Superfish is super fishy, alright

Posted by Katie McLaughlin on February 20, 2015

Update: Oh, and the password has been cracked. FUN.

Revelations over the last 24 hours have sent the security world abuzz with the news that Lenovo was shipping laptops whose factory-set operating system contained the CA for Superfish.

If any of those words scare you, let me break it down: Superfish is a company that has roots in visual analytics. Sounds reasonable. They also have a chrome extension that injects ads into google search results for visually-similar projects. Not so reasonable. But on top of this, they have a root CA cert that can, and has been, used by other companies to sign SSL certificates. Since they have the root, they can use that to sniff on encrypted traffic. The root CA is installed on a system when the thirdparty extension is installed. Or, in Lenovo’s case, directly into the factory-shipped version of windows.

So you have two vectors here: third-party chrome extensions, and the stock image of a Lenovo laptop, that can make this Superfish CA appear on your machine, and compromise your connections.

And lenovo doesn’t care.

If you buy a lenovo laptop, or any laptop, and assume that you are safe from malware, be it Norton’s suite of “anti”-virus software, or otherwise, you are very much delusional. However, for most consumers, they run with what they have, and don’t know enough to protect themselves. Stock operating systems are very bad, historically. Especially Windows installatons on laptops. But there’s only time until we can’t even trust the stock on other systems with less openness and more lockdown, like mobile phones, and the malware from telcos. More on this by mjg59

You can check if you are vulenerable by visiting https://canibesuperphished.com/. If you can get through without any security warnings, then you are in trouble. If you are stopped by chrome’s ssl checker, then you should be ok.

More links: