Windows 10: Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS Connec

Discussion in 'Windows 10 News' started by ARC1020, Feb 18, 2015.

  1. Dude Win User



    That is probably an SSL certificate from a shopping site. Go Daddy is a privately held Internet domain registrar and web hosting company. Yep, and probably a site he has shopped at goes through Go Daddy.


    SSL Certificate | More Protection for Your Data - GoDaddy DE
     
  2. z3r010 Win User

    GoDaddy also sell/issue SSL; the ones we use from time to time are listed as GoDaddy.
     
    z3r010, Feb 18, 2015
    #17
  3. Never been to a Go Daddy site. I used this as an example.
    Is there any way to tell if any of these certificates, going by any name, should be deleted?
     
    COMPUTIAC Guest, Feb 18, 2015
    #18
  4. z3r010 Win User


    But GoDaddy sign the certificates; it could be any old random site. You wouldn't know unless you checked every site's SSL when you visited it.

    I think they also do shared SSL that would also show their name.
     
    z3r010, Feb 18, 2015
    #19
  5. ARC1020 Win User
    Official [and insufficient at the moment] Lenovo Visual Discovery/Superfish removal instructions can be found at the following link:
    Removal Instructions for VisualDiscovery Superfish... - Lenovo Community

    Note text at the bottom, which reads "...this article will be updated with additional instructions on clean up of deactivated files and removal of certificate shortly". (Although it's been like that for quite a while now).

    ------

    You can however find unofficial removal instructions at the following link:
    How to remove Superfish
     
    ARC1020, Feb 19, 2015
    #20
  6. Mystere Win User
    Please do not go randomly deleting things without first having some idea whether you should or not. Clearly, the superfish cert should be removed, but don't go removing other ones because you think "I don't use those". You may or may not, but you wouldn't know if you did.

    Those are "Root Certificates", and are the public key certificates that root certificate authorities issue that allow you to decode the encrypted traffic (HTTPS) from banks, shopping sites, or pretty much anything that uses HTTPS from an authority. They purchase their certs from GoDaddy or other vendors who sign those certificates with their private keys. This gives you the ability to decode those keys for sites that have bought certificates from them, and they could literally be anyone.

    So unless you want to suddenly start getting certificate errors and/or not be able to use random sites on the internet for no apparent reason, don't just go deleting these without very good knowledge of what you are doing.
     
    Mystere, Feb 19, 2015
    #21
  7. ARC1020 Win User
    Not that I'm aware of. One of the weaknesses with Public Key Infrastructure is that you have to trust Certificate Authorities.

    Which, as previously seen with breaches of Comodo CA, DigiNotar CA, etc., isn't always the case.
     
    ARC1020, Feb 19, 2015
    #22
  8. ARC1020 Win User


    Going off on a bit of a tangent, but in addition to the above post, although the Ars Technica article says certificate pinning in Google Chrome will do nothing to alert users that something is amiss, IF you're techie minded and don't mind experimenting/reading up on headache inducing techie subjects, you could possibly use the Certificate Pinning feature in EMET 5.1 for the main websites that you care about logging into securely (If you use Internet Explorer). Details on Certificate Pinning can be found in the EMET User Guide (the 'Download' button HERE will give you the option to download the User Guide on its own).

    With EMET Certificate Pinning you can manually add (pin) a root certificate to be used for a particular website. For example, I could tell it to only allow VeriSign root certificate (Serial Number:18DAD19E267DE8BB4A2158CDCC6B3B4A) for signin.ebay.co.uk. Although EMET wouldn't prevent me from visiting and using signin.ebay.co.uk, if the certificate for that domain was signed by a different root certificate (such as Superfish), it should display a small notification in the bottom right corner of the screen telling me the root certificate is different to the one I specified.

    As an example, for the purpose of this post, in the below screenshot I specified a different root certificate in EMET to the one that was actually used to sign the current signin.ebay.co.uk SSL certificate, and you can see the EMET warning in the bottom right notifying me of the certificate mismatch (which needs to be bigger really and a different colour, as it's too easy to miss on a big screen).





    Obviously, if you're being MITM'd, before specifying which root certificate to pin you need a way to check a website's certificate to know what the correct certificate should actually be. One way to do this is Steve Gibson has a lookup on his website (GRC | SSL TLS HTTPS Web Server Certificate Fingerprints) that will show what the correct thumbprint for the website certificate should be. Bear in mind, these GRC thumbprints are for the website certificate, not the root certificate at the top of the tree which is what you actually specify in EMET. And also, as mentioned at the bottom of the GRC page, you still need to be vigilant because if the MITM is able to intercept your encrypted traffic, it could potentially also modify the GRC page contents. It's turtles all the way down... FYI, root certificate is shown in Certification Path tab.





    Now, EMET Cert Pinning is way overkill and isn't something a normal user would do, as it's a manual process (which is a pain), you need to learn how to use it (which is a pain) and it also needs to be updated manually (which is a pain). Even I got fed up with manually updating it every time a certificate expired, so nowadays I just set all the expiry dates to 2016. Therefore I only get notifications if the root certificate changes now. It's also not something that you can roll out to other users either because they'll just ignore the warning anyway. Now, if there was a way that Microsoft could automate certificate pinning in Windows 10 though, so that no user interaction is required...
     
    ARC1020, Feb 19, 2015
    #23
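
The root-pin comparison described in post #23, as an added PowerShell example that is not part of the original thread and is not EMET's own code: it builds the certificate path for a site certificate and compares the top of that path with a pinned root. `Get-ChainRoot`, `Test-RootPin`, the status names and the choice to match on thumbprint are assumptions of this example.

```powershell
# Added example: EMET-style root pin check. It reports, it never blocks.
# Get-ChainRoot and Test-RootPin are hypothetical helper names.
function Get-ChainRoot {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # no CRL/OCSP fetches
    [void]$chain.Build($Certificate)                # elements are filled in even if untrusted
    # ChainElements is ordered leaf -> root, so the last element tops the path.
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

function Test-RootPin {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PinnedRootThumbprint,
        [datetime]$RuleExpires = [datetime]::MaxValue
    )
    $top = Get-ChainRoot -Certificate $Certificate
    # Normalise the pin: certificate dialogs show thumbprints with spaces.
    $pin = ($PinnedRootThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $status = if ((Get-Date) -gt $RuleExpires) {
        'RuleExpired'        # an expired rule no longer raises anything
    } elseif ($top.Subject -ne $top.Issuer) {
        'IncompleteChain'    # path did not reach a self-signed root
    } elseif ($top.Thumbprint -eq $pin) {
        'Match'
    } else {
        'Mismatch'           # a different root, e.g. Superfish, tops the path
    }
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        RootSubject    = $top.Subject
        RootThumbprint = $top.Thumbprint
        Status         = $status
    }
}

# Offline demo: a trusted root is normally its own chain root, so pinning it to
# itself matches, while a constructed all-zero pin does not.
$sample = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Test-RootPin -Certificate $sample -PinnedRootThumbprint $sample.Thumbprint
Test-RootPin -Certificate $sample -PinnedRootThumbprint ('0' * 40)
```

For a real site, pass the site's own certificate as `-Certificate` and the expected root's thumbprint, obtained over a channel you trust, as the pin.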
  9. labeeman Win User
  10. ARC1020 Win User
    ARC1020, Feb 19, 2015
    #25
  11. COMPUTIAC Guest, Feb 24, 2015
    #26
  12. I read (somewhere) today or yesterday Lenovo is going to start emphasizing clean PCs *something kinda like Microsoft signature PCs in their marketing. ofc nothing beats a clean install on a new box ☺
     
    blutos cousin, Feb 24, 2015
    #27
  13. ARC1020 Win User


    It looks like from today Ten Forums have HTTPS throughout their site with an EV cert now. No idea who this 'Superfish' CA is though... I'm joking!!!


     
    ARC1020, Apr 4, 2018
    #28