243 comments

[ 2.7 ms ] story [ 340 ms ] thread
Is it good or bad that they made no attempt at all to obfuscate the cert and password? I mean, obviously this whole stupid MitM attempt is stupid, but by leaving this stuff totally in the clear, can they claim to have done all this out of stupidity rather than out of a callous disregard for the security of their customers?
They added a password to the private key which they didn't have to, so it's not true that they didn't attempt to obfuscate it at all. In practice that only bought them a couple of hours at most, but why add a password unless you're trying to stop people from using it?
They didn't "buy hours" - they didn't really have a defense line there. They cashed in the day they signed the contract with Lenovo.

Someone should sue to see these contracts open in the public.

If you subscribe to the idea that you shouldn't assume malice when stupidity suffices, maybe the programmer in question just saw somewhere that it's good practice to use a password on private keys, and didn't understand why you do it or how it helps.
Yeah that's another point for the "don't blame us because we're stupid" argument. They're actually so stupid that they use a password, that's stored in the same place as the cert. If they used any of the standard anti-reversing techniques, that would have implied enough sophistication to be expected to know how TLS certs work, thus enough sophistication to know to just generate new certs on first use. One would have expected Commodea to make this automatic for their poor stupid customers, however.
The implementation may be mostly stupidity/laziness as they probably just used Komodia's ad injection SDK:

http://www.komodia.com/ad-injection-sdk/

But if you look at what Komodia says on that page regarding anti-virus:

"The SDK has anti virus capabilities and each compiled version generates a totally new version."

it's pretty clear they know this is something that most people would consider to be malware rather than just run of the mill adware. So the blatant disregard for users appears pretty malicious.

Why are operating systems letting third party software modify TCP/IP traffic? Maybe their SDK can be installed only via root privileges?
It runs a proxy and configures the OS proxy settings (used by most web browser) to use that proxy. Nothing at the TCP/IP level.
Useless. What would have been valuable would have been to generate a random private key at installation time. As it stands, it seems like the private key extracted can be used to mitm all Lenovo users.
Yes. There are a bunch of legit proxies that do this already, and they know that when they mess with SSL they need to be careful.
Legit? Care to elaborate? I am really interested.
Debugging proxies like Fiddler (Windows) or Charles (Mac) generate a certificate if you want to inspect HTTPS.
Some ad-removing proxies (basically the exact opposite of Superfish?) and antivirus need to do MITM on SSL as otherwise they would be completely ineffective against ads or malware served via SSL.
Is it true that an antivirus program like Microsoft Security Essentials installs a cert into the system cert store in order to MITM all network traffic?
> otherwise they would be completely ineffective against ads or malware served via SSL.

That's certainly false. HTTPS does not encode the routing headers, so it's still possible to block all traffic foreign to the host (or coming from a list of suspected malaware/add domains) without decoding the packets.

You're going to block all of AWS?
>You're going to block all of AWS?

a) You block post and get requests that go to external domain's which are either blacklisted or non-whitelisted.

a) services hosted on AWS still have specific ips or ip ranges tied to domain names, so even if doubleclick is hosted on AWS there should be no problem ban-listing it.

example: HTTPSwitchboard works quite well with some tuning without any MiTM proxying - as a matter of fact, I'm not sure what you would even gain from MiTM proxying, if an authenticated host wants to serve you malicious content they don't need to cross-domain reference, and you won't be able to distinguish it from non-malicious content.

Proxying and decoding content at some point prior to final destination may be useful in certain very specific cases, but generally it's unnecessary and leads to more dangerous failure modes. So far I haven't seen a typical use-case for it explained, which cannot be achieved with other methods.

if an authenticated host wants to serve you malicious content they don't need to cross-domain reference, and you won't be able to distinguish it from non-malicious content.

The point is that the MITM proxy can scan the traffic for malicious content and block it before e.g. it reaches a browser. HTTPSwitchboard works only in the browser, but that might be too late if it's a browser exploit on a new domain... or a browser that you cannot modify easily, like the embedded ones in various "smart" devices.

> The point is that the MITM proxy can scan the traffic for malicious content and block it before e.g. it reaches a browser.

The difficulty is identifying the malicious traffic in an automated way, your own machine can scan it to - but most likely your browser is already patched for known vulnerabilities (maybe if someone is still running old IE versions in your office this could be beneficial).

Secondly, you don't need to proxy to scan malicious sites, if you have a dedicated machine (or third-party service) that sees an outgoing request and if the address is not in it's safe-list, it tests that request by duplicating it (you can have a netfilter hook in your firewall blocking packets from 'non-safe' sites or delaying for validation from the dedicated device/service). This doesn't require a MiTM proxy in the SSL connection.

The SSL connection MiTM as far as I understand is only necessary if you want to check for malicious data being injected into an authenticated, non-publicly accessible site or form. Having one dedicated device which is re-routing office traffic through it's own SSL cert means that if that single device is compromised, so is the entire network.

I thought ad-removing worked by just blocking requests to any site that's been blacklisted.
(comment deleted)
It was obfuscated. The "product" uses an obfuscating executable packer. It was extracted from a memory dump not from reversing the program.
>[strings] is an ancient (mid-1980s) program that simple extracts human readable strings out of a binary file, discarding the rest. It's really a stupid simple program.

No it isn't.

http://lcamtuf.blogspot.se/2014/10/psa-dont-run-strings-on-u...

Then again, he did let the 'malware' infect himself. (Ghetto reversing as he calls it.) I'm pretty sure it wouldn't be a big deal if strings failed... but you still have a good point!
My guess is that he ran in a vm, at least that is what I would do.
No it isn't, what?

Nothing he said discounts what you added. You should have just said "be careful with strings" and linked your link, rather than making some vague hand waving correction which wasn't...

