EFF fears crims are getting smart to Superfish SSL flaws
Certificate flaws spotted in variety of important sites
The Electronic Frontier Foundation (EFF) says it has found evidence that the security problems with Superfish could be much worse than first thought.
Superfish caused such a stink when it was discovered last week because the Komodia software it used borks SSL connections. But EFF researchers have found that the Komodia library also accepts false certificates that it should have rejected.
The EFF runs the Decentralized SSL Observatory, which is designed to pick up on dodgy software certificates. It found over 1,600 certificates that the Komodia engine would have passed as OK, enabling an untraceable man-in-the-middle attack.
"Because of the way Superfish operates there's no way to know for sure if all of these were used for man-in-the-middle attacks," Jeremy Gillula, a staff technologist at the EFF, told The Register. "All we know is that the vulnerability definitely did expose people; it goes from being a theoretical attack to a practical one."
It's possible that some of the 1,600 certificates found are simply badly formed, and weren't used in an attack. But there are some big names on the list, including Google, Yahoo!, Outlook and eBay.
Gillula said that the ease with which Komodia's own encryption could be compromised (it took security researchers two hours to crack the password) also means that, if malware authors had similar access, attacks could be carried out against people who bought Lenovo PCs containing Superfish without any indication of a problem.
Lenovo told El Reg that there was no indication that malware authors were using this attack vector but said that its security team is monitoring the situation very closely. On Friday the Chinese firm will release a statement on how it plans to deal with future software installs in a way customers can trust.
Gillula said such a system would be welcomed, but is concerned that many other companies may be using other software similar to Superfish to break into PCs.
"Hardware vendors load a lot of software onto their systems and Lenovo is a very big name," he said. "If it wasn't vetting the software properly then what are other firms doing? Unless the Lenovo affair acts as a wake-up call to the industry then it's inevitable that we'll find more of this stuff." ®