from Hacker News

Windows SSL Interception Gone Wild

by mkjones on 2/21/15, 12:56 AM with 130 comments

  • by jgwest on 2/21/15, 2:21 AM

    I think it's interesting that this BADWARE install was found more or less accidentally... apparently by some tech dude noticing that his bank login presented a Silverfish-issued CA cert.

    Shouldn't the possiblity have been forseen and addressed beforehand?

    Perhaps by...

    (1) Anti-virus / anti-malware makers. Does this software not notify the user when strange CA certs are put into a system's root certificate storage? I understand that certain businesses do this for traffic monitoring... so it might be legit... but still, no user notification?

    (2) Microsoft. Do their license terms really allow OEMs to install MiTM proxies and screw around with the root certs? Microsoft could do a good thing here by disallowing this sort of malfeasance... or is there some problem I'm not seeing with such an action?

    If this were done in, say, OS X (unrealistic, of course), it would be found out and the whole tech world would know about it in a jiffy. John Siracusa would be howling at the Internet moon within a couple of hours...

  • by ademarre on 2/21/15, 2:44 AM

    Is it just me, or is the Superfish fiasco being covered disproportionately against the other big security story this week, the NSA/GCHQ SIM heist?

    https://news.ycombinator.com/item?id=9076351

  • by logn on 2/21/15, 3:38 AM

    Browser plugins can read SSL pages no problem. So why did Superfish not just present itself like a browser plugin? Then it's just normal bloatware and probably pulls in the same profit. Some people might uninstall it is the only reason I can think why they didn't go this route. They could have pre-bundled Chrome and FF to avoid having users ok the plugin installation.

  • by nissehulth on 2/21/15, 1:55 AM

    "We've observed more than a dozen other software applications using the Komodia library" is the scary part.

  • by reedloden on 2/21/15, 1:49 AM

    Ah, so this is why Facebook tries to load Flash on almost every page... Allows them to gather data like this. Always wondered why Flash was "needed".

    (another reason to put Flash behind click-to-play and/or push for HTML5 video)

  • by wslh on 2/21/15, 11:18 AM

    But this problem is not only about CA certs. If the application sits in the same computer it can intercept the SSL libs used in the application (wininet for IE, and the Firefox and Chrome used libs) to watch and modify SSL connections.

    This can be done without any proxy or certificate installation.

  • by robbintt on 2/21/15, 4:36 AM

    I recently bought one of these and didn't even boot it into windows before ripping out the drive and tossing in a linux installation on my SSD. Never been more grateful to be technologically competent. Also, I am wiping that drive.

  • by robbintt on 2/21/15, 4:35 AM

    Holy shit, I bought a lenovo Z50-70, ripped out my drive, and put in a linux drive. I've never been happier to have some semblance of control over these things.

  • by aosmith on 2/21/15, 3:18 AM

    And this is why I run linux...

  • by larvaetron on 2/21/15, 1:45 AM

    > Superfish uses a third party library from a company named Komodia to modify the Windows networking stack

    This is the second article I've read that states this - Superfish does no such thing.

  • by ams6110 on 2/21/15, 2:15 AM

    we see several reasons to be concerned about this practice in the case of Superfish and others. Chief among those is privacy—the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic.

    Never mind that Facebook sees all the computer user's Facebook traffic, and cross-indexes it with every other bit of data gleaned from their vast graph and uses it for profit.

  • by nugget on 2/21/15, 1:44 AM

    Just to be clear, Facebook and Google hate any software that allows users to modify content within their walled gardens (whether that's an adblock, ad injector, or other). These companies want a totally controllable user experience in order to maximize their own user metrics and monetization.

    My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies. As users and developers, we want to retain this ability.

    Adware sucks, and there are dozens of anti-virus companies who should be all over anyone who tries to pull this crap. The problem here is not with MITM, SSL packet inspection or modification. The problem here is that Lenovo allowed themselves to be turned into a distribution channel for a poorly implemented, spammy piece of adware for a few extra pennies.