It isn't a dumb and simple program. It does a lot of complicated stuff under the hood, and it is good to be aware of that.
It's simple in what it does, which is what the OP was going for. He never really made any claims of it being simple in how it does it.
It's not a complicated thing it does at all: it uses the standard system facilities for opening an object file to scan through the data section instead of the entire file. In the '80s, it used a.out format, which was dead simple. Today, GNU strings uses the GNU libbfd library, which is quite a bit more complicated, although the fundamental process of parsing an ELF file is also not that complicated.

The actual problem here is that such a dumb simple task as parsing an ELF file isn't something you'll do without vulnerabilities, if you're not paying attention to vulnerabilities. Run `man elf` on your favorite Linux system, and you'll see docs of <elf.h>, which you can use to read ELF files. Write something to just dump the text section -- it shouldn't take you more than like 30 lines of C. Then tell me how many integer overflows you managed to squeeze in those 30 lines. :)

It's worth noting though that this article used the MS/Sysinternals version of strings and not the binutils version in most Linux distros. The Sysinternals version is unlikely to be parsing ELF and the like.

(One quick test: try "strings -n 2 cmd.exe" and see if the output starts with MZ.)

This is incredibly interesting. I was like cheering at this point:

>I could just use the file super.txt as my dictionary!

Funny how I just bought a Lenovo yesterday, then read about this MitM issue and today it's cracked :-/
Time to wipe and install a fresh OS then.
That is normal protocol for any new PC I buy. The crapware that PC manufacturers don't even bother trying to hide like antivirus, photo management, browser helpers etc... always warrants an OS wipe after unboxing.

If my next laptop isn't from Apple it will be one I can buy from Microsoft directly where they don't install any of that garbage.

ANother reason to install your own OS is that SSDs are much cheaper from Newegg than as laptop upgrades.
To be honest if you purchased a consumer grade Lenovo machine then malware is the least of your concerns. That thing will be a paper weight within a year.

They're like the "Gateway" laptops of yesteryear. Thinkpad is still "fine" but Lenovo's consumer stuff is utter junk of the highest order.

Source: Worked at a startup which purchased consumer laptops (shudder). Asus were "fine," Acer/Dell was "ok," Lenovo were horrifying, only being beaten by an unbranded laptop we had.

So I'd highly recommend avoiding Lenovo's stuff unless it is a Thinkpad.

What about Toshiba's
Not sure about current practices, but their support here in Australia was awful in the late 2000s. They wouldn't even talk to you on the phone unless you fronted $55. "All I want ask is if you have online documentation and where, I don't want troubleshooting" -> Nope, $55 before we answer that. Screw supporting that model.
(comment deleted)
What year would "yesteryear" be? My much-abused 2008 Gateway is still running like a champ.
Definitely wipe the OS and reinstall from known-clean media. Consider a return, depending on their return policy.
Looks like Superfish (and Lenovo) are using this malware -

http://www.komodia.com/products/komodia-redirector/

Yeah, they even have a page specifically geared toward people who want to use it for ad injection:

http://www.komodia.com/ad-injection-sdk/

Edit: spelling

That page is scary reading. They’re actively selling their product as resistant to AV software and warning that it might be targeted by Google/Microsoft in the future.
Technically they're saying that their competitors might be targeted by Google/Microsoft. But yes, it's messed up that a company is openly advertising their malware product like this.
Yep, I was just thinking the same thing. Pretty horrifying to read "The SDK has anti virus capabilities and each compiled version generates a totally new version" and realize that a major PC OEM knowingly installed this on new systems. It's malware in every sense of the word.
No honor among criminals. They also:

   Actively remove global proxy injected JS by
   either removing the JS from HTML or blocking
   the requests to the ad server.
So if someone else injects JS, they remove it before injecting their own.
Wow, how is this even legal to advertise?

"... allows you to get/modify/inject all SSL traffic decrypted and without any warning messages to the user."

Sadly it allows anyone, not just "you" to modify SSL/TLS traffic since the Superfish MitM proxy is validating any cert. I have a screenshot here: http://defaultstore.com/four.png of it validating my transparent network MitM proxy provided cert and showing the lock in the address bar.
There is even a Facebook 'like' button at the bottom.
>Site is offline due to DDOS with the recent media attention.

Interestingly that site got DDOS'd.

Do they sell in USA? Are their products even legal??
SSL interceptors are typically marketed for corporate use, where the company installs a Root CA certificate into it's employee's computers (the company owns the computers after all). Nothing illegal about a company modifying a computer they own and/or monitoring traffic on their own network.
Looks like the technology used by Superfish is SSL Digestor by Komodia.com
It will be interesting to see where (and in which applications) this particular cert shows up now people start looking for it.
Question for the more legally-minded among us: Can Lenovo face consequences over this? I mean, they deliberately crippled the security systems of their consumer goods, presumably without properly notifying their customers. That sounds like the kind of thing a company could, or should, get sued for.
Well anybody can file a class action lawsuit.
Anybody that is in the class. Not all of us have Lenovo laptops.
Anybody can file any kind of lawsuit. If you can't demonstrate harm to the person filing (with a few exceptions) that lawsuit will be tossed right out, though.
AIUI, the only people who could claim damages in a civil suit are ones that could demonstrate actual costs as a consequence for Lenovo's action.

Maybe the cost of a security audit required as a consequence of this issue might qualify - I don't know. But there would have to be actual costs involved.

"AIUI"? What's that now?

Ok, googled it, wait for it... "As I understand it".

Whew!

Thank you. IRDUTPOTOA (I really don't understand the point of these obscure acronyms).
That's because you find them obscure. If your community used them more frequently you would just read them in place, like people do with IANAL, LGTM, AFAIK, etc.

Incidentally, I didn't understand this one, but I don't blame OP (oops, I mean 'original poster') for misunderstanding the linguistic norms of HN (hacker news).

Incidentally, first time I've seem LGTM, had to google it.
.lgbt as a gTLD? LGTM.
I agree. Nowdays I read things like "IANAL" or "AFAIK" as words, not acronyms. When one reaches this point, such acronyms are pretty convenient.
They're faster to type, and I suspect I find them more pleasant to read (this is hard to test). AIUI, IIRC and similar are good disclaimers to make, but they're basically boilerplate, and don't need to take up lots of space.

Similarly, compare "(c) 2015 philh" to "this post is copyrighted by philh, as of 2015".

<trivia> Interestingly enough, (c) 2015 philh does not meet the requirement. You need either the word, copyright, or the actual copyright symbol. </trivia>
IIRC you don't need any of this, you will still hold copyright to what you have produced. This is just a friendly reminder to your readership.
IANAL but I believe you are correct although you get some extra legal protections by including the notice (which only need include the word or symbol and the name and year). Namely, an infringer cannot claim they did so accidentally... or something like that. FWIW.
Correct. The Berne Convention did away with 'formalities' like having to register your copyrights in order to hold them. You still need to have a registered copyright to sue for statutory damages in the USA, though.
No, you do not. Any work you do is automatically under copyright as long as that is a reasonable expectation (given a site's TOU, etc.)
They're a significant indicator that you're reading a message from someone who doesn't mind inconveniencing an unknown number of people to gain a negligible benefit for themselves. :) Or, at least, this is what I remind myself when I catch myself using them. Typing is not a hardship. I spend time trying to come up with the absolute clearest way of writing what I'm trying to say, so why would I then take a step backwards (potentially) in clarity just to save myself three seconds of typing?
> AIUI, the only people who could claim damages in a civil suit are ones that could demonstrate actual costs as a consequence for Lenovo's action.

So, basically what you're saying is that I can secretly take nude photos of you (when you're not in a public place), and "enjoy" them (in whichever manner) but not share them with the public, and you can't sue me unless you can demonstrate my actions actually costed you money?

In general, that's correct.

However, depending on your jurisdiction that may be a crime. In that case, I or the state might be able to prosecute you under criminal law. I don't generally understand that to be within the meaning of "sue" though. And, again in general, criminal conviction leads mainly to punishment rather than reparations to the victims.

Oh, and exceptionally, if I'm your "model" then without me signing an appropriate release I own copyright on your photos, so I may be able to sue you for losses (probably to the value of you buying an equivalent market-rate DVD or something).

> if I'm your "model" then without me signing an appropriate release I own copyright on your photos

You sure about that? AFAIK the copyright is with the creator, i.e. the photographer. Model release is required on for privacy purposes, not for copyright.

That is correct, at least in the USA. Photog owns the copyright upon creation. Model release is required for (certain) uses in publication, but not all - for example, newspapers do not have to get model release from people in photographs used for editorial purposes.
In the United States it's actually the photographer who owns the copyright not the subject. Not positive if this is the case everywhere but I believe it is.
In the United States it's actually the photographer who owns the copyright not the subject. Not positive if this is the case everywhere but I believe it is.
(comment deleted)
You don't own the copyright without a model release, but, in many (but not all circumstances), you can sue for renumeration if your likeness is used without your permission. With the exception of some work-for-hire scenarios, copyright is always with the creator (but the creator must be human; monkeys don't count[1]).

1.http://www.theguardian.com/technology/2014/aug/22/monkey-bus...

There's a distinction between civil and criminal law, and the post you responded to was only talking about civil law.

I'm no lawyer, but as I understand it, you sue people under civil law for some kind of compensation - for financial loss, loss of reputation, psychological consequences, etc. Your voyeur example would hopefully fall under criminal law, which deals with the things society considers morally wrong. But a criminal trial would be prosecuted by the government, not by you suing.

What about knowingly putting consumers at risk? Suppose you buy a new car from GM and you later find out they've installed worn-out second hand brakes (on purpose, knowingly, and for profit motivation). But you're an old lady that only used the car to drive once a week, at 15mph to a church five blocks from home, so no damage happened. You're telling me that GM couldn't be punished for anything?
In the US, at least, you must have "standing" to sue someone. That means that you have to demonstrate damages.

Those damages may be minor -- you don't have to have killed anyone -- but they have to exist.

If, in your example, GM only installed the worn out brakes on that one car, and the worn-out brakes never caused any damages, then no, GM cannot be sued for it.

Note that "I had to pay a mechanic to replace the brakes" is damages.

I am not a lawyer, this is not legal advice, I may be wrong, etc.

Since you mention cars, there is a lot of regulations and laws regarding the production, selling and importing of cars. As such, producing unsafe car is likely a criminal offense, and it would likely be NHTSA who would go after GM.

But in this case, there is good precedence for claim of damages. People has used time it have taken a engineer to investigate, clean, and fix a computer system after a computer intrusion. Even a few hours work will result in several thousands, much more than the laptop itself is worth.

Dutch IT lawyers [1] say that Lenovo could be breaching European and Dutch Law. More specifically the "cookie law" which says that explicit permission is needed to change and read data from a user's computer (Lenovo never asked explicit permission). I also hear mentions of breaching the "computer intrusion" law (classifying this as a hack) and even the "communications tapping" law (Lenovo is not licensed to MitM your connections). I do not think a EU class-action or private citizen lawsuit will follow, but perhaps the official institutions can hand out a big fine. However, if Lenovo MitM'ed your connections and you can prove that, that would in principle be enough to get this case in front of a tort judge.

[1] http://tweakers.net/nieuws/101472/lenovo-overtreedt-wet-met-... (lang:nl)

I don't know Dutch law but I'm interested you say "tort judge" - unauthorised access to computing systems is made a crime in EU. It should be a criminal prosecution.
Didn't they come that way? It's not like they secretly snuck into your house and changed your computer. They sold something broken. It's the difference between going to your house and breaking the latch on your window, vs selling you a window that won't latch.
If I sell you a window that only appears to latch, and then come by later and rob your house, I might face criminal charges.

Lenovo didn't just sell something with broken security. It purposely broke the security, and profited from it.

(comment deleted)
Adware is not a broken product, it is an illegal scheme to earn profit on other peoples hardware by deliberate deception.

