Computer World has an interesting article on Superfish, an “adware” program that shipped with certain versions of Lenovo laptops. As the article points out:
But it gets worse. It turns out Superfish relied on a third-party component for the HTTPS interception functionality: an SDK (software development kit) called the SSL Decoder/Digestor made by an Israeli company called Komodia.
The “smart tech” side: the article refers to a very interesting and well-written description of how Robert Graham at Errata Security extracted the private key used by this product. This article is a must-read.
The “dumb tech” side: everything else about this situation. Superfish installs its own self-signed certificate into the Microsoft certificate cache, and then re-signs the certificate of every site the browser visits. It is beyond me how anyone with even the barest knowledge of network security thought this was a good idea. It completely subverts the entire trust system on which X.509 certificates, and thus SSL encryption, are based.
This also speaks very poorly of Lenovo’s judgement. I do understand that they cannot fully vet every library used by every piece of software they pre-install. I also understand that pre-loading software is one of the tools vendors use to keep their prices down (thank you Microsoft); no one should have any illusion that software is there for the customer. But I sincerely hope that Lenovo pays a severe market penalty for this incident; if we want any change to vendor crapware, this is how it’s going to have to happen.
For the consumer though, the lesson is clear: no matter whether or not you think it might be useful, delete every single piece of software shipped on a new computer that you didn’t ask for. Companies have their own computer images for a reason, and now you know why. It’s sad that individuals need to be concerned with supply chain management.