I suppose we should thank Lenovo. The bald incompetence it has displayed in both concept and execution with the Superfish fiasco underscores the real problem of Web security: it still rests on a fragile trust model, and there is simply no good way to deal with circumstances such as Lenovo's screwup, in which a party sitting inside the trust boundary turns out to be the attacker.
If you're not aware, late last week it came to light that Lenovo has been shipping adware, Superfish Visual Discovery, preinstalled on some of its consumer laptop lines. By itself, this might be regarded as an odious yet unfortunately common practice. But Lenovo has gone several steps beyond simply arranging for advertising to pop up in front of its customers: the software includes man-in-the-middle code that intercepts the user's encrypted HTTPS connections, ostensibly so that it can inject ads into those pages as well.
To put it plainly, the software installs its own root certificate in the Windows trust store and then, on the fly, mints a certificate for every HTTPS site the user visits, banks and government agencies included, signed by that root. Because the root is trusted, the browser shows no warning, so the user never learns that the interception is happening. Further, the root is unscoped: it carries no name constraints, so it can vouch for literally any hostname. The software also inserts its root into the Firefox certificate store, which is held separately from the main Windows store, so switching browsers is no escape.
Worse, every affected system ships the same root certificate and the same private key, and that key has already been extracted with trivial effort. This means that every Lenovo customer with one of these systems is exposed to all manner of attacks. Anyone holding the key can sign a certificate for any site, and an affected system will accept it without question. The one caveat is that an outside attacker must also get between the laptop and the server, for example on the same public Wi-Fi network or a hostile hotel network; that is exactly the position TLS is supposed to protect against, and the one this software now hands over. Lenovo has completely undone SSL security for its users in an effort to force more ads down their throats.
Of course, it’s been known since the advent of SSL certificates that something like this could happen. All that’s required is that a system's certificate store be compromised and instructed to trust certificates created by a bad actor. Since the basis of SSL security is trust, once the bad guys are trusted, all semblance of security goes out the window, and in general we don’t expect our hardware vendor to be one of the bad guys. Well, that ship has now sailed all the way to the horizon, because Lenovo is not merely compromising the certificate store; its software is also actively intercepting secure traffic on the machines it sold.
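To make concrete why a shared, unscoped root key is so damaging, here is an added example that is not from the article and uses none of Superfish's or Komodia's code or keys: every key is generated locally, and the CA name, the `.adware.example` domain and `bank.example` are placeholders. It builds two roots with the OpenSSL command-line tool, one unscoped like the one described above and one restricted with a name constraint, mints a certificate for bank.example from each, and reports which a client trusting each root would accept.

```shell
#!/bin/sh
# Added example (not from the article). Shows what a client that trusts an
# unscoped root CA accepts, versus one whose root is limited by nameConstraints
# and versus a clean client. All keys are generated here; nothing is real.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Config for the two hypothetical roots. The scoped one may only vouch for
# names under .adware.example (placeholder domain).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[unscoped_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[scoped_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.adware.example
EOF

# make_root <basename> <extensions section>: a self-signed root as a vendor
# might ship it in every laptop's trust store.
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=Hypothetical Adware Root" \
    -config ca.cnf -extensions "$2" >/dev/null 2>&1
}

# forge_leaf <root basename> <hostname> <out basename>: what anyone holding
# the root's private key can do, for any hostname they like.
forge_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3.csr" \
    -subj "/CN=$2" -config ca.cnf >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$3.ext"
  openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$3.ext" -out "$3.crt" >/dev/null 2>&1
}

# client_accepts <trusted root basename> <leaf basename> <hostname>:
# prints "accepted" if a client trusting that root would accept the leaf
# for that hostname (chain, validity and name constraints all checked).
client_accepts() {
  if openssl verify -CAfile "$1.crt" -verify_hostname "$3" "$2.crt" \
       >/dev/null 2>&1
  then echo accepted
  else echo rejected
  fi
}

make_root unscoped unscoped_ca
make_root scoped scoped_ca
forge_leaf unscoped bank.example forged-unscoped
forge_leaf scoped   bank.example forged-scoped

echo "unscoped root in trust store : $(client_accepts unscoped forged-unscoped bank.example)"
echo "scoped root in trust store   : $(client_accepts scoped   forged-scoped   bank.example)"
echo "clean client, no adware root : $(client_accepts scoped   forged-unscoped bank.example)"
```

The first line is the Superfish situation: any certificate minted under the shared root passes for any site. The second shows what a name constraint would have bought even with the root in the store, and the third shows that without the root the forged certificate is worthless. Checking trust anchors for `nameConstraints`, and treating any unconstrained root you did not knowingly install as a compromise, is the practical takeaway.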
This should be a bellwether event, with three consequences.
- A major lawsuit may well be filed against Lenovo, not only by its customers but also by any institution whose security has been compromised in this manner, such as any bank that was accessed from an affected device. Remember, Lenovo's software was surreptitiously intercepting that traffic and masquerading as the institution in question. This kind of overreach should result in major repercussions against the company responsible, to make it clear it is not acceptable in any way, shape, or form. Sony BMG's misdeeds in 2005, installing a rootkit on the PCs of people who unwittingly bought its copy-protected music CDs, are another example. That fiasco is still discussed and gave Sony a black eye that persists to this day. Make no mistake, Lenovo will suffer the same fate here.
- Based on what we've seen so far, Lenovo's actions may be criminal under various legal definitions. We know the law is not great at dealing with technology crimes, but actively and covertly subverting security measures designed to protect people will likely fall into more than a few criminal categories.
- We need to completely rethink the concept of SSL communication and certification authorities. There may be no good answers yet, but it’s clear that between utter abominations such as this and the allegations that unknown groups may hold keys to major certification authorities and be able to decrypt SSL communications at a whim, the foundation of SSL communications is crumbling. In the short term, if you have something worth protecting with an SSL certificate, don't rely on the public CA system alone: for clients you control, run your own CA or pin the server's key in the client. Bear in mind that this only helps where you also control the client's trust configuration. Against a machine whose trust store has already been tampered with, as here, no choice of server certificate helps, because the interceptor presents its own certificate in place of yours.