Re: About that root certificate...
I think, and other readers are invited to correct me, that the problem is that all clients have a known, installed, self-signed root CA certificate. If you have an identical copy of the root certificate (something that is normally kept secure, and probably off-line), then you can generate SSL certificates for anything, knowing that they will be accepted by any Lenovo client.
So now you can do your own Man-in-the-middle attack on Lenovo clients. And this problem is not corrected by removing Superfish, only by removing the well-known root CA certificate.
Question: if this is correct, does Superfish reject (on the internet side) its own well-known root CA certificate? If so, web browsers on Lenovo clients only become insecure when Superfish is deactivated?
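Since the post's point is that the trust anchor, not the software, is what has to go, here is an added example (not from the original poster) of checking the Windows root stores for a leftover root like this and removing it. It assumes the certificate can be recognised by the string 'Superfish' in its Subject; that pattern is a parameter you can change.

```powershell
# Added example: find a suspicious self-signed root in the Windows trust stores
# and optionally remove it. Assumption: the root's Subject contains 'Superfish'.
# Removing from Cert:\LocalMachine\Root requires an elevated shell.
param(
    [string]$Pattern = 'Superfish',
    [switch]$Remove
)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

foreach ($store in $stores) {
    # Pass 1: any root matching the pattern in Subject or Issuer.
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$Pattern*" -or $_.Issuer -like "*$Pattern*" } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
            } | Format-List

            if ($Remove) {
                # Uninstalling the software leaves the anchor in place; this removes it.
                Remove-Item -Path $_.PSPath -Confirm
            }
        }

    # Pass 2: a root CA whose private key is present on the endpoint is a red flag
    # regardless of its name, since that key lets anyone issue trusted certificates.
    Get-ChildItem -Path $store |
        Where-Object { $_.HasPrivateKey -and ($_.Subject -eq $_.Issuer) } |
        ForEach-Object {
            Write-Warning ("Self-signed root with a local private key in {0}: {1} ({2})" -f `
                $store, $_.Subject, $_.Thumbprint)
        }
}
```

Run it without -Remove first to see what matches; -Remove prompts per certificate before deleting.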