Did you buy a Lenovo? You may be fucked.

That’s blunt, but it’s really about the size of it. Lenovo shipped a particularly shitty piece of adware called Superfish on some of their laptops; it watches what you do online and injects ads into the pages you visit based on that data. The trouble with that approach — and I mean that from the perspective of the ad people, not you — is that an https session can’t be read by software sitting in the middle of it, and for privacy reasons MANY sites are going https-only. (This is a good thing, unless you’re a creepy ad person.)

Well, Superfish decided to “solve” this “problem” by fundamentally breaking certificate security. The mechanism is fairly technical, but I’ll try to break it down in lay terms.

  • When you use a secure web site (i.e., https and not http), you’re using a technology called “SSL” (strictly speaking its successor, TLS, but everybody still says SSL).

  • SSL relies on special bits of data called “certificates”.

  • An https connection does two things: it encrypts the traffic between your browser and, say, Chase.com, and it verifies to you that the site you think is Chase.com really is Chase.com. The certificate is what does the second part: it carries the site’s public key together with a signature from an authority vouching that the key belongs to Chase.com, and your browser then uses that key to set up the encrypted session. This second part sounds insignificant, but it’s a HUGE deal, because anyone who controls a network between you and the site (the coffee shop Wi-Fi, for instance) can answer in Chase.com’s place; without the certificate check, that is trivially easy. Or, potentially worse, they can pretend to be the real site while watching the traffic for interesting bits (credit card numbers, passwords) and passing it on to the “real” destination so you never notice. This approach is called a “man-in-the-middle” attack. (More about this from Ars Technica, if you’re interested.)

  • Certificates are issued by certificate authorities (CAs) that your browser or operating system has been told to trust, and there is usually a chain of trust: a root authority A vouches for an intermediate B, which vouches for site C. Your browser accepts C’s certificate only if that chain leads back to a root already on its trusted list and the signature at every link actually checks out.

What Superfish did was install its own certificate as a trusted root authority on affected laptops, so that its software could forge a certificate for any https site on the fly and your browser would accept it without a peep. And because that software has to sign the forgeries locally, the matching private key ships on every affected laptop, the same key on all of them; anyone who pulls it out of one machine can impersonate any https site to every other owner who still trusts that root. This is absolutely worse than the Sony rootkit fiasco of 2005. It’s mind-bogglingly stupid and awful, and the situation is made worse by both Lenovo’s and Superfish’s utter refusal to recognize how badly they’ve fucked up. Lenovo’s initial response even included a line about how their analysis showed no security vulnerability, which was manifestly untrue and they knew it. It’s since been edited.

Superfish, on the other hand, still says they create no vulnerability. Honest to God, every single person involved with the decision to do this deserves to be drummed out of the software and IT industries at a bare minimum. Absolutely blackball these fuckers.

If you’ve got a Lenovo, you should absolutely remove the Superfish software AND the certificate. Just zapping the software won’t do it alone: removing the program leaves the Superfish root sitting in the operating system’s list of trusted authorities, and your browser will keep trusting anything signed with Superfish’s key. You have to kill the cert, too.

If you do not do this and you are affected, then anyone holding Superfish’s private key (which has already been extracted from the software) who sits between you and the Internet can pose as any https site, read and alter everything you send, and your browser will show the padlock the whole time. Every banking session, every shopping session, and every login you do on that computer is effectively open to them. I am not exaggerating.
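To make the chain-of-trust business and the “why removing the software isn’t enough” point concrete, here’s a toy model I’ve added to this post. It is not Superfish’s code, Lenovo’s code, or anything from the Ars or Lifehacker pieces; it fakes a browser’s certificate check with textbook RSA on small primes, made-up names (“Real Root CA”, “Real Issuing CA”, a stand-in “Superfish, Inc.” root, and chase.com as the victim site) and no network at all. Run it and you get the whole story in five lines: the real chase.com passes, a forged chase.com fails, a cert that merely claims the real root as its issuer fails, then the Superfish root goes into the trust store and the forgery passes with a padlock, and it only fails again once that root entry is deleted.

```python
"""Toy certificate chain: why a rogue root in the trust store breaks https.
Added example, not code from Lenovo or Superfish. Textbook RSA on small
primes and made-up names; real TLS uses X.509, big keys and padded
signatures. The part worth studying is how the chain walk reaches a root."""
from dataclasses import dataclass
from hashlib import sha256

def _next_prime(n):
    """Smallest prime greater than n (trial division; toy sizes only)."""
    while True:
        n += 1
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            return n

def make_key(seed):
    """Textbook RSA key pair from a seed: returns ((n, e), (n, d))."""
    p = _next_prime(seed)
    q = _next_prime(p)
    e = 65537
    while True:
        try:
            d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
            return (p * q, e), (p * q, d)
        except ValueError:                      # e not coprime to phi: try another q
            q = _next_prime(q)

@dataclass(frozen=True)
class Cert:
    subject: str        # site name ("chase.com") or the CA's own name
    public_key: tuple   # (n, e) of the holder
    issuer: str         # name of the CA that signed this cert
    is_ca: bool         # may this cert sign other certs?
    signature: int

def _tbs(subject, public_key, issuer, is_ca):
    """'To be signed' bytes: everything the issuer's signature covers."""
    return f"{subject}|{public_key[0]}|{public_key[1]}|{issuer}|{is_ca}".encode()

def _digest(tbs, n):
    return int.from_bytes(sha256(tbs).digest(), "big") % n

def issue(subject, public_key, issuer, issuer_priv, is_ca=False):
    """The issuer signs the holder's name and key; issuer == subject is a self-signed root."""
    n, d = issuer_priv
    sig = pow(_digest(_tbs(subject, public_key, issuer, is_ca), n), d, n)
    return Cert(subject, public_key, issuer, is_ca, sig)

def _signature_ok(cert, issuer_pub):
    n, e = issuer_pub
    tbs = _tbs(cert.subject, cert.public_key, cert.issuer, cert.is_ca)
    return pow(cert.signature, e, n) == _digest(tbs, n)

def verify_chain(chain, trust_store, hostname):
    """What a browser does: walk leaf -> intermediates -> a root it already trusts.
    chain is [leaf, intermediate, ...] as the server sent it; returns (ok, reason)."""
    if not chain or chain[0].subject != hostname:
        return False, "name mismatch"
    cert, idx = chain[0], 1
    while True:
        root = trust_store.get(cert.issuer)
        if root is not None:                    # a name we trust: the key must match too
            if root.is_ca and _signature_ok(cert, root.public_key):
                return True, f"chain ends at trusted root '{root.subject}'"
            return False, f"'{cert.subject}' claims '{cert.issuer}' but signature fails"
        if idx >= len(chain):
            return False, f"issuer '{cert.issuer}' is not in the trust store"
        parent = chain[idx]
        if (parent.subject != cert.issuer or not parent.is_ca
                or not _signature_ok(cert, parent.public_key)):
            return False, f"bad link '{cert.subject}' -> '{cert.issuer}'"
        cert, idx = parent, idx + 1

def build_world():
    """A legitimate CA hierarchy plus a stand-in Superfish root and a forged site cert."""
    real_pub, real_priv = make_key(1_000_000)
    inter_pub, inter_priv = make_key(1_500_000)
    chase_pub, _ = make_key(2_000_000)
    sf_pub, sf_priv = make_key(3_000_000)       # same key on every affected laptop
    mitm_pub, _ = make_key(4_000_000)           # the box in the middle has its own key
    real_root = issue("Real Root CA", real_pub, "Real Root CA", real_priv, is_ca=True)
    real_inter = issue("Real Issuing CA", inter_pub, "Real Root CA", real_priv, is_ca=True)
    chase = issue("chase.com", chase_pub, "Real Issuing CA", inter_priv)
    sf_root = issue("Superfish, Inc.", sf_pub, "Superfish, Inc.", sf_priv, is_ca=True)
    forged = issue("chase.com", mitm_pub, "Superfish, Inc.", sf_priv)   # minted on the fly
    imposter = issue("chase.com", mitm_pub, "Real Root CA", sf_priv)    # only *claims* the real root
    return real_root, [chase, real_inter], sf_root, forged, imposter

def demo():
    """Five browser checks; True means the padlock shows."""
    real_root, chase_chain, sf_root, forged, imposter = build_world()
    clean = {real_root.subject: real_root}
    tampered = {**clean, sf_root.subject: sf_root}      # what an affected laptop has
    cleaned_up = {k: v for k, v in tampered.items() if k != sf_root.subject}
    host = "chase.com"
    return {
        "real chase.com, clean store": verify_chain(chase_chain, clean, host)[0],
        "forged chase.com, clean store": verify_chain([forged], clean, host)[0],
        "claims Real Root CA, wrong key": verify_chain([imposter], clean, host)[0],
        "forged chase.com, Superfish root trusted": verify_chain([forged], tampered, host)[0],
        "forged chase.com, root removed": verify_chain([forged], cleaned_up, host)[0],
    }
```

Notice that “uninstall the software” doesn’t appear as a step in there, because it changes nothing the browser can see: the trust store still holds the root, and the signing key is still in the hands of whoever pulled it off a laptop. Deleting the root entry is the step that flips the last line from padlock to warning.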

If all this seems technical, you’re in luck: Lifehacker has an “am I infected?” test link up.