Did they inform their customers in advertisements, in the stores, or in any way that sold devices was being used by Lenovo after sale? Were there a meeting of minds where customers agreed to have their traffic MiTM and have advertisement of Lenovo choice on their device in return for fair compensation? That could have made it legal, but as it stand, no aspects of consumer protection laws, advertisement laws, contract laws, computer crime laws, or data protection laws seemed to have be followed.

They secretly snuck into peoples private property, used a backdoor, and earned profits doing so. They didn't tell anyone for obvious reasons. Had it been a one-man company doing this, then that person would be facing jail time.

Lenovo actively circumvented your security and sold access to your computer to Superfish. If you want to compare it to windows, it's like a security door salesman who sells extra keys to organized crime on the side.
I'm sure they might claim that the user agreed to it, but it's important to remember that EU Data Protection law places limits on what people can agree to. You can store person data if it's proportionate for a cause. MitMing all SSL connections? No way is that proportionate.
IANAL;

In the Lenovo case, probably not. But in the case of an employer-provided system and network intended for business purposes which performs SSL interception for security and data leak prevention? I think it can clearly be considered reasonable for the company to do that, and the user's expectation of privacy is significantly different. I do feel it's important that Acceptable Use Policies, Employee handbooks, etc. disclose the activity though.

Definitely, but no way Lenovo can even get close to the same sort of justification. It's reasonable that my workplace monitor and manage how their network bandwidth is being used. It's not reasonable that Lenovo gets to spy on my specifically encrypted traffic just because I bought a computer from them for personal use.
In this case, Lenovo hardly is spying or even interested. The bad thing is they are

a) selling capability to advertise to you, without your real consent, and

b) when the do it, the implementation is so horribly broken that it exposes end users to be exploited by just about anyone.

I see little malice, I see a lot of incompetence and outright, unforgivable stupidity. This opens door to the malice of others.

The demonstration of harm is what would be key in this case. Showing that things have the potential to cause harm often isn't enough.
In UK, as I understand it, unauthorised access to computers and networks/communications under the Computer Misuse Act is a strict liability situation: you only have to do it to break the law, no harm needs to be shown. MitM-ing my connection would be unauthorised access. It's a crime.
Should there be some form in intention, I wonder?
According to the CMA [0];

The offence of unauthorised access requires proof of two mens rea elements, (see section 4 CMA):

    (1) there must be knowledge that the intended access was unauthorised; and
    (2) there must have been an intention to obtain information about a program or data held in a computer - section 1(2) CMA.
[0] http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/
There is also negligence. Like in the original case [1] where a woman got ill and suffered emotional distress after drinking bottled ginger beer with a decomposing snail in it. Even though the manufacturer had no intent to sell "snail beer" -- a consumer has a trust relationship with them: in exchange for money they can reasonably expect the manufacturer to take enough care not to bug them.

[1] http://en.wikipedia.org/wiki/Donoghue_v_Stevenson "it was reasonably foreseeable that failure to ensure the product's safety would lead to harm of consumers."

@JustinBrookman just linked[0] to this FTC ruling against HTC in a similar case in 2013: http://www.ftc.gov/news-events/press-releases/2013/02/htc-am...

Choice quote: The settlement requires HTC America to develop and release software patches to fix vulnerabilities found in millions of HTC devices. In addition, the settlement requires HTC America to establish a comprehensive security program designed to address security risks during the development of HTC devices and to undergo independent security assessments every other year for the next 20 years.

[0] http://twitter.com/JustinBrookman/status/568466666771910657

Crippled isn't the word. They broke browser cryptography. The Superfish MitM proxy on the host is validating any cert it gets, even patently bogus ones. As a result it's possible for a networked MitM who is actively going after SSL/TLS traffic to see all traffic with no need to have the Superfish private.

Here's a screenshot of what their MitM proxy provides back to the browser for a compromised connection to Bank of America:

https://defaultstore.com/four.png

Note that my MitM proxy cert is one gen'd with OpenSSL and is not the Superfish private! While it's cool that the private can be extracted, given the failure of the Superfish software to properly validate the public in the SSL/TLS handshake, the Superfish private isn't something a bad guy needs to get in the middle of encrypted traffic.

Once Lenovo was bought by a chinese company... didn't everyone kind of assume the state of China would use this opportunity to do what the NSA does for American hardware? The extent of the NSA's actions weren't known at the time, but you had to assume China would be less bound by restrictions.
SuperFish is based in Palo Alto and funded by DFJ.
Lenovo has always been a Chinese company. I think what you are recalling is that they bought the PC part of IBM (thinkpads and whatnot).

    | sort | uniq > super.dict
why not

    | sort -u > super.dict
Muscle memory.
Easier to remember?

You have to remember switches for every command, while commands like sort only need to be remembered once.

'cause I'm a Windows user who don't know the advanced flags of Unix command-line tools
Code is not the only sort of thing with an optimal chunk size. Languages and APIs (such as sets of library or system calls) run up against the same sorts of human cognitive constraints that produce Hatton's U-curve.

Accordingly, Unix programmers have learned to think very hard about two other properties when designing APIs, command sets, protocols, and other ways to make computers do tricks: compactness and orthogonality.

http://www.catb.org/esr/writings/taoup/html/ch04s02.html

Why would they voluntarily distribute their own private key?
It's a local proxy, meaning the certificate needs to be deployed locally.
Ah - I'd assumed they had a box in China somewhere that was MITMing and injecting the ads. Thanks.
Taking away the legal aspect, that would be incredibly slow and easily noticeable.
It wouldn't delay the page load time, so it doesn't seem like it would be slow or very noticeable. As a user, at most you'd notice ads popping up a few seconds after the page loaded. But users without adblock are used to such things. And as long as the adware reserves a blank space on the page to display ads, the ads won't mess with the layout of the page when they load.

EDIT: Why has this been downvoted twice? It's absolutely correct.

It's a strange day when you post something unambiguously true to HN and it gets summarily downvoted.

