Shouldn't the possibility have been foreseen and addressed beforehand?
Perhaps by...
(1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?
(2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...
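One way an administrator (or a security tool) can get the notification the comment above asks for is to audit the Windows trusted root stores directly. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or later, and the watchlist name and the optional baseline file are constructed for illustration ("Superfish" is the only name the thread mentions).

```powershell
# Added example, not code from the thread: audit the Windows trusted root
# stores for entries that look like a locally installed interception CA.
# Assumptions: Windows PowerShell 5.1 or later with read access to the
# stores; the watchlist and the optional baseline file are constructed
# for illustration ("Superfish" is the only name the thread mentions).

function Get-SuspiciousRoots {
    param(
        [string[]] $StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string[]] $Watchlist  = @('Superfish'),  # substrings to flag in Subject
        [string]   $BaselineFile = $null          # thumbprints from a known-clean machine, one per line
    )
    $baseline = @()
    if ($BaselineFile -and (Test-Path $BaselineFile)) {
        $baseline = Get-Content $BaselineFile | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
    }
    foreach ($path in $StorePaths) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $reasons = @()
            # A trusted root whose private key lives on this machine can sign a
            # certificate for any site on the fly; no public CA's root ever has
            # its key on an end-user PC, so this alone is a red flag.
            if ($cert.HasPrivateKey) { $reasons += 'private key present on host' }
            foreach ($name in $Watchlist) {
                if ($cert.Subject -like "*$name*") { $reasons += "subject matches '$name'" }
            }
            # Anything absent from the clean baseline was added after imaging.
            if ($baseline.Count -gt 0 -and $baseline -notcontains $cert.Thumbprint.ToUpper()) {
                $reasons += 'not in baseline'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# To build the baseline on a known-clean machine:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint | Set-Content roots-baseline.txt
Get-SuspiciousRoots -BaselineFile '.\roots-baseline.txt' | Format-Table -AutoSize
```

Confirm a flagged entry is not an inspection CA your own organisation deliberately deployed (the legitimate case the comment mentions) before removing it from the store.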
See these, for example: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Persona... http://www.thestudentroom.co.uk/showthread.php?t=3013039 https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...
Perhaps because it was persistent and on the TCP stack level the phonehomes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.
[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...
Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.
Which obviously didn't work here, as Chrome was one of the most affected targets.
Firefox, on the other hand, was more or less absent altogether. I know which browser I will trust.
It was installed by the OEM. Doesn't really help if it only notifies the OEM.
> (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
The general solution to what you're talking about is to prohibit the OEMs from installing anything by default. The problem is the OEMs wouldn't like it and Microsoft has to keep the OEMs happy lest they get any bright ideas about offering their computers with Ubuntu for $50 less than Windows.
Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.
I got my new Lenovo Y50, visited my own website with it and decided to see how my https cert looked. I got quite scared when I saw I was being MITMed but I googled it and there were already a ton of forum posts saying it's just stuff bundled with Lenovo. So I uninstalled it.
Complete instructions here: http://www.pcworld.com/article/2886278/how-to-remove-the-dan...
If it wasn't for the SIM story, I'd have missed the Five Eyes legal restraints dodge:
https://plus.google.com/104092656004159577193/posts/2ncBEdPV...
The SIM heist confirms that few entities have capabilities that almost everyone assumed they have.
Superfish enables anyone to attack a significant percentage of internet users.
- it's an immediate and very serious threat to a lot of people (every script kiddie with room-temperature IQ level can use it to clear someone's bank account)
- it's a very clear example of how customers are literally being fucked over by businesses, and how a big and trusted company turned out to be represented by flat-out lying assholes (one rarely gets to see a case without any room for doubt)
- it's a case that you can (and should) do something about
Besides cleaning your box, you can blame Lenovo, stop buying their products, promote the boycott, etc. All things that regular people can do and serves as an anger/stress/steam release valve.
The NSA news, even though it is (or should be) a much more important or pressing issue, is something you "can't do anything about". I mean, ostensibly you can do a lot as a citizen, however most of those actions have long-term effects and thus are not as useful as a release valve. It involves commitment and even sacrifice, whereas blaming a corporation (however right you might be) is much more immediate and serves the purpose of having someone to blame for that and lots of other stuff, i.e. you can then blame the general state of IT security, then how the govt does nothing about it, how privacy is nowadays non-existent, think of the children, etc.
I also believe another factor is the way the news has found a way to tap into this need for the audience to have a release valve. Something or someone to be angry at, so all your problems can be channeled to that. Where I live I've seen a growing number of newspapers and news media that just basically do a certain journalism that does not bring anything to the table but things to be raging about.
I guess it's easier to sell stuff when you can easily get people "on your side", and since there's always a lot of people angry at something, it becomes easy to have an audience.
So what's the point then (from the POV of the media) of bringing "important" (for different values of important) news to the front page when that would require their audience to commit to actions that would last several years (change your country's politics for example) and thus not as easily enticed to "get on your side" (and thus buy your media), if on the other hand you could bring, I guess you could call them "anger-bait" (like click-bait) news, and have everyone talk about it by virtue of functioning as an escape valve where people relieve their stress, fear, anger, etc?
I'm not saying it's a good thing, but I've seen more and more evidence that points in this direction, and I guess that would be my answer as to why one has much more attention than the other.
Edit:
As an analogy, I read somewhere about the recent Charlie Hebdo (sp?) attack and how it got disproportionate attention vs the two thousand killed by ISIS (I believe it was ISIS... or Boko Haram?). Maybe it's a similar thing. You believe you are able to do "more" when it's close to home (Western nation) vs far (somewhere in Africa, far away from me).
They did this for years, actually. They paid add-on developers to bundle their shopping app with the developer's app. I remember this going on ~2010/2011 at least.
People were not happy about it to say the least.
But I don't think you need a CA at all since plugins can see the full DOM (whether SSL or not). Like if you "inspect element", view source, or run firebug.
The plugin is already written too: https://addons.mozilla.org/en-US/firefox/addon/windowshopper...
https://twitter.com/ow/status/568935755344580608
Superfish: Go shame yourself. If I was an investor in your company, I'd pull my money now.
(another reason to put Flash behind click-to-play and/or push for HTML5 video)
[I work at FB, but not on sounds or directly on https man-in-the-middle detection.]
Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers. Source: I am a Firefox developer and I have worked on the click-to-play code, e.g. http://bugzil.la/899347
If you go through the Chrome bug tracker, you can find several instances where Chrome engineers point out that Click-to-Play is not meant to be a security feature, and that the "Block all" setting is what is actually secure. There are several bugs which demonstrate ways around Click-to-Play which are closed as "WontFix". A quick search yields the following quotes from Chrome engineers:
"Yes, this is why click-to-play is designed as a convenience and not a security feature. If you want plugins blocked in a way that cannot be click-jacked, use "Block all," which requires a protected browser interaction (context menu, page action, etc)." [0]
"The "Click to play" setting is not a security measure. If you want to securely block plugins you must use the "Block all" option, which is a bit less convenient than "Click to play," but provides a click-jack resistant, browser mediated interface." [1]
"I'm kicking this out of the security queue because it isn't a security mechanism ... The secure method of blocking plugins is to select "Block all" and right-click to run. Whereas the "Click to play" feature is for convenience and performance." [2]
"It's not a security feature..." [3]
[0]: https://code.google.com/p/chromium/issues/detail?id=176724
[1]: https://code.google.com/p/chromium/issues/detail?id=225636
[2]: https://code.google.com/p/chromium/issues/detail?id=160707
[3]: https://code.google.com/p/chromium/issues/detail?id=414232
I'm sure there are other instances where they talk about it more, these are just the first results I found.
This can be done without any proxy or certificate installation.
This is the second article I've read that states this - Superfish does no such thing.
https://web.archive.org/web/20150220003144/http://www.komodi...
installed as an LSP:
http://en.wikipedia.org/wiki/Layered_Service_Provider
"modify the windows networking stack" is not an absurd description of that.
https://stackoverflow.com/questions/16269624/the-truth-behin...
Never mind that Facebook sees all the computer user's Facebook traffic, and cross-indexes it with every other bit of data gleaned from their vast graph and uses it for profit.
What of sites that unilaterally change rules retroactively? Or fail to provide reasonable alternatives?
Facebook does all of the above.
To an extent that I don't trust it, and don't use it.
But there are plenty of other services which wave the "but you consented!" flag. Google comes to mind, and I've had my set of issues with them as well.
My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies. As users and developers, we want to retain this ability.
Adware sucks, and there are dozens of anti-virus companies who should be all over anyone who tries to pull this crap. The problem here is not with MITM, SSL packet inspection or modification. The problem here is that Lenovo allowed themselves to be turned into a distribution channel for a poorly implemented, spammy piece of adware for a few extra pennies.
Userscripts and userstyles are very popular, and I see no particularly large backlash against them.
They already have, with HTTP/2. Encryption is mandated for HTTP/2 so something like Privoxy (or even just a caching proxy) has to use a Superfish-like method to bypass the encryption. The only alternative is to modify the browser, which they are also locking down with unchangeable ChromeOS and limiting plugins to only officially sanctioned ones.
...and you won't really even be able to just not use HTTP/2 because the web will be much slower as pipelining is not even implemented in Chrome, and Firefox will no doubt drop it soon. Websites optimized for HTTP/2 could take minutes to load without pipelining.
The real irony is that neither Google nor Mozilla determined what software caused pipelining problems, so guess what, it was Superfish and its like. Instead they made a new protocol that requires Superfish-like MITM interception, to work around problems caused by Superfish-like MITM malware.
Your own site, work, or vendor / client sites could be added.
Or you could want to remove a Comodo (or Honest Achmed's Used Cars and Certificates).
http://www.livehacking.com/2011/04/25/honest-achmeds-used-ca...
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Just because your OS / browser vendor "trusts" a cert doesn't mean you should.
I presume 'nugget is talking about the HTML rewriting aspect of the software. Injecting additional/unwanted tracking code == bad, user-requested re-writing of content == good.
Also if you want to use http://www.cacert.org/ you need to add their cert.