NEWS ANALYSIS: Despite the fretting on social media, Superfish isn't actually malware, but whether it should be pre-installed on the PC you paid good money for is another issue.
Now that we've had a few days in which the Twitteratti have lashed Lenovo to the rack for shipping computers with something called "Superfish," it's time to unravel all of this and decide what's really going on here.
First of all, Superfish isn't in and of itself malware. What Superfish does
is keep track of things you look at on the Web and then find ways to inject ads for those things into your browser sessions.
What this means is that when I go online to shop for something --for example, a new monitor --Superfish or some other program that does the same thing, will notice this activity and then push ads for those items into my browser.
When I went to the LL Bean website to buy some new flannel shirts a few days ago in a concession to the endless cold here on the East Coast, I got flannel shirt ads from LL Bean and elsewhere.
Other than the fact that these ads are annoying, especially if they're for an item I've already purchased, they don't really cause a lot of harm on their own. In fact, every now and then they present something useful.
The problem comes with finding out what it is that you're searching for on an ecommerce site. After all, these sites are supposed to be using SSL encryption, so there shouldn't be any way to actually know what you're browsing for. But of course there are several ways to do this.
The easiest way is that the ecommerce sites don't keep your activities a secret, especially from their own advertising teams. This means that when I buy those LL Bean flannel shirts, the company itself sends me ads to buy more. An ecommerce site may also sell the information to partners or to other advertising services.
But there's another way to do that and that's what concerns people. This happens when the adware, whether it's Superfish or some other similar service, looks inside your supposedly secure browsing session to gather that information. To do that they have to be finding a way to get past the encryption and that, obviously, is a security breach.
Superfish used the services of another company, Komodia, which actually handled the chore of gathering that encrypted data. It did that by installing a self-signed security root certificate into the networking software of installed Windows computers. While there are other products that also do this with a legitimate purpose, Komodia did this in a particularly insecure manner that reused the certificates and passwords. Cracking it was trivial.
By cracking the certificate of authority, Komodia made it so that the computer would trust nearly anything, and that allowed bad websites to gather personal information from computers that reached them.
It's worth noting here that Superfish could have used something besides Komodia. Why the company chose this insecure solution is unknown, but if I had to guess, I'd say it was because using Komodia was easy and the folks at Superfish simply didn't think about it beyond that.
Clearly, even if you don't mind getting ads that may occasionally be useful, Komodia is too much of a security hole and has to go.