate is not so sound, often, as it should be. As long as it is a commercial business only, obtaining money becomes more important than ensuring security.

        But it won't help Mozilla, for example, because Mozilla uses its own stores, and thereby they are outside the OS knowledge.

        As long as a privileged user - or someone on their behalf like the device maker - installs crappy software, there's little you can do from a technical point of view to protect the system - otherwise it could become so inflexible it can lead to usability issues. It's a matter of policies and knowledge.

  7. Anonymous Coward
    Anonymous Coward

    So long Lenovo

    It'll take more than Lenovo ads pushed by Superfish to make me buy another PC from them.

  8. Anonymous Coward
    Anonymous Coward

    Should have been banned 15 minutes after the exploit was discovered

    Or at least as soon as US-CERT confirmed it last week.

    Really, there's no excuse for dithering around on this. I can think of a certain free self-service CA that has been struggling for over a decade to get into Firefox's cert bundle, and they've never been tied to an actual exploit like this. Seems like a pretty disturbing double standard is in play here.

    1. Anonymous Coward
      Anonymous Coward

      Re: Should have been banned 15 minutes after the exploit was discovered

      Quite a few political decisions around the anorexic reddish badger are frankly bizarre unless ulterior motives exist....

      1. Anonymous Coward
        Anonymous Coward

        Re: Should have been banned 15 minutes after the exploit was discovered

        So I did some follow up, reading the subject Bugzilla report (https://bugzilla.mozilla.org/show_bug.cgi?id=1134506), and it looks like there's no longer a debate about whether to do something but instead on how best to do it. Apparently the question is whether adding the cert(s) to the blacklist will be effective. As someone else commented, this incident has once again raised questions about fundamental weaknesses in the existing SSL cert regime.

  9. Anonymous Coward
    Anonymous Coward

    And how many other root CA's on your PC can you trust?

    See title

    1. P. Lee

      Re: And how many other root CA's on your PC can you trust?

      Not just CAs.

      The Australian tax return software asks for root privileges to install. Who knows what else it's doing? This is one step further on from "if you don't trust this software, don't run it." I think we've come to the point where we do need to execute software which we don't trust, so we need some additional controls.

      It's time to get a little more serious about security.

      Some sort of EXEC <binary> --additional-data-dir --net-socket-allow --ip-domain-exclude=XXX --ip-domain-include=YYY to allow the OS to control things with process-specific firewalls and disk restrictions. A kind of "noscript" for the OS, with some sensible defaults. Maybe the docker chaps could help?

      As a mockup, could the disk restrictions be done with an ad-hoc user account and a union disk configuration? With IPv6 at least, we can run up an application on its own IP address to make firewalling a bit easier.

      This could be done without upsetting existing apps, to allow untrusted applications to run without requiring root installation privileges. Apps which comply and provide a manifest get a shiny badge and good karma for their efforts. Apps which don't comply get a warning siren and booing from the gallery. The idea is to get app makers to document requirements which makes things safer for home-users and easier to manage for corporate systems.

  10. Palpy

    Comodo has a bit of a problem too: PrivDog bundleware

    According to the tech blog GHacks, PrivDog is bundled with some Comodo products. And "...it installs a certificate on the system as well. While it does not share the same key on all installations, it has an arguably even bigger flaw than that: it intercepts all certificates and replaces them with one signed by its own root key."

    This essentially seems to mean that all certificates received by your browser are registered as "valid" -- because they are replaced by the valid one signed by PrivDog. Security: FAIL.

    So it's not just Komodia, but Comodo as well.

    Oh, and "In case you are wondering what the connection between Comodo and PrivDog is: the CEO and founder of Comodo seems to be behind Privdog as well."

    Thanks to Martin Brinkmann over at GHacks, and "babawere" on the Hacker News forum.

    1. x 7

      Re: Comodo has a bit of a problem too: PrivDog bundleware

      Ironic considering Comodo are/were one of the biggest providers of certs.......and the rationale of much of their security software was based on that fact and the resulting easy internal access allowing simple verification. Do we now have to assume all Comodo-issued certs are in fact valueless?

  11. Anonymous Coward
    Anonymous Coward

    Re. terrorism

    Yeah, Lenovo needs hauling before "Da Feds" and held to account.

    $Deity knows how many older machines had a variant of this, including apparently ones dating back to 2012; even though it wasn't quite as bad, the latent vuln is still there.
