Lenovo pre-installs PCs with HTTPS hijacking adware

Harvy66

Even Homeland Security is "urging" Lenovo customers to remove it

http://yro.slashdot.org/story/15/02/20/2357234/homeland-security-urges-lenovo-customers-to-remove-superfish

BBcan177

The rabbit hole goes even deeper  :o :o

http://www.securityweek.com/superfish-ssl-interception-library-found-several-applications-researchers

kejianshi

Oh how wonderful…

phil.davis

And it would be good if this class action scared other companies into removing some of the pre-installed crapware from their distributions:
http://www.law360.com/articles/623675/lenovo-hit-with-class-suit-over-pcs-preloaded-spyware

Maybe it is time to get serious about jumping from the Windows ship?

kejianshi

I would have expected that you would already have jumped ship for the most part.

You seem like such a smart guy.

mikeisfly

@phil.davis:

Maybe it is time to get serious about jumping from the Windows ship?

Yeah because you can't do this in FreeBSD or Linux? Why would you blame Microsoft for a Lenovo issue? Seems like the Chinese have learned something from us, greed!

kejianshi

I think Microsoft is a known offender by now.  Too many complicated holes for it to be an accident.

Supermule

So is Google, Linkedin, Facebook and all the other almost free shot on the interwebs….

Get off, live your life and give a fuck!

mikeisfly

The real problem is the CA trust model, when we live in a world where you can trust no one. But then you have to trust someone other wise you might as well live on a deserted Island.

kejianshi

I can agree with that - It is an issue.

doktornotor

@mikeisfly:

But then you have to trust someone other wise you might as well live on a deserted Island.

I'd rather trust myself than funding the CAs bullshit business.

kejianshi

Same here

doktornotor

Superfish replaced with McAfee.

;D ;D ;D ;D ;D

P.S. How To Uninstall McAfee Antivirus - featuring John McAfee himself

kejianshi

Which is worse…  McAfee or viruses....  Damn its a tough call...

Guest

I think this article has a good view of the problem.
http://www.computerworld.com/article/2894233/web-browsers-are-also-to-blame-for-lenovos-superfish-fiasco.html

doktornotor

@Phishfry:

I think this article has a good view of the problem.
http://www.computerworld.com/article/2894233/web-browsers-are-also-to-blame-for-lenovos-superfish-fiasco.html

Nah. The browsers need to implement TLSA/DANE. Noone will ponder which CA is supposed to sign which certificate for whom; the server owner should tell the client behind the scenes. The average Joe does not understand the details and does not care.  CAs should provide enhanced validation and that's it. This BS about "oh baaad boy, you are using self-signed certificate/your own CA -> lets nag the shit out of anyone trying to use HTTPS with your website" needs to end.

kejianshi

Its designed to bilk people for as much money as possible…

Guest

He makes good points about how differently certs look across the different browser landscapes, I thought. He didn't have to use the Nerd word so many times.

edit:fixed typo

doktornotor

The BFU's understanding: Green lock == good. Anything else == bad. Cannot see this ever changing. (Frankly, when calling to some banks' helplines, I often have hard time getting someone on phone who knows what certificate fingerprint is. :()

kejianshi

The military and government here also uses self signed certs…  Its actually the way to go.