The only part that isn't unambiguously true is that "most users without adblock are used to such behavior already." But I stand by that phrase, because "most users" are people who understand almost nothing about about computers.

Remember, downvotes are reserved for trolls and people you disagree with, not something which you think is "maybe untrue but I don't know whether it's true." I've complained in the past about having to write epic edits because people don't follow this so I have to explain myself further.

Maybe you want more explanation about how precisely the above MITM would work? Here's how: The page loads. This completes normally, and the user doesn't see anything differently. In the meantime, Superfish reads the network traffic that has loaded. It also has injected some javascript in order to reserve a spot on the page to display ads. This would be a big blank space where the ads go after they load.

Now the network traffic is sent off to China or wherever. It's analyzed on a server, then the server sends back commands to Superfish about what to do, like "Display ad 91234128 at X,Y spot on the webpage."

The total roundtrip time would be no more than a few seconds. China isn't the moon. Half the speed of light is fast.

Your post is off topic and misses the point entirely which is why you are being down voted. Routing all http traffic to China and back would certainly introduce noticeable delay in page load times.
(comment deleted)
(comment deleted)
It's a proxy, so every request and response is routed through it. Not just the ads. Every element of every page would have this delay added.
Superfish is a local proxy. It doesn't introduce load time delays, because it's local to the machine.

The page would load normally, then Superfish would be shipped off to China, then it would receive a command back from China about what to do.

nailer specifically said the box in China was doing the MITM.
I specifically said it was an assumption I had - after it was proven incorrect.
That wouldn't avoid storing the key on the local machine, since the MITM server still needs to be on the local proxy.

I have no idea why you're chasing this thing. The gist of nailer's original post was asking why the private key was accessible. Whether the local proxy talked to a box in China or not seems completely irrelevant.

Yeah, I see in hindsight that I did little more than pollute the thread. Sorry, everyone. I'll shut up.
Thank you for the lecture on downvotes. You are 100% wrong because we are discussing the presence of the private key. Your scenario imagines an intelligent proxy that interacts with China intelligently. In that scenario the private key remains on the end user machine to enable low latency as you describe. The upthread poster presented the scenario wherein the key is not distributed on end user machines for security reasons, but that then means the key must live on the theoretical server in China (otherwise how else would you encrypt a connection against your certificate), which would require passing the entire TLS connection through that server to perform the MITM.

This subthread is about private key distribution. It's really poor form for you to react to being downvoted (as legitimately wrong) by lengthening your comment by a factor of 5 and lecturing people about downvotes.

No, you don't need to pass the TLS connection to China to perform an MITM. Superfish would generate a cert at installation time, unique to the specific user that was being targeted. The channel back to China would be protected by TLS too, but it wouldn't be MITM'able by anyone except Superfish HQ, unless they lose their private key.

I disagree that it's poor form to react to downvotes when they're wholly unjustified. Maybe I did a bad job explaining myself. In that case, I should explain myself better. That's a positive thing, not a negative. Reddit has this stupid trope like "Complaining about downvotes? That's a paddlin'." Which if you think about it just a self-reinforcing culture of bandwagoning. But I imagine that this is now entirely offtopic and boring, so let's focus on the tech.

Again, irrelevant. This thread isn't "sillysaurus3 imagines how he would implement the perfect proxy," it's correcting an assumption about the actual existing proxy. I suggest if you want to pursue your off topic study of how to implement a proxy that doesn't introduce latency while performing the functionality, you do it elsewhere.

You should also read the HN guidelines before explaining downvote etiquette to me, because they will surprise you, apparently.

Why should I do it elsewhere? This is a thread about an interesting tech topic, and maybe some people might find that aspect interesting. This is the last comment I'm going to write to you because this is now wholly uninteresting to readers. I'll never understand this mindset of "Oh, well, there might be a misunderstanding here, but rather than clarify it calmly and rationally, I'll take this as a license to be angry and mean."

Who cares if someone thought that the proxy was going to work like X, but it turned out to work like Y? What matters is that if it can work like Z, then Z should be pointed out, especially if it enables some interesting aspect that people previously hadn't noticed. Anyway, you've successfully killed the fun of HN for me for the day, so see you later.

It says a lot about you that you think a calm explanation of your downvotes, as you are plainly in hysterics over them, is me being angry and mean. I meant elsewhere in the thread. You corrected someone who was correcting someone else, and you were wrong about the spirit of your correction. I was calmly suggesting that if you want to think through such a hypothetical you shouldn't do it as a misplaced correction.

You really need to unplug for a bit. I'm dead serious.

Okay, I see. Thank you for the explanations. You're probably right.

EDIT: Yeah, I was being an idiot. Thanks for the reality check.

From your statements about bandwidth, I think you're probably assuming just HTML and no images/video - which used to be fine a few years ago.

However these days insecure images/video etc in a page served over HTTPS will trigger mixed content warnings in most browsers.

(comment deleted)
(comment deleted)
There is a way how to identify MITM on HTTPS connection. If you are using SSL cert authentication via HTTPS, than it stops working, because browser (at least my FF) will not know that it should send a client cert to server and you can not 'login' (not analyzed it deeply)...

I discovered it when I'be bought Lenovo Yoga2 Pro in December, and I could not login to my site that is using SSL cert authentication. Google than recommended me to remove SuperFish...

I think what you are referring to is Cert Pinning.

[1]: http://security.stackexchange.com/questions/29988/what-is-ce...

I believe the intent of the parent poster was actually correct. SSL client certificates [1] are a way to securely authenticate (i.e. login) by using a certificate which you control the key to in addition to the normal SSL certificate for the website.

An over-simplified example: if Alice (A), a client with web browser on a compromised computer, wants to access the BigCorp website (B) she sends a challenge, such as a random string, to B, and B sends back the challenge encrypted with the BigCorp SSL certificate. Alice's browser verifies that the signature corresponds to a valid certificate, which it does because BigCorp's certificate is legitimate and signed by a legitimate CA, and then Alice's web browser and the web server negotiate a session key to use for SSL.

