Windows SSL Interception Gone Wild
I think it's interesting that this BADWARE install was found more or less accidentally... apparently by some tech dude noticing that his bank login presented a Silverfish-issued CA cert.
Shouldn't the possibility have been foreseen and addressed beforehand?
Perhaps by...
(1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?
(2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...
I don't know where you got the idea that this got discovered accidentally by this one tech dude. Actually quite a bunch of people have been complaining online about this for months, then for some reason it blew up when the matter got the attention of the tech and sec communities.
See these, for example: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Persona... http://www.thestudentroom.co.uk/showthread.php?t=3013039 https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Lenovo-...
(3) Google; Chrome has a rather sophisticated mechanism for detecting MITM attacks, in that it's distributed with pinned certs for several Google properties, and phones home with reports of errors it receives. This is how the DigiNotar leak[1] was discovered.
Perhaps because it was persistent and on the TCP stack level the phonehomes never succeeded? The retry logic should be robust enough to try to deliver the fraud list anyway, even if it will only accept that it has been delivered after a secured connection is restored.
[1] http://en.wikipedia.org/wiki/DigiNotar#Issuance_of_fraudulen...
Chrome does not warn if the non-official root certificate is custom installed on the local machine. It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too.
Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.
> Maybe this is a practice that needs to stop. Malware scanners can scan on the local machine after the browser has decrypted the communication and web filtering, I think, is nothing but a sign of mistrust against the users.
It's really kind of a giant security vulnerability. If an attacker can compromise the machine doing the MITM on all the encrypted connections then they get every password and credit card number for every user in your company for every website.
Sure, but once you allow local administrator access to your machine, the "guest" can modify your data and software however it wants, so you've already lost.
web filtering, I think, is nothing but a sign of mistrust against the users.
What if it's the user who wants this filtering?
I run a local proxy that MITMs to filter out ads, tracking scripts, and other undesirable things. It works in all the browsers I use regularly, and any browsers that happen to be embedded in apps, because this way the stuff I want filtered out never even reaches the browser.
Can you please tell more about your setup? Why a handful of browser plugins were not enough in your case?
Filtering reverse proxies, e.g. privoxy, have an advantage over browser plugins as they work on the network level instead of on the DOM. This means that it works as a universal adblock regardless of what OS or browser you are running. It's especially useful when you are on mobile Safari or Chrome, as they don't support adblocks.
The only way Google "needs" to collude with corporate MITM tools is its desire to court user base from corporate IT depts (allowed de jure in many countries that have weak privacy legislation).
Usually Chrome is eager to show security-related notifications but for this there isn't even a yellow notification bar with "OK, got it" option.
I think this is another example of how Google clearly puts its own interests ahead of its users.
Google wants to further promote its closed Chrome ecosystem, and to do that it needs to gain corporate support for, among other things, its Chromebooks and ChromeOS platform.
And it's obviously more important to appease corporate IT than to protect users' security.
Built in Google-spying and now, support for corporate spying too? I wouldn't trust a Chromebook as far as I can throw it.
That's a very impressive case of double think.
Google codes Chrome in order to make it more useful for various kinds of customers, such as customers who have virus scanners.
And this becomes "Google putting its own interests ahead of its users"?
Back here in reality, that's called the customer is always right and is a fundamental tenet of business.
There are many legitimate reasons to MITM web traffic. We don't need to disallow the practice, we need to build a framework that contemplates this need and provides a robust, stable architecture for it which makes it easy to distinguish between good listeners and bad listeners.
Yes, "It needs to do this because of the various corporate web filters and anti virus tools that MITM connections too." <-- this has to go away, the sooner the better. Even corporations with a large interest in MITMing their employees (mostly banks, mil, gov) should realize that this is bad security practice and will lead to all sorts of other problems.
Banks... imagine the irony.
Perhaps Chrome's MITM detection should only ignore private certs (for web filtering) if configured so via Group Policy or similar mechanism?
> Chrome has a rather sophisticated mechanism for detecting MITM attacks
Which obviously didn't work here, as Chrome was one of the most affected targets.
Firefox on the other hand, was more or less absent altogether. I know which browser I will trust.
Superfish will infect Fx also, it's just that Lenovo didn't pre-install Fx and the installer only runs once.
If you install superfish and then chrome, you will be affected. If you install superfish, then Firefox, you won't.
Thus Firefox is the more secure browser.
Superfish is not a man in the middle, by definition. It's running on your local computer. That's not the middle. That's the start. Consider that Superfish could have just done binary patching on the browser binaries instead of fiddling the local SSL configuration ... it's put there by the computer manufacturer so they can do anything they like.
It's called a "man in the middle" because it intercepts connections between the source and destination. The physical location is irrelevant.
That list is public; if you are in the business of writing these proxies anyway, fetching that list and using it as do-not-mitm exceptions is not a stretch. Which, unfortunately, defeats this nice side-effect of certificate pinning. People could have learned from the Diginotar mistake (being: mitm'ing ssl-pinned certs).
> (1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?
It was installed by the OEM. Doesn't really help if it only notifies the OEM.
> (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?
The general solution to what you're talking about is to prohibit the OEMs from installing anything by default. The problem is the OEMs wouldn't like it and Microsoft has to keep the OEMs happy lest they get any bright ideas about offering their computers with Ubuntu for $50 less than Windows.
It's not just that the OEMs wouldn't like it. The US DoJ sued Microsoft (and tried to break it up) to prevent it from having any control over what they do. In fact, Microsoft doesn't know what OEMs are installing as "Windows" unless it goes out and buys one of their PCs.
Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.
> Otherwise, some OEMs have tried installing versions of Linux, with negative financial results. A few are still trying. The real problems are selling and supporting them.
The problem seems to be that they're always trying to put them on budget machines, which is completely the wrong market. It's chasing the customers who pinch the last penny and you're never going to make any money from them regardless. Meanwhile those customers don't know what an "Ubuntu" is but pick it because it's cheaper, and then you get overrun with support calls when they want to install Turbo Tax.
The place where it makes much more sense is the corporate and professional markets where the customers actually know what they're buying. An IT department which is just going to nuke whatever the OEM installs in favor of their own volume licensed disk image would be happy to save the cost of a [redundant] Windows license for every machine. And professionals like programmers and scientists who actually use Linux would appreciate being able to buy workstation-class hardware with official driver support.
You are exactly right on both counts.
The main attempt to sell Linux to end users was the use of different versions on netbooks, which were mainly bought on price by relatively clueless users.
I talked to one supplier about the obvious cost-of-Linux-support problem at their launch. We won't do support, they said, it will be like an appliance: we'll just reset to factory condition.
You can imagine how that turned out...
>some OEMs have tried installing versions of Linux, with negative financial results.
Which isn't much of a surprise considering what I have observed so far (in trying to purchase a Linux PC). I can't recall ever having seen an OEM offer Linux for more than a sparse subset of their product line, usually mid-tier or low-tier machines.
>A few are still trying.
Which ones? The situation may have changed since I last paid any attention a few years ago.
>The real problems are selling and supporting them.
The MVP here is to merely accept returns for units that turned out to be particularly troublesome, which they usually do (i.e. the Samsung UEFI thing from 2013).
A non-Microsoft UEFI key thing might be nice as well, but that's another story.
Wal-Mart sold Linux machines at one time, and maybe still does. Dell does. A lot of small suppliers do (because they don't get such big OEM discounts on Windows and don't have high-volume automated production lines). But the real problem is that one "support incident" eats the profit from about five sales, or more.
If you think there's a market for Linux PCs, you can always set up a company to sell them. You wouldn't be the first to try, but you might be the first to succeed ;-)
>Dell does.
Dell used to. I just contacted Dell sales and according to "Hazel" they do not offer any non-Windows OS for consumer products nor will they sell a system sans-OS.
>But the real problem is that one "support incident" eats the profit from about five sales, or more.
Meh, there is a lot of room for argument here. I think the real problem, after MS' many anti-competitive shenanigans is that most people just think MS Windows is synonymous with "computer". Those who really want a Linux PC will just buy the hardware they want and install it themselves.
>If you think there's a market for Linux PCs, you can always set up a company to sell them. You wouldn't be the first to try, but you might be the first to succeed ;-)
Someone someday will probably succeed at that. I'm probably not that someone, and that day may not be today. I do think that there is a small market for it, and there could be a bigger one, maybe if/after Gaben has any success with SteamOS. OTOH, if we ever have a modular laptop standard with a commodity peripheral market then maybe not, as there would be less need (given that the only OEM PCs I have purchased in the last 10 years were laptops).
> Meh, there is a lot of room for argument here.
Not really. I got my info from senior managers at some of the (very large, Taiwanese) companies concerned.
> I think the real problem, after MS' many anti-competitive shenanigans is that most people just think MS Windows is synonymous with "computer".
Microsoft has never been accused or taken to court for any "anti-competitive shenanigans" re the success of Windows, only for ways it tried to exploit that success.
> Those who really want a Linux PC will just buy the hardware they want and install it themselves.
Yes, exactly. And they will install whichever of the 157 versions they prefer. These are among the reasons why it's hard to make a profit selling Linux PCs.
>Not really. I got my info from senior managers at some of the (very large, Taiwanese) companies concerned.
Oh. Why didn't you tell me that you had a real authoritative source? /s
>Microsoft has never been accused or taken to court
Microsoft's historical business practices WRT both Apple and Linux are well documented. Lawyers have made whole careers work generated. There is no need to hash this out for the billion +1th time.
>These are among the reasons why it's h...
I don't know who you think you're arguing with. I haven't asked you for seed money. I've not tried to convince you to go into business selling PCs.
> Oh. Why didn't you tell me that you had a real authoritative source? /s
Sorry, reality intruded. I should have known you'd find that a problem. However, you could get a clue from the fact that most companies who have tried to sell Linux have either stopped or gone bust, or do it on a very small number of systems. This is not because they are against making a profit.
> Microsoft's historical business practices WRT both Apple and Linux are well documented.
Up to a point. But most of the inexpert comment I see is badly informed and usually wrong. Still, who reads documentation?
> I don't know who you think you're arguing with
My mistake, I didn't know I was arguing....
> Dell used to. I just contacted Dell sales and according to "Hazel" they do not offer any non-Windows OS for consumer products nor will they sell a system sans-OS.
They do, it's called "Project Sputnik". It's targeted at developers though, which is a market that clearly makes sense, as AnthonyMouse pointed out.
http://www.dell.com/learn/us/en/555/campaigns/xps-linux-lapt...
The XPS 13 review yesterday was interesting, but I think I need a beefier machine. Does anyone have experience with this Precision developer edition on Linux?
For a company specialized in Linux PCs, there is System76.
Thanks for the links. I confined my statement to consumer products, so that's still true. I am a little disappointed that "Hazel" didn't mention this one, because I specifically asked about XPS series laptops, and then asked if there were any other.
These days I have a purchasing department that impedes my purchases, so as long as the crap they give me isn't too bad I just let it be.
... or they could develop badware for Ubuntu.
I found it by myself several weeks before all this news came out.
I got my new Lenovo Y50, visited my own website with it and decided to see how my https cert looked. I got quite scared when I saw I was being MITMed but I googled it and there were already a ton of forum posts saying it's just stuff bundled with Lenovo. So I uninstalled it.
Note that uninstalling the program doesn't completely undo the damage; you also need to get rid of the trusted certificate that it uses to make all of its forged certs look legitimate to the browsers. (The private key for that cert has been widely distributed, and at this point, anyone can use it to make a cert for your bank that will look legitimate to your machine so long as the Superfish root cert remains in place.)
Complete instructions here: http://www.pcworld.com/article/2886278/how-to-remove-the-dan...
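The two things this thread keeps circling back to are (a) nobody on the machine is told when a new root lands in the trusted store, and (b) uninstalling the interception software leaves its root behind, so forged certificates keep validating. As an added example, not code from any commenter, from Lenovo, or from Superfish, the PowerShell below is one way to do both checks yourself on a Windows box: snapshot the root stores on a machine you trust, diff the live stores against that snapshot, see which root a live TLS connection actually chains to, and remove a root by subject pattern. The function names, the baseline file path, and the `www.example-bank.test` host name are this example's own choices.

```powershell
# Added example: audit Windows trusted-root stores against a baseline and show
# which root a live TLS chain terminates in. Not code from the thread; the
# function names and the baseline path are this example's own choices.

function Get-TrustedRoot {
    # Enumerate machine-wide and per-user root stores. A per-user root is just
    # as trusted by browsers that rely on the Windows store (IE, Chrome).
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Save-RootBaseline {
    # Snapshot the current roots on a machine you trust (e.g. freshly wiped
    # and reinstalled), so later diffs show only what was added afterwards.
    param([string]$Path = "$env:USERPROFILE\root-baseline.json")
    Get-TrustedRoot | Select-Object Thumbprint, Subject | ConvertTo-Json |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-RootBaseline {
    # Report roots present now that were not in the baseline. This is the
    # notification the thread wishes AV products would give.
    param([string]$Path = "$env:USERPROFILE\root-baseline.json")
    $known = @(Get-Content -Path $Path -Raw | ConvertFrom-Json | ForEach-Object Thumbprint)
    Get-TrustedRoot | Where-Object { $known -notcontains $_.Thumbprint }
}

function Get-ServerChain {
    # Open a TLS connection and return the chain Windows builds for the
    # certificate actually presented. Validation is deliberately skipped so the
    # chain can be inspected even when a local proxy has substituted the
    # certificate; this is an audit tool, not a client.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($leaf)
        # Last element is the root this machine trusts for the site.
        $chain.ChainElements | ForEach-Object { $_.Certificate } |
            Select-Object Subject, Issuer, Thumbprint
    } finally {
        $tcp.Close()
    }
}

function Remove-SuspectRoot {
    # Delete roots whose subject matches a wildcard pattern, with -WhatIf support.
    # Uninstalling the interception software does not remove its root; this does.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubjectPattern)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$store\$($_.Thumbprint)", "Remove root '$($_.Subject)'")) {
                    Remove-Item -Path "$store\$($_.Thumbprint)"
                }
            }
    }
}

# Usage (host name is a placeholder). Run Save-RootBaseline once on a clean
# machine, then on the suspect one:
# $chain = Get-ServerChain -HostName 'www.example-bank.test'
# $chain[-1]                                   # the root the site chained to
# Compare-RootBaseline                         # roots added since the baseline
# Remove-SuspectRoot -SubjectPattern '*Superfish*' -WhatIf
```

Writing to `Cert:\LocalMachine\Root` needs an elevated shell; the per-user store does not. The chain check and the baseline diff are independent: a root that appears in the diff is worth a look even if no site you tested chained to it, and a site chaining to a root you did not expect is the symptom the commenters above noticed on their bank login pages.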
Is it just me, or is the Superfish fiasco being covered disproportionately against the other big security story this week, the NSA/GCHQ SIM heist?
Frankly, it's hard to keep up with all the security fail news these days (including surveillance).
If it wasn't for the SIM story, I'd have missed the Five Eyes legal restraints dodge:
https://plus.google.com/104092656004159577193/posts/2ncBEdPV...
It wasn't exactly news by the time Snowden did his dance:
Knowing of UKUSA and Five Eyes, knowing that they share intelligence on parties OUTSIDE the member states, and knowing that they are providing one another with intelligence on each other's citizens and residents are different things.
Your Wikipedia article link doesn't directly address this. It points to several other documents though:
A 2000 ZDNet article by Duncan Campbell:
http://www.zdnet.com/article/echelon-world-under-watch-an-in...
"Under a secret agreement signed in 1947, called UKUSA, the English-speaking countries agreed to share responsibility for overseeing surveillance in different parts of the world."
That doesn't tell much. But this does:
"On 6 September 1960, two NSA defectors held a press conference and revealed the worldwide scope of NSA's activities:"
"'We know from working at NSA [that] the United States reads the secret communications of more than forty nations, including its own allies... Both enciphered and plain text communications are monitored from almost every nation in the world, including the nations on whose soil the intercept bases are located.'"
It also discusses the Church Commission hearings (1975).
I'm not sure how I'd classify this, but I see general awareness as being vastly greater. And as someone who's been paying attention to this story for a long time (15+ years), it's news to me.
This article linked from Wikipedia has a Canadian stating that the Brits asked them to monitor British citizens and US lawmakers worrying that it was being used to spy on US citizens:
http://www.nytimes.com/library/tech/99/05/cyber/articles/27n...
I guess widespread speculation that avoiding domestic surveillance laws is one of the things done with the system isn't the same as knowing that it is going on, but my point was that the widespread speculation had preceded Snowden by quite some time.
Fair point. And I do appreciate the additional information and links.
From your NY Times article (published May 27, 1999):
Until last Sunday, no government or intelligence agency from the member states had openly admitted to the existence of the UKUSA Agreement or Echelon.
The mutual surveillance / legal evasion possibility appears to be suspected but not demonstrated. Again as with much else, what Snowden's done is to specifically document such activity. Which is of and by itself a material distinction.
European Parliament officials have also expressed concern about the use of Echelon to gather economic intelligence for participating nations.
And:
While few dispute the necessity of a system like Echelon to apprehend foreign spies, drug traffickers and terrorists, many are concerned that the system COULD be abused to collect economic and political information.
(All-caps emphasis added -- minimal HN formatting options have their drawbacks.)
So, I'll maintain that the documentation of such abuse is a New Thing.
Superfish has more severe practical implications.
The SIM heist confirms that few entities have capabilities that almost everyone assumed they have.
Superfish enables anyone to attack a significant percentage of internet users.
Indeed. Most NSA news only confirms what everyone could reasonably already assume - i.e. that yes, they can hit you everywhere. Don't get me wrong, I love NSA stories, but the Superfish one is rightfully more covered because:
- it's an immediate and very serious threat to a lot of people (every script kiddie with room-temperature IQ level can use it to clear someone's bank account)
- it's a very clear example of how customers are literally being fucked over by businesses, and how a big and trusted company turned out to be represented by flat-out lying assholes (one rarely gets to see a case without any room for doubt)
- it's a case that you can (and should) do something about
Maybe it's not just you, however I think a potential factor to give one more attention is that you can do something about the first, at least in the short term.
Besides cleaning your box, you can blame Lenovo, stop buying their products, promote the boycott, etc. All things that regular people can do and serves as an anger/stress/steam release valve.
The NSA news, even though it is/should be a much more important or pressing issue, is something you "can't do anything about". I mean, ostensibly you can do a lot as a citizen, however most of those actions have long term effects and thus are not as useful as a release valve. It involves commitment and even sacrifice, whereas blaming a corporation (however right you might be) is much more immediate and serves the purpose of having someone to blame for that and lots of other stuff, i.e. you can then blame the general state of IT security, then how the govt does nothing about it, how privacy is nowadays non-existent, think of the children, etc.
I also believe another factor is the way news have found a way to tap into this need for the audience to have a release valve. Something or someone to be angry at and so all your problems can be channeled to that. Where I live I've seen a growing amount of newspapers and news media that just basically do a certain journalism that does not bring anything to the table but things to be raging about.
I guess it's easier to sell stuff when you can easily get people "on your side", and since there's always a lot of people angry at something, it becomes easy to have an audience.
So what's the point then (from the POV of the media) of bringing "important" (for different values of important) news to the front page when that would require their audience to commit to actions that would last several years (change your country's politics for example) and thus not as easily enticed to "get on your side" (and thus buy your media), if on the other hand you could bring, I guess you could call them "anger-bait" (like click-bait) news, and have everyone talk about it by virtue of functioning as an escape valve where people relieve their stress, fear, anger, etc?
I'm not saying it's a good thing, but I've seen more and more evidence that points in this direction, and I guess that would be my answer as to why one has much more attention than the other.
Edit:
As an analogy, I read somewhere about the recent Charlie Hebdo (sp?) attack and how it got disproportionate attention vs the two thousand killed by ISIS (I believe it was ISIS... or Borok Haram?). Maybe it's a similar thing. You believe you are able to do "more" when it's close to home (Western nation) vs far (somewhere in Africa, far away from me).
Browser plugins can read SSL pages no problem. So why did Superfish not just present itself like a browser plugin? Then it's just normal bloatware and probably pulls in the same profit. Some people might uninstall it is the only reason I can think why they didn't go this route. They could have pre-bundled Chrome and FF to avoid having users ok the plugin installation.
> So why did Superfish not just present itself like a browser plugin
They did this for years, actually. They paid add-on developers to bundle their shopping app with the developer's app. I remember this going on ~2010/2011 at least.
People were not happy about it to say the least.
And VCs gave them money for this shit. What a fucked up investor world this is.
Here they are:
https://www.crunchbase.com/organization/superfish/investors
I'd love to see people put money where their mouth is and refuse to be funded by those investors... but I'm pretty sure it's not going to happen.
Can browser plugins install root CA certs? Honest question, I'm not sure, but I would be surprised if they could.
You can write anywhere to disk where the user has privileges (at least in FF). Not sure if that's enough.
But I don't think you need a CA at all since plugins can see the full DOM (whether SSL or not). Like if you "inspect element", view source, or run firebug.
The plugin is already written too: https://addons.mozilla.org/en-US/firefox/addon/windowshopper...
Mozilla should just pull this plugin from addons, seriously.
What am I missing here? What makes this addon so bad? It looks like it injects buttons/overlays to show "lower" prices of items you are already viewing. While I have zero desire to install this addon I'm failing to see what it's doing that makes it deserving of being pulled.
The add-on from similarproducts.net uses superfish technology.
http://www.similarproducts.net/
> SimilarProducts is a monetization platform that uses Superfish technology to help users find and discover products visually. The technology instantly analyzes images on the web and presents identical and similar product offers.
It _is_ SuperFish, see the about page.
The company is scum, as has been proven the last couple of days. I don't know why anyone (Mozilla's Add-On place included) should support them and carry their software.
MITMing everything saves them from having to write a plugin for each browser and update it.
"We've observed more than a dozen other software applications using the Komodia library" is the scary part.
This. The install base is reportedly up to 40m users.
https://twitter.com/ow/status/568935755344580608
Superfish: Go shame yourself. If I was an investor in your company, I'd pull my money now.
How about MS's continued use of winsock?
Please elaborate? What about it? (Seriously, I'd like to know what the current perceived issues with winsock are, I'm a bit out of date with Windows security)
Ah, so this is why Facebook tries to load Flash on almost every page... Allows them to gather data like this. Always wondered why Flash was "needed".
(another reason to put Flash behind click-to-play and/or push for HTML5 video)
I suspect flash is generally used to play sounds from chat messages - the https man-in-the-middle detection is heavily sampled, as referenced in https://www.linshunghuang.com/papers/mitm.pdf.
[I work at FB, but not on sounds or directly on https man-in-the-middle detection.]
Nope, without flash you still get the chat sound messages. I've no flash on my system and the only thing that's different on facebook is that I can't watch user-uploaded videos. Only their mobile site supports HTML5 last I checked.
It is still possible that they use flash as default audio source and fallback to HTML audio if flash is unavailable. Although of course it would be better if they could get rid of the flash altogether.
I don't follow why this upsets you. Seems like an argument for why allowing flash to run can be used for good?
Side note: click-to-play is a usability feature, not a security feature. It's still possible for Flash code to run before the user "clicks to play".
Click-to-play in Firefox at least is a security feature. It's enabled automatically for known-insecure plugins like old versions of Java and Flash. You can enable it manually by setting a plugin to "Ask to activate" in the Firefox add-on manager: https://blog.mozilla.org/security/2012/10/11/click-to-play-p...
Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers. Source: I am a Firefox developer and I have worked on the click-to-play code, e.g. http://bugzil.la/899347
>Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers.
Wrong: https://code.google.com/p/chromium/issues/detail?id=174963
Since people are disagreeing with my comment, I'll add some extra information (apparently I missed the editing time window, but I stand by my original comment). I should note though that I was talking about Chrome (I don't know what the deal is with Firefox).
If you go through the Chrome bug tracker, you can find several instances where Chrome engineers point out that Click-to-Play is not meant to be a security feature, and that the "Block all" setting is what is actually secure. There are several bugs which demonstrate ways around Click-to-Play which are closed as "WontFix". A quick search yields the following quotes from Chrome engineers:
"Yes, this is why click-to-play is designed as a convenience and not a security feature. If you want plugins blocked in a way that cannot be click-jacked, use "Block all," which requires a protected browser interaction (context menu, page action, etc)." [0]
"The "Click to play" setting is not a security measure. If you want to securely block plugins you must use the "Block all" option, which is a bit less convenient than "Click to play," but provides a click-jack resistant, browser mediated interface." [1]
"I'm kicking this out of the security queue because it isn't a security mechanism ... The secure method of blocking plugins is to select "Block all" and right-click to run. Whereas the "Click to play" feature is for convenience and performance." [2]
"It's not a security feature..." [3]
[0]: https://code.google.com/p/chromium/issues/detail?id=176724
[1]: https://code.google.com/p/chromium/issues/detail?id=225636
[2]: https://code.google.com/p/chromium/issues/detail?id=160707
[3]: https://code.google.com/p/chromium/issues/detail?id=414232
I'm sure there are other instances where they talk about it more, these are just the first results I found.
In recent chrome builds, they changed the behavior to right-click->Run Plugin which to my knowledge makes it immune to these attacks.
Er, are you sure about that? That doesn't appear to be the case with Firefox.
I think you might be confusing "click to play" in a Flash video/app vs. the browser-enforced "click to play", which in Chrome/Firefox prevents the plugin from running in that tab to begin with.
He is referring to the fact that in Chrome click to play has no security effect at all - pages can click jack you to activate it.
To quote a Chrome developer: "Click to play is not actually a security boundary. In particular, it has always been subject to click-jacking."
But this problem is not only about CA certs. If the application sits in the same computer it can intercept the SSL libs used in the application (wininet for IE, and the Firefox and Chrome used libs) to watch and modify SSL connections.
This can be done without any proxy or certificate installation.
I recently bought one of these and didn't even boot it into windows before ripping out the drive and tossing in a linux installation on my SSD. Never been more grateful to be technologically competent. Also, I am wiping that drive.
You're the Chuck Norris of HN
Too edgy for me :)
Come up with your own comments
All those HDDs at the store also have manipulated firmware.
Holy shit, I bought a lenovo Z50-70, ripped out my drive, and put in a linux drive. I've never been happier to have some semblance of control over these things.
You do realize... that you can just re-format your drive as it is.
One week ago the HDD firmware manipulation by NSA/GCHQ was revealed. So, if the snoops intercept the parcel with the laptop, it's better when you go into a computer parts store and buy a random HDD...
And this is why I run linux...
The superfish issue is why you run linux? You could've given the world a bit of a heads up on it, don't you think?
No, if you wipe the hd and reinstall it's not an issue. I run linux because I like it. Stuff like this doesn't happen with mainstream distros.
I know at least Mint does DNS and browser plugin ad injection.
Is this documented somewhere? I tried searching for a couple combinations of "linux mint dns ad injection", but couldn't find anything relevant.
I was referring to their use of OpenDNS http://forums.linuxmint.com/viewtopic.php?f=90&t=128529
And hijacking Google search on Firefox, http://blog.linuxmint.com/?p=142
OpenDNS hasn't done ad pages for non-existent domains in ages. As for "hijacking" Google search, that's simply setting a different default - you can change it and nothing tries to stop you, and OS upgrades won't change it back (I believe).
Aww, really? This is the first I've heard of this.
No, not really.
I guess you haven't heard of amazon+ubuntu? This is just a side effect of maximizing profits, and it happens to anyone making a profit, unless they're idealistic enough.
Ubuntu wasn't MITMing your connections, it's hardly the same. They had ads, not a massive security hole.
Also they informed users about Amazon integration and afaik provide a way to disable it.
Sorry, I'm low on tinfoil. You'll have to go to the store and pick up your own.
> Superfish uses a third party library from a company named Komodia to modify the Windows networking stack
This is the second article I've read that states this - Superfish does no such thing.
My (not very studied) understanding is that it used SSL Digestor:
https://web.archive.org/web/20150220003144/http://www.komodi...
installed as a LSP:
http://en.wikipedia.org/wiki/Layered_Service_Provider
"modify the windows networking stack" is not an absurd description of that.
You may find this Stackoverflow discussion interesting. Note the date.
https://stackoverflow.com/questions/16269624/the-truth-behin...
How do you know one way or the other? Care to enlighten us?
What doesn't it do? It is modifying the network stack by intercepting all traffic (presumably through a proxy), right?
> we see several reasons to be concerned about this practice in the case of Superfish and others. Chief among those is privacy—the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic.
Never mind that Facebook sees all the computer user's Facebook traffic, and cross-indexes it with every other bit of data gleaned from their vast graph and uses it for profit.
Yes, and they do all that with the user's consent.
Um, really? How informed is that consent?
What of sites that unilaterally change rules retroactively? Or fail to provide reasonable alternatives?
Facebook does all of the above.
To an extent that I don't trust it, and don't use it.
But there are plenty of other services which wave the "but you consented!" flag. Google comes to mind, and I've had my set of issues with them as well.
Umm, if you're using Facebook, it should be fairly obvious that you are giving your information to Facebook. Yes, I call that an informed consent.
And when you're browsing a web site with a Facebook Like button (that you don't click on), you're giving information about your browsing habits to Facebook and it's totally non-obvious.
Sorry, I don't understand. What does it mean that I am browsing a web site with a Facebook Like button that I don't click on?
If the button image is hosted on Facebook's servers (and it commonly is), they have a log of your request for it, including the page it was on (from the "Referer" header). This request is sent when you load the page, without the need to click on the button. Every site you visit that includes a Facebook resource gives them the ability to collect data about you and your habits. These are often part of a site's template, included without regard to the page it might appear on. You'd be surprised what a Referer URL can reveal about you.
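The leak described in the comment above can be checked for on your own pages. The following is an added example, not code from the thread: it parses a constructed HTML page, lists every off-site resource the browser fetches automatically while rendering (images, scripts, iframes, link targets such as stylesheets), and groups them by the third-party host that will receive the page URL in the Referer header. The page URL, the hosts `cdn.analytics.example` and `social.example`, and the HTML itself are constructed for the demonstration.

```python
"""Audit which third parties learn a page's URL through the Referer header.

Added example (not from the thread). Each off-site resource that a page
embeds is requested by the browser at load time, with no click needed, and
that request normally carries the full page URL in its Referer header. The
host serving the resource therefore learns which page the visitor was on,
including the query string. All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute is fetched automatically during page load.
# <a href> is deliberately absent: a link is only fetched when clicked.
AUTO_FETCH = {
    "img": "src",
    "script": "src",
    "iframe": "src",
    "link": "href",
}


class ResourceCollector(HTMLParser):
    """Collect the URLs of resources the browser loads without user action."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_FETCH.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            self.urls.append(value)


def third_party_referer_leaks(page_url, html):
    """Return {third_party_host: [absolute resource URLs]} for off-site resources.

    Every host in the result receives a request whose Referer header is
    `page_url` under the default referrer behaviour of browsers of the time.
    Same-host resources are ignored because they reveal nothing new.
    """
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    leaks = {}
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolve relative paths
        host = urlsplit(absolute).hostname
        if host and host != page_host:
            leaks.setdefault(host, []).append(absolute)
    return leaks


def referer_sensitive_parts(page_url):
    """The parts of a page URL a third party can read from a Referer header."""
    parts = urlsplit(page_url)
    return {"path": parts.path, "query": parts.query}


# Constructed sample: a results page whose query string is itself sensitive.
SAMPLE_PAGE_URL = "https://clinic.example/results?patient=4711&test=hiv"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.analytics.example/tracker.js"></script>
</head><body>
<img src="/images/logo.png">
<iframe src="https://social.example/plugins/like?href=https://clinic.example/results"></iframe>
<img src="https://social.example/badge.png">
<a href="https://social.example/share">Share</a>
</body></html>
"""

if __name__ == "__main__":
    print("Third parties that learn the page URL:")
    for host, urls in third_party_referer_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"  {host}: {len(urls)} automatic request(s)")
    print("What the Referer reveals:", referer_sensitive_parts(SAMPLE_PAGE_URL))
```

Running it on the sample shows two hosts receiving the page URL: the analytics CDN (one script) and the social site (the widget iframe and the badge image), while the share link is not reported because it is only fetched on a click. The defensive takeaway for a site operator is to keep such widgets out of page templates that render sensitive paths or query strings, or to serve the needed assets from your own host.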
Oh, that's what you meant. It was too obvious to me :)
I mean, of course elements that are embedded in Web pages may be traced by the party who sends them (and pages very often include off-site content).
It's not just an image, either. It's typically a widget that may even show you if your friends also liked the page.
And, in fact, one should not trust that even if a page says my friends liked the page, they actually did.
Well, it is at least in the T&Cs.
You had to agree to have Superfish installed too, if Lenovo is to be believed.
Just to be clear, Facebook and Google hate any software that allows users to modify content within their walled gardens (whether that's an adblock, ad injector, or other). These companies want a totally controllable user experience in order to maximize their own user metrics and monetization.
My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies. As users and developers, we want to retain this ability.
Adware sucks, and there are dozens of anti-virus companies who should be all over anyone who tries to pull this crap. The problem here is not with MITM, SSL packet inspection or modification. The problem here is that Lenovo allowed themselves to be turned into a distribution channel for a poorly implemented, spammy piece of adware for a few extra pennies.
To be fair, I'm sure any website owner would want to prevent others from modifying their own website and how users view/interact with it.
For the ones who are pro-DRM, that is probably true; the ones who realise that trying to do that is as futile as forcing one to sit in front of the TV during the adverts, probably not.
Userscripts and userstyles are very popular, and I see no particularly large backlash against them.
It's not as simple as that though. It's perfectly acceptable to want to have control over how your site is presented while still allowing your data to be accessible. If I spent a lot of time on my site UI, I wouldn't want some third party tweaking it, when that may mean I make changes to my front-end and some percentage of users break which I have no real control over. This remains true whether I replicate every capability in an open REST interface or not.
> My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies.
They already have, with HTTP/2. Encryption is mandated for HTTP/2 so something like Privoxy (or even just a caching proxy) has to use a Superfish-like method to bypass the encryption. The only alternative is to modify the browser, which they are also locking down with unchangeable ChromeOS and limiting plugins to only officially sanctioned ones.
...and you won't really even be able to just not use HTTP/2 because the web will be much slower as pipelining is not even implemented in Chrome, and Firefox will no doubt drop it soon. Websites optimized for HTTP/2 could take minutes to load without pipelining.
The real irony is that neither Google nor Mozilla determined what software caused pipelining problems, so guess what, it was Superfish and its like. Instead they made a new protocol that requires Superfish-like MITM interception, to work around problems caused by Superfish-like MITM malware.
HTTP/2 doesn't actually require TLS (it got removed because of too many people pushing for it not being required for things like home routers and the like), though none of the major browser vendors intend on supporting HTTP/2 without it.
I'm not sure why a normal user would ever need to add CAs to their root store. Can you clarify?
Adding (or removing) CAs is a fully legitimate activity.
Your own site, work, or vendor / client sites could be added.
Or you could want to remove a Comodo (or Honest Achmed's Used Cars and Certificates).
http://www.livehacking.com/2011/04/25/honest-achmeds-used-ca...
https://bugzilla.mozilla.org/show_bug.cgi?id=647959
Just because your OS / browser vendor "trusts" a cert doesn't mean you should.
> Just because your OS / browser vendor "trusts" a cert doesn't mean you should.
In other words, users should always have the right to control who they (indirectly) trust. That's what the comment above is referring to - it will be even worse if Superfish is used as an excuse to take away this right.
Quite right.
Depends on what you mean by "normal user." It's somewhat advanced, for sure, but many companies use private CAs to issue certs for their intranet sites, and the ability to install those certs on client machines is very useful.
Plenty of enterprise users need to. There are other reasons too.
I presume 'nugget is talking about the HTML rewriting aspect of the software. Injecting additional/unwanted tracking code == bad, user-requested re-writing of content == good.
Oddly Google's Android team took a different approach; on Android 4.0+ there is no way to install additional certificates without a periodic "Network may be monitored by unknown third party" notification being presented.
Very annoying if you wish to use your own CA or add another and it is also dangerous in that it masks any cert installation by malware.
Realizing an adblock mechanism, for one. (Similar to InterMute in the late 90s, and admucher.com now.)
That's a really intrusive, dangerous way of implementing ad blocking, though. Much better to have that functionality live in the browser itself (or an extension).
I add CAs to my root store so that I can view my https traffic using fiddler.
Also if you want to use http://www.cacert.org/ you need to add their cert.
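The sub-thread above on adding CAs to the root store, and the Fiddler comment just before this, both come down to the same observation: once a local CA is trusted, TLS connections still validate, but a well-known site's certificate is suddenly signed by that local CA instead of its usual public CA. The following is an added example, not code from the thread: it records which CA organization you expect to sign a given site and flags a live certificate whose issuer differs. `ssl.getpeercert()` is Python's real API; the baseline table, the site name `bank.example`, and the two sample certificate dicts are constructed.

```python
"""Flag a site certificate whose issuer is not the CA you expect.

Added example (not from the thread). A debugging proxy such as Fiddler, a
corporate CA, or adware that installs its own root all produce the same
symptom: the leaf certificate for a site validates fine, but its issuer is
the locally installed CA. Comparing the issuer against a baseline recorded
on a machine you trust surfaces that change. Sample data is constructed.
"""
import socket
import ssl


def _name_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples name format returned by ssl.getpeercert()."""
    result = {}
    for rdn in rdn_sequence:
        for key, value in rdn:
            result[key] = value
    return result


def issuer_org(cert):
    """Organization name of the CA that signed this certificate ('' if absent)."""
    return _name_to_dict(cert.get("issuer", ())).get("organizationName", "")


def check_issuer(hostname, cert, expected_orgs):
    """Return (ok, message); ok is False when the issuer is outside the baseline.

    expected_orgs maps a hostname to the set of CA organization names that
    legitimately sign its certificate. A host with no baseline is reported
    but not failed, so the first run can be used to build the table.
    """
    org = issuer_org(cert)
    allowed = expected_orgs.get(hostname)
    if allowed is None:
        return True, f"{hostname}: no baseline recorded; issuer is {org!r}"
    if org in allowed:
        return True, f"{hostname}: issuer {org!r} matches baseline"
    return False, (f"{hostname}: issuer {org!r} is not in baseline "
                   f"{sorted(allowed)}; a locally trusted CA may be "
                   "intercepting TLS")


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (needs network).

    The default context validates against the system root store, so an
    interception CA that has been added there does NOT cause an error here;
    that is exactly why the issuer check above is needed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed baseline: CA organizations observed signing each site.
EXPECTED_ISSUERS = {
    "bank.example": {"Example Public CA Inc"},
}

# Constructed certificate dicts in getpeercert() shape.
NORMAL_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA G2"),)),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Local Proxy CA (constructed)"),),
               (("commonName", "Local Proxy Root"),)),
}

if __name__ == "__main__":
    for cert in (NORMAL_CERT, INTERCEPTED_CERT):
        ok, message = check_issuer("bank.example", cert, EXPECTED_ISSUERS)
        print("OK " if ok else "BAD", message)
    # Live use, once you have recorded a baseline for the host:
    # print(check_issuer("example.org", fetch_peer_cert("example.org"), EXPECTED_ISSUERS))
```

The issuer organization is a coarse signal: sites change CAs, so a mismatch is a prompt to inspect the chain rather than proof of interception. Its strength is that a locally installed CA, whether a debugging proxy you added yourself or one that arrived with preinstalled software, is never in the public-CA baseline for a site you did not set up, so the check catches exactly the case the thread is about.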
You're going to get hellbanned if you keep talking like that. We love our corporate masters here.