Superfish doubles down, says HTTPS-busting adware poses no security risk

by Dan Goodin, Ars Technica

Following security professionals' near-unanimous condemnation of adware that hijacked encrypted Web connections on Lenovo computers, the CEO of the company that developed the finished product is doubling down on his insistence that it poses no threat to end users.

The statement, e-mailed to Ars by a Superfish spokeswoman and attributed to company CEO Adi Pinhas, is notable for making no reference to Secure Sockets Layer, Transport Layer Security, HTTPS, or any other form of encryption. Those technologies are at the core of security researchers' criticisms. They say the self-signed Superfish root certificate, installed in the trusted root certificate store of every affected PC and backed by the same private key on every machine, makes it easy for malicious hackers and even script kiddies to build websites that trick affected browsers into behaving as if they are connected to servers for Bank of America, Google, or any other HTTPS-protected website on the Internet: a certificate for any hostname, signed with that key, chains to a root the browser already trusts. Uninstalling the Superfish application alone does not remove the certificate from the trust store; it has to be deleted separately. On this point there is near-universal agreement. Earlier today, US-CERT joined the growing chorus of critics with an advisory headlined "Lenovo Computers Vulnerable to HTTPS Spoofing."

Update: The vulnerability turns out to be easier to exploit than previously known. As this post was being prepared, a security researcher published new findings showing that an attacker does not need the easily extracted Superfish private key to perform a man-in-the-middle attack on PCs that have the Komodia proxy installed. That is because the proxy re-signs certificates that fail validation: an attacker's self-signed certificate for any site is handed to the browser as a fresh certificate chained to the Superfish root, which the browser accepts as valid.
