Reply to post: Re: About that root certificate...

Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

david 12 Bronze badge

Re: About that root certificate...

I think, and other readers are invited to correct me, that the problem is that all clients have a known, installed, self-signed root CA certificate. If you have an identical copy of the root certificate (something that is normally kept secure, and probably off-line), then you can generate SSL certificates for anything, knowing that they will be accepted by any Lenovo client.

So now you can do your own Man-in-the-middle attack on Lenovo clients. And this problem is not corrected by removing Superfish, only by removing the well-known root CA certificate.

Question: if this is correct, does Superfish reject (on the internet side) its own well-known root CA certificate? If so, do web browsers on Lenovo clients only become insecure when Superfish is deactivated?
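The remediation the comment above points at, checking whether the well-known root CA is still trusted after the adware is gone and removing it from the trust store, can be scripted. The following is an added example written for this page, not code from the commenter, The Register, Lenovo or Superfish. It assumes a Windows host with an elevated PowerShell session; the `Find-SuspectRootCA` and `Remove-SuspectRootCA` function names are invented here, and the thumbprint is a placeholder to be replaced with the fingerprint published by a source you trust, since the page itself does not give one.

```powershell
# Added example (not from the original comment): audit the Windows trusted-root
# stores for a Superfish CA certificate and, on request, remove it.
# PLACEHOLDER thumbprint: replace with the published fingerprint before relying
# on the thumbprint match; the subject-name match works without it.
$KnownBadThumbprint = 'REPLACE-WITH-PUBLISHED-SUPERFISH-THUMBPRINT'

# Both the machine-wide and the per-user root stores are checked, because a
# certificate trusted in either one makes a chain built on it validate.
$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuspectRootCA {
    param(
        [string[]]$SubjectPatterns = @('Superfish'),
        [string]$Thumbprint = $KnownBadThumbprint
    )
    foreach ($store in $RootStores) {
        Get-ChildItem -Path $store | Where-Object {
            $cert = $_
            ($cert.Thumbprint -eq $Thumbprint) -or
            (($SubjectPatterns | Where-Object { $cert.Subject -match $_ }) -ne $null)
        } | ForEach-Object {
            # SelfSigned is the tell-tale from the comment: a root CA whose
            # private key is shipped to every client is worthless as a trust anchor.
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Remove-SuspectRootCA {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$SubjectPatterns = @('Superfish'))
    foreach ($hit in (Find-SuspectRootCA -SubjectPatterns $SubjectPatterns)) {
        $path = Join-Path -Path $hit.Store -ChildPath $hit.Thumbprint
        # ShouldProcess honours -WhatIf / -Confirm so the removal can be rehearsed.
        if ($PSCmdlet.ShouldProcess($path, "Remove root CA '$($hit.Subject)'")) {
            Remove-Item -Path $path
        }
    }
}

# Usage: list first, then rehearse the removal before doing it for real.
Find-SuspectRootCA | Format-Table -AutoSize
Remove-SuspectRootCA -WhatIf
```

Two caveats worth keeping in mind: the check only covers the Windows certificate stores, so a browser that keeps its own trust store (Firefox does) has to be audited separately, and an empty result from the thumbprint match means nothing until the placeholder has been replaced with a real fingerprint.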
