
According to various reports, this Superfish adware uses the same certificate across Lenovo computers. It should be easy to grab the private key out of the proxy binaries. And then... all these computers are vulnerable to arbitrary HTTPS man-in-the-middle attacks. Uh oh.


You're assuming that the proxy is on the laptops, no?


Well, the other possibility is that Superfish is routing and MITMing all traffic through its own servers, which is arguably worse.


Arguably? That's orders of magnitude worse.


Well, I dunno. In one case Superfish can see all your data and store it on their servers, in the other case _anyone on the internet_ can spoof any site (as soon as someone extracts the key). Either way is pretty bad.

But proxying all traffic from all Lenovo laptop owners through a third-party server without someone immediately noticing a problem is just not feasible, so I think we can assume that's not what they're doing.


Are you sure? Android Chrome proxies all non-HTTPS traffic through a third-party server, by default. So it isn't like the traffic volume is impossible.


It's not by default, you have to enable it.

https://support.google.com/chrome/answer/2392284


Yes, but that's Google. I'd be surprised if Superfish had resources like that, or could generate that much traffic from their servers and not be noticed (by, say, Google). I could be wrong.


Superfish might have "benefactors" with deep pockets who want a scapegoat who won't squeal on them.


Wow, really? I never knew that, and some googling didn't find any decent sources. Do you have one?



Many thanks, easy when you know the right keywords >.<



