The issue here isn't so much the ads as it is being able to authenticate that the remote party is who you think it is – if your browser trusts the MITMed certificate, you no longer have the guarantee that your banking website is actually your banking website and nothing nefarious, as the page has been intercepted (maliciously or not) in-flight.
The trust essentially moves from the browser to the proxy - while I don't know what Superfish does, Proxomitron definitely checks the certificate and pops up a warning dialog if there's something wrong.
why MITMing SSL at all without the user's explicit knowledge is bad
I think "without the user's explicit knowledge" is the key point here; if you install a security product then you somehow expect that it be able to inspect all your traffic for any maliciousness... as otherwise the "bad guys" will just make use of SSL to defeat that.
Presumably (hopefully!) when you installed Proxomitron, it generated a new unique private key for your own personal MITM.
Apparently Superfish ships from Lenovo with the same private key on every machine. So all a bad guy needs to do is extract that private key from one machine, and now they can MITM all the Superfish Lenovo machines from basically anywhere on the Internet.
It does come with its own certificate by default, with instructions for generating your own, but it doesn't trust that certificate for external connections; it uses a separate database of trusted roots which doesn't include the MITM certificate.
Has anyone confirmed the certificate validation behaviour in Superfish? I have a feeling it will be "none at all", which would be really bad...
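As an added example (not code from any commenter here or from Superfish/Proxomitron), a small Python audit of the question the two comments above raise: is a shared interception root sitting in the local trust store? It checks every trusted root against a watchlist of interception-product names and against a baseline snapshot of the roots the machine is expected to ship with; the sample root names and serial numbers are constructed.

```python
import ssl

def rdn(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the tuple-of-RDNs
    format ssl.SSLContext.get_ca_certs() uses for subject/issuer names."""
    for rdn_set in name:
        for key, value in rdn_set:
            if key == attr:
                return value
    return ""

def root_id(cert):
    """Stable identity for baselining: subject CN plus serial number."""
    return (rdn(cert["subject"], "commonName"), cert.get("serialNumber", ""))

def suspect_roots(certs, baseline_ids, watchlist):
    """Return [(commonName, [reasons])] for every trusted root whose name is
    on the interception watchlist or that is missing from the baseline."""
    findings = []
    for cert in certs:
        cn = rdn(cert["subject"], "commonName")
        org = rdn(cert["subject"], "organizationName")
        reasons = []
        if any(w in (cn + " " + org).lower() for w in watchlist):
            reasons.append("issuer name on interception watchlist")
        if root_id(cert) not in baseline_ids:
            reasons.append("root not present in baseline snapshot")
        if reasons:
            findings.append((cn, reasons))
    return findings

def live_roots():
    """Roots the platform store trusts right now; needs no network access."""
    return ssl.create_default_context().get_ca_certs()

# Constructed sample entries, not captured from any real machine.
PUBLIC = {"subject": ((("organizationName", "Example Public CA"),),
                      (("commonName", "Example Public Root"),)), "serialNumber": "01"}
INJECTED = {"subject": ((("organizationName", "Superfish (constructed)"),),
                        (("commonName", "Local Interception Root"),)), "serialNumber": "02"}
BASELINE = {root_id(PUBLIC)}          # snapshot taken from a known-good image
WATCHLIST = ("superfish",)

if __name__ == "__main__":
    for cn, why in suspect_roots([PUBLIC, INJECTED], BASELINE, WATCHLIST):
        print(f"{cn}: {'; '.join(why)}")
```

To audit a real machine, feed `live_roots()` to `suspect_roots` together with a baseline captured from a clean install of the same image.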
avast! was actually guilty of this a while ago (see https://lelutin.ca/posts/avast_conducts_MitM_attack_on_users...), and the article gives some good rationale why MITMing SSL at all without the user's explicit knowledge is bad.