If we introduce an attacker, Eve (E), to this, who has the key to a trusted certificate on Alice's machine, Eve can intercept Alice's original challenge and send back an answer to that using the trusted certificate, which Alice thinks is genuine because the certificate is valid in her browser. This is where certificate pinning helps, since if Alice has visited the site before, the certificate does not match and she gets an error. After the negotiation, Eve then has a session key to both A and B, and any data that A sends, Eve decrypts and re-encrypts with the session key for B, passing it seamlessly onto B, and vice versa for traffic going the other way.

SSL client certificates break for a MITM attack for a different reason. When Alice is using an SSL client certificate to authenticate herself, she has her own certificate on her machine which she knows the private key to (it can even be self-signed). The web server knows Alice's public key (stored like a password hash in a database), and can therefore perform a similar challenge for Alice. When Eve intercepts this challenge, she cannot send a valid response back to the server, as the only valid key for Alice's account is stored on Alice's computer. Therefore, sites that let you sign in with an SSL client certificate often just stop working when you are being MITM'd.

[1] http://www.symantec.com/connect/blogs/client-certificates-vs...

Interesting, from komodia's website:

"Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core." https://twitter.com/idfspokesperson

Surely, Intelligence Corps. "Intelligence Core" is rather self-refuting.

As another poster says, this likely means nothing as all Israelis are forced to go through a military brainwashing program.

Question: how does it work if user goes to the page which has invalid / self-signed certificate? Does proxy sign the altered page with the same certificate as others, thus making the warning go away? This would leave you open to other parties' MITM attacks too (because warnings are silently ignored).

Or do they leave the page intact if the page certificate is not legit?

And people scoff at the idea of buying an Apple laptop.

Lenovo used to be championed around as the best competitor because of it's hardware, but this comes to light: What do you say to that? For the past 5 years Apple has had the best laptops in the world hands down.

Except quite a few of us can't stand them for various reasons:

* the os does not feel practical (menu bar on only one screen? No universal home/end? No universal way to jump/select words like (ctrl + ->, ctrl + shift + -> on Windows and Linux) * non-standard keyboard layout, no way to adjust it (specifically fn/end)

Mind you, I am a fan of Macs and recommend friends trying them but I don't want one as long as I cannot afford one laptop for work and another for photos and stuff.

(btw: I didn't downvote you)

FWIW, OS X has a menu bar on every screen since 10.9, and you can indeed jump/select words, just substitute Option in place of Control (always been that way AFAIK).

What's "the standard" keyboard layout? Looking forward to that one. :)

> FWIW, OS X has a menu bar on every screen since 10.9,

Good. About time should we say? I left Apple three years ago.

> and you can indeed jump/select words, just substitute Option in place of Control (always been that way AFAIK).

Except if you use another application, then you have to use CMD or fn. But careful, cause in a third application that is a substitute for home/end.

> What's "the standard" keyboard layout? Looking forward to that one. :)

It's easier to tell when someone breaks it:

* Adding shortcut keys on the sides of the keyboard so that I end up starting 5 calculators. (my wifes hp compaq)

* Not putting ctrl in the lower left corner, nor letting me remap it, causing frustration every time I move from the full size Apple keyboard to the laptop or between almost any other machine and an Macbook. (Some thinkpads fails here but at least then you can change it in bios.)

* not having home and end keys nor any consistent way of replacing them.

Again I'm an Apple fan and I am happy that they saved us from older Windows phones but it is not for everyone.

Plus the macbooks get stupidly hot. Closest I've felt was some junk HP. The keyboard is a joke. The clickpad is annoying. It's obviously all form over function.

The screen's fantastic, and I guess some people like the shiny metal look. It's got decent hardware, and lots of video out ports. Except, no TPM or other secure storage. And they don't see to take the "let's expose PCIe on outside ports" problem seriously.

Unfortunately, Lenovo is running after them blindly, destroying the work IBM has done on the ThinkPad. I suppose there just aren't enough users with $$$$ to spend to counter the trendy shoppers.

And people scoff at the idea of buying an Apple laptop.

They do? Seems to me that buying an Apple laptop is the most fashionable thing at the moment.

For the past 5 years Apple has had the best laptops in the world hands down.

But don't put those hands down too hard, because the needlessly sharp edges cut into your hands if you do.

Seriously, is it that hard to allow people to have their own preferences?

Apple hardware is pretty solid but I have never really gotten used to OSX. I do most of my work in the terminal, Chrome and Sublime Text, and each time I bring up Finder I am sorely reminded of how much I miss Explorer.
There's an ongoing discussion with some members of the Chrome team on Twitter involving whether or not they should revoke the cert: https://twitter.com/matthew_d_green/status/56843703790644428...
https://twitter.com/agl__/status/568443835841261569

Thanks for making HTTPS non-mandatory in HTTP/2, IETF!!

>Thanks for making HTTPS non-mandatory in HTTP/2, IETF!!

You're shitting me!?! Who, specifically, do we have to blame for that?

That is fucking infuriating. What was their reasoning for removing it?

http://lists.w3.org/Archives/Public/ietf-http-wg/2013OctDec/...

>To be clear - we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case -- browsing the open Web -- you'll need to use https:// URIs and if you want to use the newest version of HTTP.

Someone explain to me when "an informed choice" would ever come to the conclusion of, "Encryption? Not Necessary!"

> Someone explain to me when "an informed choice" would ever come to the conclusion of, "Encryption? Not Necessary!"

I've been informed that encrypted web traffic costs money for the certificate and for additional server hardware. Thus I made the informed choice to use HTTP/2.0 without encryption.

They should have made the secure channel for encryption over HTTP/2 use DNSSEC, then you could roll your own keys, no CA authority needed (beyond DNS)
>encrypted web traffic costs money for the certificate and for additional server hardware

1.) You can make and self sign your own cert. As another poster pointed out, there's also distributed solutions.

2.) When we let standards that are going to be in-place for at least a decade be manipulated by the hardware costs at their inception, it's a bad standard.

