    Superfish – Breaking the trusted HTTPS connection

    By Jeff Harrell on February 23, 2015 Adware, Malware, Man-in-the-Middle, Phishing, Security, Security Awareness, Spyware

    Sometimes a piece of news comes across your desk that is too amazing to believe. You read it and think to yourself, “That can’t be true. No one with any professional savvy would ever make such an obvious mistake.” But of course, in the inevitable chase to shore up profits, poor decisions are made.

    This latest chapter in “Most Shocking News” is the discovery that Lenovo, one of the largest laptop manufacturers in the world, has been pre-installing software on its laptops that breaks one of the most basic trust models of secure Internet browsing.

    “It must be a pretty bad bug,” I thought when I first saw the headlines. Turns out it wasn’t a bug; it was a feature. That’s right – the software installed on these laptops was designed that way and installed on purpose.

    The software, called Superfish, installed its own root certificate into the computer’s trusted certificate store, which allowed it to perform what is essentially a man-in-the-middle attack on secure web traffic to and from the computer it is installed on. Its stated purpose was to inject ads into web pages as users surfed. Oh, great. That seems a LITTLE overkill, but okay.

    So you pay your many-hundreds-of-dollars for your Lenovo laptop, but you’re still going to have to look at targeted ads based on your searches thanks to the Superfish software. If that was as bad as it got, it would still be annoying, but not shocking in the least. But it gets worse.

    The technology behind the Superfish problem is from an Israeli company called Komodia. Because of the shortcuts Komodia took to break the user’s trusted HTTPS connection so they could inject advertising into the secure stream, they made it extremely easy for malicious attackers to make use of it as well. Researchers have already shown how easy it is to create fake certificates that look real once the Superfish software is installed. So users may think they were using a secure connection to their bank, or their healthcare organization, when in reality an attacker could be siphoning off all of the interesting information for themselves.

    How likely is that? Well, considering that the Superfish software used the same root certificate across all the devices it was installed on, and the private key for that certificate was protected by the same password everywhere – “komodia” – it’s very possible that a bad actor has noticed this before and decided to make use of it. After all, the problem was discovered by a security engineer at Google; it could just as easily have been discovered long ago by someone with nefarious plans and simply kept secret.

    The Superfish framework is also apparently used in many other products (more than a dozen, according to Facebook). Thanks to Cloudflare security engineer Filippo Valsorda, you can check to see if it’s installed on your computer.
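    To make concrete why a pre-installed, shared root certificate breaks the browser’s trust model, and what a check like Valsorda’s amounts to on the defender’s side, here is an added example in Go. It is not part of the original article and is not code from Superfish, Komodia or Lenovo. It builds a throw-away root CA in memory, signs a certificate for an arbitrary hostname with that CA’s key, and shows that Go’s standard X.509 verifier rejects the certificate against an empty trust store but accepts it once the rogue root is trusted; the last function scans a list of installed roots for the suspicious issuer. The issuer label “Superfish, Inc. (demo)” and the hostname bank.example are assumptions for the demonstration; the article does not quote the real certificate’s subject.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// rogueIssuerOrg is an assumed label for the demo root; the article does not
// quote the real certificate's subject, so this is not the actual value.
const rogueIssuerOrg = "Superfish, Inc. (demo)"

// makeRogueRoot creates a self-signed CA certificate of the kind an
// ad-injecting proxy drops into the operating system's trusted root store.
func makeRogueRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: rogueIssuerOrg, Organization: []string{rogueIssuerOrg}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueLeaf signs a server certificate for host with the rogue root's key.
// The proxy does this on the fly for every site; the article's point is that
// anyone else holding the same shared key can do exactly the same.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts reports whether a client whose trust store is roots would
// accept leaf as a valid certificate for host (chain and hostname checks).
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// findRogueRoots is the defender's check: walk the installed root
// certificates and return the subjects whose organization matches the
// suspicious issuer. Matching on "superfish" is the assumed label from above.
func findRogueRoots(installed []*x509.Certificate) []string {
	var hits []string
	for _, c := range installed {
		for _, org := range c.Subject.Organization {
			if strings.Contains(strings.ToLower(org), "superfish") {
				hits = append(hits, c.Subject.String())
				break
			}
		}
	}
	return hits
}

func main() {
	root, key, err := makeRogueRoot()
	if err != nil {
		panic(err)
	}
	leaf, err := issueLeaf(root, key, "bank.example") // constructed hostname
	if err != nil {
		panic(err)
	}
	clean := x509.NewCertPool()
	tainted := x509.NewCertPool()
	tainted.AddCert(root)
	fmt.Println("clean trust store accepts forged bank cert:   ", browserAccepts(leaf, clean, "bank.example"))
	fmt.Println("trust store with rogue root accepts it:       ", browserAccepts(leaf, tainted, "bank.example"))
	fmt.Println("rogue roots found by scan:", findRogueRoots([]*x509.Certificate{root}))
}
```

    Run it with `go run` and the two verification results print as false and then true. On a real machine a defender would feed `findRogueRoots` the certificates read from the operating system’s root store instead of the constructed list, and remove both the matching root and the software that installed it. Note that the hostname check still works in the tainted store (a certificate for one name is not accepted for another); the danger is that whoever holds the shared key can mint a valid certificate for any name they choose.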

    After initially claiming there was no problem and users were safe, Lenovo has ceased installing Superfish software on their systems, and to their credit they have apologized and promised to do more careful review of what gets installed in the future. Superfish has insisted that its code is safe and that the flaw was “introduced unintentionally by a third party.” If you ask me, I think they should have flushed that idea to start with.

    Jeff Harrell

    Jeff Harrell has over 15 years of experience in the IT security industry leading product management and product marketing teams to build and market security solutions for businesses of all sizes. He is currently the Vice President of Product Marketing at Norse, a leading threat intelligence company. Jeff’s areas of expertise include cloud technology, threat intelligence, compliance, vulnerability management, configuration auditing, and encryption. Prior to Norse, Jeff worked for security and technology companies including nCircle, Qualys, McAfee, PGP, and eMusic.


    3 Comments

    1. Cre8tive on February 23, 2015 7:14 pm

      Sooo… I have a Lenovo laptop, a T440 provided by my employer. Should I check to see if Superfish is installed, or just let IT handle it?

      • xarophti on February 23, 2015 7:42 pm

        Is that considered an Enterprise (business) model? Supposedly, it was only installed on consumer-level hardware. Lenovo published a list of all models affected (if you trust that).

        • Cre8tive on February 23, 2015 7:53 pm

          I do believe it is Enterprise. I’ll check with IT, thanks!
