"And it didn’t involve sneaking malicious adware onto your customers’ computers."
Lenovo in 2015 has been given some bad press about the software bundled with its systems (more commonly called bloatware). The software causing the greatest concern is Superfish, an add-on supposedly designed to enhance our online shopping experience and provide suggestions about products and services we didn't want to purchase to begin with. In short, it may seem like just another form of the typical adware bundled with most OEM-released computers. However, there is a rather nasty twist to Superfish: it actually conducts a man-in-the-middle attack by creating its own security certificates for connections encrypted over the HTTPS protocol.
Basically, Superfish is able to decrypt our encrypted connections and gain any information it wants, as well as bombard us with advertisements about absolute rubbish!
How Does Superfish Work?
Since most websites establish a secure connection using HTTPS and SSL, a website needs to obtain a security certificate and prove that it is who it claims to be. Before I delve deeper into the details of Superfish, it is important to explain what HTTPS, SSL and certificates are for those who do not know.
HTTPS (Hypertext Transfer Protocol Secure) is an amalgamation of the standard HTTP protocol and the SSL/TLS protocol, providing encrypted communication over a network. Ironically, the main purpose of HTTPS is to prevent man-in-the-middle attacks, but from the Superfish perspective this is largely ignored for the sake of being able to add more ads to secure connections.
HTTPS requires websites to provide a valid security certificate, and that certificate must be signed by a trustworthy certificate authority. We can view the certificate authorities which issue the digital certificates through Certificate Manager (certmgr.msc).
The digital certificate is used to establish the ownership of a public key within a public-private key pair, which can then be used to establish a secure, encrypted connection between a server and the user. It is vitally important that the Certificate Authority (CA) is trustworthy, since it is responsible for validating that the credentials in the digital certificate it issues match the details of the website.
To ensure that the public key wasn't stolen and isn't being used by a malicious party, we need a digital certificate to verify the user. The CA signs this certificate, vouching that it is correct. However, when the CA owns the public key itself, it signs its own certificate as trusted. This is known as a self-signed certificate or a Trusted Root Certificate. Once this has been verified, the private key can be used securely by the user to complete the public-private key pair and encrypt and decrypt information.
Superfish creates its own Trusted Root Certificate, and then uses that certificate to issue digital certificates for websites. From here, it is able to control and sign these digital certificates, decrypt the HTTPS connection and show advertisements to the user. This leaves the user open to packet sniffing and man-in-the-middle attacks, where an attacker (Superfish) is able to obtain private information such as banking details.
Additionally, it's important to remember that your web browser relies on the trustworthiness of these CAs when accepting the certificates they issue.
Where and When Does Superfish Install Its Own Certificate?
Superfish installs itself as a CA in the Trusted Root Certification Authorities folder of the Certificate Manager shown earlier. Superfish then issues digital certificates which impersonate the website you're visiting, and signs those digital certificates with its own root to gain access to your encrypted connection. Superfish applies this mechanism to every website you visit.

Also in Slate: Lenovo’s Superfish Scandal Is One of the Worst Consumer Computing Screw-Ups Ever (slate.com)
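As an added example (not code from the original post, Lenovo or Superfish), here is a PowerShell script that audits the Trusted Root Certification Authorities stores described in the last section for a root CA whose Subject matches a pattern, reports it, and removes it on request. It assumes the Superfish root certificate's Subject contains the text "Superfish"; the script name in the usage note is hypothetical.

```powershell
<#
Added example, not part of the original post: audit the Windows Trusted Root
Certification Authorities stores (the folder certmgr.msc shows) for a root CA
whose Subject matches a pattern, and optionally remove it.
Assumption: the Superfish root certificate's Subject contains the text "Superfish".
Run elevated to inspect and change the LocalMachine store; supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SubjectPattern = 'Superfish',
    [switch]$Remove
)

# Both stores matter: a root trusted only for the current user is still enough for the browser.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)  # a root CA vouches for itself
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
                PSPath     = $_.PSPath
            }
        }
}

if (-not $suspects) {
    Write-Output "No root certificate matching '$SubjectPattern' in $($stores -join ', ')."
    return
}

# Report what the browser currently trusts as a root under this name.
$suspects | Format-Table Store, Subject, SelfSigned, NotAfter, Thumbprint -AutoSize

foreach ($s in $suspects) {
    # Deleting the root is what stops the browser trusting every certificate it issued.
    if ($Remove -and $PSCmdlet.ShouldProcess("$($s.Subject) [$($s.Store)]", 'Remove root certificate')) {
        Remove-Item -Path $s.PSPath
        Write-Output "Removed $($s.Thumbprint) from $($s.Store)"
    }
}
```

Saved as (hypothetically) `Find-RogueRoot.ps1`, run `.\Find-RogueRoot.ps1 -Remove -WhatIf` first to preview the removal, then without `-WhatIf` to apply it.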