Why Lenovo SuperFish is very bad for ALL of us

Even most of the experts talking about SuperFish aren't discussing just how deep a problem this is, for all of us. Therefore I couldn't let this one go without writing something about it...

To find out if you are affected by Superfish, check https://filippo.io/Badfish.

Don't own a Lenovo? You still might have SuperFish. It might be on one browser but not others, so you need to check all browsers on all devices.

====================================
Those of you not familiar with the malware known as SuperFish can catch up here:
http://www.cnet.com/news/superfish-torments-lenovo-owners-with-more-than...
https://www.us-cert.gov/ncas/alerts/TA15-051A
http://arstechnica.com/security/2015/02/superfish-doubles-down-says-http...

Here is the site of the SuperFish developers:
http://www.home.superfish.com/#!products/crej

This page shows that the company is joint Israeli American. Why am I not surprised?
http://www.home.superfish.com/#!about-us/c1eqi
====================================

It doesn't end there though - not by a long shot. It's far worse. You may have the problem even if you aren't using SuperFish. This is because the source code used to decrypt your encrypted traffic is also used by other software. It's called "Komodia Redirector with SSL Digestor", and is used by an unknown number of commercial applications. You can find a partial list of known vendors halfway down this web page.

Here is an important article outlining the deeper issue:
http://arstechnica.com/security/2015/02/ssl-hijacker-behind-superfish-de...

Chances are excellent that it's also being used by criminals who for obvious reasons don't want you to know they are doing it. Basically anyone who is slightly smarter than a script kiddie can build an app with Komodia that can intercept your critical secure web traffic (like banking or government sites) without you even knowing it!

But wait, it's even worse than that. It is relatively easy to write your own software that does what Komodia does, with the same result - intercepting your most critical web activity.

How? By installing what's known as a "Certificate Authority" (CA) certificate into your browser. What the heck is that, and why should you care? You should care because CA certificates are easily the most important certificates on your computer: they are the ones your browser trusts to issue (sign) the certificates that websites present.

Every certificate has a name and an authority which issues the certificate. concen.org's issuer is GeoTrust. When you browse here, no warning pops up because your browser has a GeoTrust CA in it. But what if someone installed a CA on your browser from, say, "GeTrust"? They could create a fake concen.org certificate issued by "GeTrust", which they could use to decrypt your data, store it, then send it on to concen.org. You'd never know it even happened, and neither would we. Concerned yet?

But they don't even have to do that - they can use the SuperFish CA themselves because the private key for that CA has a password: "komodia". That's right kids, anyone who knows that password can hijack your session without even installing their own CA - they can use any CA that was issued by Komodia! WTF???
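To make the issuer check from the two paragraphs above concrete, here is an added example (not code from this post): it fetches the certificate a server presents using Python's standard library, flattens the issuer the way `ssl.getpeercert()` reports it, and flags either a known interception CA name (Superfish, Komodia) or an issuer that differs from the one you expect, which catches the "GeTrust" vs "GeoTrust" case. The sample certificates, the marker list and the expected issuer string are constructed for the example.

```python
import ssl
import socket

# Organization/CN fragments of the interception CAs named in the post (assumed marker list).
INTERCEPTION_CA_MARKERS = ("superfish", "komodia")

def rdn_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples that ssl.getpeercert() uses for issuer/subject into a dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate the server presents, in ssl.getpeercert() format.
    Verification stays ON so the local trust store is used; a Komodia-style proxy relies on
    its injected CA being in that store, so the chain will verify and the issuer will be the proxy."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_issuer(cert, expected_issuer_org):
    """Return (ok, reason). Fails on a known interception CA, or on an issuer organization
    that differs from the one you expect for this site (the lookalike-CA case)."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    haystack = (org + " " + cn).lower()
    for marker in INTERCEPTION_CA_MARKERS:
        if marker in haystack:
            return False, f"issuer '{org or cn}' is a known interception CA"
    if org != expected_issuer_org:
        return False, f"issuer org '{org}' != expected '{expected_issuer_org}'"
    return True, "issuer matches"

# Constructed sample certificates in getpeercert() format (not real certificates).
GENUINE = {"subject": ((("commonName", "concen.org"),),),
           "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),
                      (("commonName", "GeoTrust SSL CA"),))}
SUPERFISH = {"subject": ((("commonName", "concen.org"),),),
             "issuer": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),),
                        (("commonName", "Superfish, Inc."),))}
LOOKALIKE = {"subject": ((("commonName", "concen.org"),),),
             "issuer": ((("organizationName", "GeTrust Inc."),), (("commonName", "GeTrust CA"),))}

if __name__ == "__main__":
    for name, cert in (("genuine", GENUINE), ("superfish", SUPERFISH), ("lookalike", LOOKALIKE)):
        print(name, check_issuer(cert, "GeoTrust Inc."))
```

To check a live site, pass `fetch_peer_cert("example.invalid")` (a placeholder host) to `check_issuer` with the issuer organization you know that site uses.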

I need to make another point. Software deliberately and (AFAICT) legally distributed by a large corporation decrypts private web traffic. WHY IS THIS LEGAL?

If it is legal because the user agreed to it by accepting the Terms & Conditions of the app, it must be made illegal for a person to give up these rights. IOW, contract clauses giving up a user's right to keep their encrypted data private must be rendered NULL and VOID.

It is outrageous that we are allowing our governments to let companies (and therefore hackers) steal our most private data.

Comments

Superfish may have appeared on these Lenovo models:
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30

edited to specify the list is for Lenovo only

is potentially affected by the techniques used by SuperFish. Anyone who says this issue is limited to Lenovo is not telling the whole truth.

If it is legal because the user agreed to it by accepting the Terms & Conditions of the app, it must be made illegal for a person to give up these rights. IOW, contract clauses giving up a user's right to keep their encrypted data private must be rendered NULL and VOID.

Now I am fairly sure it's the case in Scotland (Scottish Law being different to England and Wales) that no contract can take away your rights but may ADD to your rights. Thus this should be illegal here.
I am also kinda sure it's the same in the rest of the UK and the EU too.
I cannot speak for any other legal jurisdiction but under EU rules privacy is king.
Here you have statutory rights which cannot be removed from you, not by EULA or any other license agreement.
Your statutory rights cannot be removed, only added to.
Such as a warranty... this is over and above your statutory rights as a consumer. Normally on these things it'll state clearly "This warranty is in addition to your statutory rights".
Warranty periods in the EU are min 2 years with a 5 year expected life span of the product. (This started when plasma TVs came out; people were paying thousands for them at the time and they were going TITSUP regularly, and thus the EU min guarantee was born for all electrical and electronic devices made for sale within the EU.)
However in essence I am fairly sure that they have broken Scottish Law and EU Law with this.

...an Israeli who served in IDF intelligence!
The web site is being DDOSd according to Weischelbaum, but who would trust a douchebag like him? I hope he dies a slow death from the most painful cancer possible.

Seeing as how there have been reports that 10 or more applications use Komodia certs,
this is a test to see if your system has been compromised:
https://filippo.io/Badfish/

Why bother with this? Choose a GNU/Linux distro and be happy ;-) Or, maybe something more hardcore as a BSD flavor.

One can fool a ping all the time and all the pigs some time... But with Free Software eventually any deception is exposed. There are just too many eyes!

ttsoares wrote:

Why bother with this? Choose a GNU/Linux distro and be happy ;-)

It doesn't matter what OS you're using. If someone is using a Certificate Authority (CA) that a hacker knows the keys to, then their HTTPS traffic can be decrypted by that hacker, without them knowing it's happening. There doesn't need to be any software installed on the target computer, just the CA.

...but you have to remember your average pc/laptop/tablet buyer doesn't generally have much awareness of FOSS, and many's the time I have seen newbies on FOSS forums getting talked down to by old hands... it's a bit shitty but there you are.
Windows and, to a much lesser extent, OSX are what people want and are buying machines with.
When it comes to FOSS... if you want to encourage someone onto it... GREAT... but be patient with them and encourage them...
Mint Linux is a good place to start.
It's up to everyone on the FOSS scene to evangelise without patronising, be welcoming, give advice and encouragement, and keep it positive and not condescending...

Pax wrote:

many's the time I have seen newbies on FOSS forums getting talked down to by old hands... it's a bit shitty but there you are.
It's up to everyone on the FOSS scene to evangelise without patronising, be welcoming, give advice and encouragement, and keep it positive and not condescending...

That hasn't been my experience. There's assholes everywhere, but far fewer in Linux forums.