Reply to post: Re: About that root certificate...

Superfish: Lenovo ditches adware, but that doesn't fix SSL megavuln – researcher

Jamie Jones Silver badge

Re: About that root certificate...

"I think, and other readers are invited to correct me, that the problem is that all clients have a known, installed, self-signed root CA certificate. If you have an identical copy of the root certificate (something that is normally kept secure, and probably off-line), then you can generate SSL certificates for anything, knowing that they will be accepted by any Lenovo client."

My point was that this depends on whether the *superfish* proxy accepts such a certificate as valid - the web clients on the machine are irrelevant if they go through the superfish proxy.

"I think, and other readers are invited to correct me, that the problem is that all clients have a known, installed, self-signed root CA certificate. If you have an identical copy of the root certificate (something that is normally kept secure, and probably off-line), then you can generate SSL certificates for anything, knowing that they will be accepted by any Lenovo client."

ummm, well yeah, that's exactly what I wrote (though whilst you got an upvote, 2 moronic plebs downvoted me with no explanation, or mitigation for their lack of brain cells)
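The mechanism the quoted passage describes, as an added worked example that is not part of the thread and has nothing to do with the actual Lenovo or Superfish key material: a self-signed root is generated, its private key is treated as "known to everyone", a certificate for an arbitrary hostname is minted with it, and the result is checked the way a TLS client would. All CA names, hostnames and file names below are made up for the demo; only the openssl command line is used.

```shell
#!/bin/sh
# Added example (not from the thread or from Lenovo/Superfish): a self-signed
# root whose private key is known lets anyone mint a certificate for any
# hostname, and a client that trusts that root accepts it.
# All names and files are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal, self-contained OpenSSL config so distro defaults do not interfere.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# make_root NAME "Common Name": self-signed root CA plus its private key.
# The "shared root" problem is exactly this pair being present on every machine.
make_root() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# mint_leaf ROOT HOST: anyone holding ROOT.key can sign a cert for HOST.
mint_leaf() {
  root=$1; host=$2
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  # Leaf extensions; the SAN is what makes the forged cert match the hostname.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 30 -CAcreateserial \
    -CA "$WORK/$root.crt" -CAkey "$WORK/$root.key" -extfile "$WORK/$host.ext" \
    -in "$WORK/$host.csr" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# verify_leaf HOST ROOT: what a TLS client does - chain to a trusted root and
# match the hostname, trusting ONLY ROOT.crt. Returns 0 if it would be accepted.
verify_leaf() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$2.crt" \
    -verify_hostname "$1" "$WORK/$1.crt" >/dev/null 2>&1
}

make_root shared "Example Shared Root CA"     # the one installed on every client
make_root unrelated "Some Unrelated Root CA"  # a CA the attacker holds no key for
mint_leaf shared bank.example

if verify_leaf bank.example shared; then
  echo "client trusting the shared root: forged bank.example cert ACCEPTED"
fi
if ! verify_leaf bank.example unrelated; then
  echo "client without the shared root: forged bank.example cert REJECTED"
fi
```

Note what this does and does not show: it demonstrates the claim in the quoted passage (a leaked root key plus a client that trusts the root equals a valid-looking certificate for any name), and nothing more. The separate question Jamie Jones raises, whether a local interception proxy actually validates the upstream server's certificate before re-signing it with the shared root, is not modelled here; answering that requires pointing the proxy at a server presenting a bogus certificate and observing what it forwards to the browser.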


Biting the hand that feeds IT © 1998–2019