SuperFish - worst case certificate abuse
There is a new “man in the middle” attack against web pages that is significantly worse than I have seen before. Interestingly, it does not even appear to be intended as an attack.
Just last month I wrote about how Gogo in-flight WiFi was intercepting secure web communications on airplanes.
The new threat is worse. Many Lenovo laptops have been shipped with software called SuperFish installed. SuperFish is supposed to help with price comparisons while shopping, but they do it by intercepting all of your web requests, including secure communications.
Unlike with Gogo, SuperFish installs its own root certificate into the computer so there is no notification that anything is wrong. As far as your browser and computer know, the certificates are completely legitimate.
Worse yet, the same certificate is used for every computer, so if anyone knew the secret key they could also man in the middle any of those computers.
So… wait for it…. of course the secret key for the certificate is stored on the computer too, encrypted under as simple password which has been cracked. Anyone who has SuperFish installed can get that key.
Since any attacker can get that root certificate key, they are all in a position to launch man in the middle attacks against Lenovo users.
If you have a Lenovo computer, or have installed SuperFish for some other reason. Remove it ASAP. It is not trivial, test your computer here.
To remove SuperFish, go here.
Further reading:
How the certificate was extracted: Errata Security: Extracting the SuperFish certificate
An excellent article from arstechnica Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica
Another good source from ZDNet Researchers: Lenovo laptops ship with adware that hijacks HTTPS connections | ZDNet
Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.