90% of the time the desirable quality of TLS traffic is authentication of the server, not encryption. Encryption only really comes handy when confidential information and authentication credentials get exchanged.

Now if you provide authentication by other means, and confidentiality of the traffic not important, plain text protocols make sense because it enables caching proxy.

Typical use case: software updates distributed as signed packages. The information isn't very confidential, and using plain HTTP enables the usage of a caching local proxy.

> 90% of the time the desirable quality of TLS traffic is authentication of the server, not encryption.

Authentication of the server is not sufficient, you also have to authenticate every message as having a valid checksum and signature.

>Typical use case: software updates distributed as signed packages

This is a specific use-case because the package checksums are verified before any of the code is executed (unlike injected javascript to webpages). Also the checksum is usually obtained from the package server, so if SSL is broken the checksum can be spoofed as well.

> encryption is necessary for there to be any meaning to authentication.

Could you elaborate on why that is the case? Do you perhaps mean cryptography rather than encryption?

> Do you perhaps mean "cryptography" rather than "encryption"?

That's true the poster said authentication of the server, if you sign every message cryptographically, you'll be able to detect message tampering. I should edit that.

You know you can use MAC and a NULL cipher right? Even in IPsec there is a whole mode, AH where messages are authenticated but not encrypted...
>Encryption only really comes handy when confidential information and authentication credentials get exchanged.

It's 2015 and we have quad-core processors in phones that are faster than my laptop. What reason can anyone possibly have to not at least strive to encrypt everything? When is it advantageous to not encrypt?

Localhost connections? Watching your own traffic on a LAN for debugging purposes?
The danger of allowing unencrypted traffic to dominate the web for another decade is not worth the convenience to developers.
Unencrypted HTTP/2 is for host-internal communication, ie. between app servers and public endpoints. Firefox and Chrome are both only going to support HTTPS for HTTP/2.
Interestingly, for users who are running the Superfish software there's no need for a MitM to have the private certificate as the Superfish MitM proxy is validating any cert. I have a screenshot here: http://defaultstore.com/four.png of it validating my MitM proxy cert. To be clear, I'm in the middle of the TLS connection from Bank of America thanks to Superfish not denying the bogus cert I provided.

If you have Superfish and want to validate this behavior for yourself, you can visit https://defaultstore.com/ and watch it accept an expired cert. Given this situation the Chrome team and others should without a doubt treat the cert as revoked.

It's likely a lot of people are still running that software. I bought a Lenovo Yoga 2 11 today and it had Superfish installed by default and all my connections are MitM'd on that machine.

UPDATE: if the cert is revoked, it will likely leave a lot of people unable to browse the web. It would be nice if the revocation process in Chrome could provide users with instructions on how to remove the software.

What charming casual racism. "It's pretty ghetto" ... "The ghetto way is just to run this on a machine" ... "The ghetto reversing is to run strings."
Is that racist? I thought ghetto just meant poor/inelegant, across all colors and nationalities.
(comment deleted)
When sbi sees the word "ghetto", she thinks of a particular race. So this is a case of the pot calling the kettle...

Whoops! Never mind...

Racism? Webster's definition[0] of ghetto (and that of any other respectable dictionary) makes no reference to any particular race. Would the phrase "the poor man's solution is to run strings" also be racist, by your logic?

[0] a part of a city in which members of a particular group or race live usually in poor conditions; the poorest part of a city

That's only one of the definitions in Webster. It also includes:

> 1: a quarter of a city in which Jews were formerly required to live

http://www.merriam-webster.com/dictionary/ghetto

(Note: I'm not calling the article's author racist, just noting that the above claim about Webster is factually mistaken.)

Webster's Dictionary does not discuss the pejorative use of the word "ghetto" and in any case is not an arbiter of racism.
Well I'm glad that you seem totally qualified to be our great arbiter of racism. What would we do without you?
Be very careful accusing people of racism. When you get it wrong, you undermine complaints about real racism.
Move along, nothing to see here. Lenovo said there are no security concerns.
I hope the people in IT departments who like to pretend things like Websense or Cisco Web Security are good things are reading this.
I've been hoping for years people would wake up to the risks of these things.

I presented on the topic at Blackhat Europe a few years back, where I disclosed several certificate validation flaws in Cisco Ironport. I understand there's legitimate reasons for enterprises to want to decrypt and inspect TLS connections, but it's not without it's risks and downsides.

If you're curious about my past work, see: http://www.secureworks.com/cyber-threat-intelligence/threats... http://media.blackhat.com/bh-eu-12/Jarmoc/bh-eu-12-Jarmoc-SS...

Good set of slides. Companies are more likely to be afraid of the other risk, which is why SSL interception is used - when malware makes use of it to avoid detection.

Security cuts both ways. I think the most important point is that the user should be in control of the traffic, which means knowing whether or not interception is being used.

Yeah, it's a balancing act, and there's certainly a desire (and probably even a legitimate need) to monitor encrypted comms for malware C&C channels, data exfiltration, etc.

Your view seems to reflect a similar nuance as my own. Administrators need to weigh the risks and benefits as it relates to their own environment, and users should at least be aware that such monitoring is taking place. Beyond that, there's some technical challenges, but I see the bigger issues as political and expectation vs. reality alignment.

There's also a video of my talk online, which I'd honestly forgotten about. Maybe someone will find it interesting; https://www.youtube.com/watch?v=7TNdHzwTNdM

Those kind of monolithic network security systems see to be intrinsically pointless. If a user can run code on the machine then they can probably get around the network level security. So any implementation is dependant on AV software preventing circumvention. At that point you might as well install the tracking/filtering software on the local machine.
No. Network level security, if correctly installed, cannot be avoided by just running some code on your local workstation. If you have it installed on the station itself, then it is easier to avoid by just shutting it down. Also network based security can isolate workstations that are suspicious.

And your 'monolithic' is a symptom of architecture, that is either outdated ("not hipster") or just bad. But that does not mean that someone can't build hipster and good network level security. I guess, Google does not buy that off the shelf.

>> No. Network level security, if correctly installed, cannot be avoided by just running some code on your local workstation.

Don't you have to intercept/reject TLS to make that workable? Otherwise the user (or malware) can upload or download anything and all you see at the network level is a destination IP address. If a user has admin rights (which is common in corporate environments) then they can install software which can mimic a browser using HTTPS.

At the network level it is difficult to identify what program generated a request and which user was running that program. I am very sceptical of the heuristic approaches that try and solve this problem (Palo Alto App-ID for example) that display quite shocking emergent properties.

Surely it is technically preferable to track network requests within the OS and browser where you can actually get at information reliably without any hocus pocus. If a user can avoid it by just "shutting it down" then they can also remove the AV, connect to a proxy and spend the afternoon uploading client lists to a porn site.

Yes, the proxy has to offload the original TLS connection in order to do that. And the network owner must deploy its own certificate to the clients.

The whole X.509 infrastructure is based on trust. You have to trust your certificate store, the certificates, the network and its components and CAs need to trust those who request certificates. If you have to use a network that uses a proxy, you have to trust it aswell. If you do not, then just do not use it or at least don't do your online banking over that network (or use a VPN if allowed (sigh)). So a good network security deployment is not only well maintained, but also transparent to its users on what it does. The user must have a choice on whether a network is trustworthy or not.

The problem with SuperFish is that it shipped not only the root certificate, but the private key to sign new certificates on the fly. And the user was not informed about it and not given a choice. This is the problem here.

Most clients I worked for provided me with a separate network for unfiltered internet access (guest networks) in which I used a VPN to a network which I trusted. I was given a choice.

Edit: A thing that bugs me often is when I see a network proxy that does not use TLS for the proxy connections. Unfortunately that is happening in the majority of networks, I see. And that affects my trust, so I rather avoid accessing certain services when I cannot have my VPN.

I guess that corporations need lots of network level security because they have so much unencrypted sensitive data on their networks which places a lot of implicit trust in that network.
That is true. That is why attackers (like the NSA) would be happy to infiltrate routers (less changes from the outside like administrators) instead of clients (more changes). A proxy is a quality target, too. But a proxy is also more visible and tampering is usually easier/faster to detect. Corporations need to TLS and/or message encrypt everything. But that is often not priced into (project) budgets and a hard thing to do (key exchange, managing certificates).
Why does Superfish sign new certificates on the fly? Why not just use wildcard certificates?
That is possible. But that depends on how TLS clients approve wildcard certificates. Wildcard certificates are considered harmful. And AFAIK, browsers will not accept 'star.star' (correct me if I'm wrong). So if I host a MITM proxy, I at least use FQDNs as subjects. It also works better with revocation lists/protocols.

An example for why wildcard certificates are bad is Microsoft. A couple of years ago, they had problems with subdomains which delivered malicious code through hijacked web pages that were hosted on those domains. Microsoft used a wildcard certificate...

https://tools.ietf.org/html/rfc6125#section-7.2

I don't see a problem with those solutions that protect networks, if the users know about it. The alternative would be to have no Internet access at all in order to lower risks of loading malicious content.
I see problems with them as well. There's the security risk that the products might have vulnerabilities that expose end users. Secondly, they may cause other problems that are not security problems. For instance, I have experience of a solution where HTTPS proxy mangles AJAX stuff that goes over HTTPS. This will cause very weird problems that are hard to debug.

Here the problem is not that the proxy would be trying to insert advertisements to the content. Just changing IP addresses within AJAX content may break functionality in nasty ways. For instance, so that things work with some browser and not another one, or reuiqre a particular engine setting in MSIE11, or some such. There is no problem in the service itself, but the service gets the blame because people can't think that a Cisco product in between might be the cause.

Of course there are security implications with central services like an enterprise-grade proxy. And anyone using such a solution must do the best to keep it secure. It is all a question of probability and of costs. I bet, most vendors of such solutions will do their best to protect them and their customers. So a network security solution that might have a exploitable hole in a period of time is better than none.

I've been working my entire career for large companies. I've experienced many solutions and I cannot remember one technical problem that was caused by network security, other than "InsertYourSocialNetworkOrBinary was denied by SecurityRuleXYZ". At several companies I had to sign a paper that informed me about the security implications and my duties when using the companie's Internet/network access.

I have also worked for larger companies, mostly, and within them I have actually experienced many technical problems caused by network security solutions.

HTTPS man-in-the-middle proxying is one particular scourge that causes weird things - the problem reports being of the kind that in a completely legitimate and intended use case, "Chrome works, MSIE does not".

I'm surprised hashcat doesn't support PEM files and there doesn't seem to be any public GPU based cracker.
If the private key/certificate really is the same for every installation of superfish, it would be interesting to investigate whether the the key is shared by all the other customers of the SSL interceptor as well. Their references mention Barracuda Networks and Astrill, for example.
As someone who used to work for a Barracuda competitor and would love to spill some hot soup on them, I'm very confident in saying: no way. Even if they were dumb and incompetent enough for this (they aren't), enough of their customers are savvy enough to demand they change it.
(comment deleted)
I was just browsing some pages on the Lenovo forums where users were complaining about SuperFish (some from January, one updated complaint from today). I refreshed a page and received a message stating that the forums are down for maintenance. Either this is damage control or the forum provider (Lithium?) was ill-provisioned for the current level of traffic.
Anyone up for decoding the cert used by GoGo Inflight WiFi Service?

https://www.techdirt.com/articles/20150105/09344429597/gogo-...

This is not likely to be possible. Rob Graham was able to do it for Superfish because the SSL interceptor resides on the same machine as the browser, meaning that the private key is accessible to anyone who installs Superfish.

By contrast, the GoGo interceptor is going to be a computer somewhere either on the plane or possibly on the ground (at some GoGo data center), meaning that its private key isn't accessible unless you can somehow gain access to the interceptor system.