Lenovo pre-installs PCs with HTTPS hijacking adware
-
I would have expected that you would already have jumped ship for the most part.
You seem like such a smart guy.
-
Maybe it is time to get serious about jumping from the Windows ship?
Yeah because you can't do this in FreeBSD or Linux? Why would you blame Microsoft for a Lenovo issue? Seems like the Chinese have learned something from us, greed!
-
I think Microsoft is a known offender by now. Too many complicated holes for it to be an accident.
-
So is Google, Linkedin, Facebook and all the other almost free shot on the interwebs….
Get off, live your life and give a fuck!
-
The real problem is the CA trust model, when we live in a world where you can trust no one. But then you have to trust someone other wise you might as well live on a deserted Island.
-
I can agree with that - It is an issue.
-
But then you have to trust someone other wise you might as well live on a deserted Island.
I'd rather trust myself than funding the CAs bullshit business.
-
Same here
-
-
Which is worse… McAfee or viruses.... Damn its a tough call...
-
I think this article has a good view of the problem.
http://www.computerworld.com/article/2894233/web-browsers-are-also-to-blame-for-lenovos-superfish-fiasco.html -
@Phishfry:
I think this article has a good view of the problem.
http://www.computerworld.com/article/2894233/web-browsers-are-also-to-blame-for-lenovos-superfish-fiasco.htmlNah. The browsers need to implement TLSA/DANE. Noone will ponder which CA is supposed to sign which certificate for whom; the server owner should tell the client behind the scenes. The average Joe does not understand the details and does not care. CAs should provide enhanced validation and that's it. This BS about "oh baaad boy, you are using self-signed certificate/your own CA -> lets nag the shit out of anyone trying to use HTTPS with your website" needs to end.
-
Its designed to bilk people for as much money as possible…
-
He makes good points about how differently certs look across the different browser landscapes, I thought. He didn't have to use the Nerd word so many times.
edit:fixed typo
-
The BFU's understanding: Green lock == good. Anything else == bad. Cannot see this ever changing. (Frankly, when calling to some banks' helplines, I often have hard time getting someone on phone who knows what certificate fingerprint is. :()
-
The military and government here also uses self signed certs… Its actually the way to go.
-
I never realized why my browser complained on first hookup to fresh pfsenses install. Then i learned about the CA tab. But only recently because i followed an openvpn setup guide. I had no idea what it was for. Maybe if you said- it is like Microsoft wallet -I would go ahaa. Now i am self signed.
-
Certs are a racket and the most a browser should say about certs its that "the website you are visiting isn't covered by your list of trusted roots".
Thats all it should say. The bullshit "You aren't safe here! Be afraid! Run away!" messages are just stupid.
-
@Phishfry:
I think this article has a good view of the problem.
http://www.computerworld.com/article/2894233/web-browsers-are-also-to-blame-for-lenovos-superfish-fiasco.htmlNah. The browsers need to implement TLSA/DANE. Noone will ponder which CA is supposed to sign which certificate for whom; the server owner should tell the client behind the scenes. The average Joe does not understand the details and does not care. CAs should provide enhanced validation and that's it. This BS about "oh baaad boy, you are using self-signed certificate/your own CA -> lets nag the shit out of anyone trying to use HTTPS with your website" needs to end.
DNSSEC has the same issue as HTTPS when it comes to validation when your cert store has been compromised. Not having the notion of a "CA" makes certs nearly useless except that you know it's the same cert, but you have no way of knowing how much to trust the cert. A web of trust CA that can "route around problems" would be ideal, but it needs to be turn-key simple for the average user.
Without a CA, all a cert can say is "I am me", but you're still left wondering who "me" is. With a CA, there's at least a bit more of hurdle to falsifying who "me" is, or at least pretending to be someone else where someone else is popular, like Google.
With the whole HTTPS everywhere and certs are free movement, we need a better way to indicate to the user what class of cert the remote device has. Is it a free anonymous cert or a well vetted high class cert that requires proper identification from the CA, like your real name, a home address, proof of residence, a copy of your license, etc.
-
we need a better way to indicate to the user what class of cert the remote device has. Is it a free anonymous cert or a well vetted high class cert that requires proper identification from the CA, like your real name, a home address, proof of residence, a copy of your license, etc.
Why? We already have EV.
What we need is a way to secure communications to prevent wholesale, government-scale eavesdropping, which is what I consider to be problem #1, while making it reasonably secure enough and cheap enough so users are NEVER presented with certificate errors. If they are, they should freak out a little and stop immediately and NEVER click through it and call their IT people.
The main problem is people with self-signed certs telling their users "just accept it and store it" conditioning users that that's what's normal. Then it happens at a coffee shop and they click through it there too.
StartSSL reduces the cost for solid, 2-year certificates to about $100/year for a business. However many certificates they need. Very reasonable. Not perfect, but it eliminates cost as the driving factor against obtaining trusted-root-signed certificates for everything.
Let's Encrypt will make it free, as I understand it, though I'm waiting to see what they deliver before deciding it it's acceptable.
