So, for those who haven't seen this yet... According to Errata Security[0], The Register[1] and ZDNet[2], it turns out that Lenovo has been shipping a piece of adware/malware called "Superfish" on their Yoga 2 laptops, which includes their own bogus root CA certificate in order to inject ads into HTTPS sites.
Except they've installed the *PRIVATE* key[3] onto every one of these laptops as part of that software, so someone who has extracted this private key could use it to compromise SSL connections made by these laptops.

And Lenovo are saying that "we have requested that Superfish auto-update a fix that addresses these issues". Which fills me with deep confidence. What were they thinking? D:

Cheers,
Hazel

[0] http://blog.erratasec.com/2015/02/some-notes-on-superfish.html
[1] http://www.theregister.co.uk/2015/02/19/superfish_lenovo_spyware/
[2] "A Google security engineer, Chris Palmer, confirmed on Twitter that Superfish was intercepting SSL/TLS connections and injecting its own self-signed certificates for all sites on a Yoga 2 laptop, including for Bank of America." -- http://www.zdnet.com/article/lenovo-accused-of-pushing-superfish-self-signed-mitm-proxy/
[3] The encrypted (in the same sense DRM is "encrypted") private key -- https://twitter.com/supersat/status/568329299494744065
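As an added example that is not part of the original post, the following shell script uses openssl and a constructed stand-in root CA to make the two points above concrete: why a trusted root whose private key sits on disk lets whoever holds it mint a certificate for any hostname that validates cleanly, and the check an administrator can run to confirm whether a recovered private key corresponds to a root in the trust store. The CA name, the hostname bank.example and the temp-directory layout are all constructed.

```shell
# Added example, not from the original post: openssl shows why a root CA whose
# private key ships with the software is a full MITM risk, and gives the check an
# admin can run to confirm a recovered key matches a root in the trust store.
set -eu
WORK="$(mktemp -d)"
# Minimal CA config so the root is a real CA (CA:TRUE) regardless of openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Bundled Adware Root (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
# Stand-in for the bundled root: key plus self-signed CA cert, both on disk,
# which is exactly the situation the post describes.
make_bundled_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}
# An unrelated key, to show the check does not match just any key.
make_unrelated_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
}
# Defender check: does private key $2 belong to trust-store certificate $1?
# Compares the SHA-256 of the cert's public key with the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}
# Risk demonstration: whoever holds root.key can issue a certificate for any
# hostname that chains to the trusted root, which is all an interception proxy needs.
leaf_verifies_for() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null
}
make_bundled_root
make_unrelated_key
key_matches_cert "$WORK/root.pem" "$WORK/root.key" && echo "root.key matches the trusted root"
key_matches_cert "$WORK/root.pem" "$WORK/other.key" || echo "other.key does not match it"
leaf_verifies_for bank.example && echo "leaf for bank.example chains to the trusted root"
```

On a real machine the same key_matches_cert comparison can be run against each root exported from the OS trust store, which is how an administrator confirms whether a key found on disk is the one the store trusts.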
