Now that we’ve had a few days in which the Twitterati have lashed Lenovo to the rack for shipping computers with something called “Superfish,” it’s time to unravel all of this and decide what’s really going on here.
First of all, Superfish isn’t in and of itself malware. What Superfish does is keep track of things you look at on the Web and then find ways to inject ads for those things into your browser sessions.
What this means is that when I go online to shop for something, for example a new monitor, Superfish or some other program that does the same thing will notice this activity and then push ads for those items into my browser.
When I went to the LL Bean website to buy some new flannel shirts a few days ago in a concession to the endless cold here on the East Coast, I got flannel shirt ads from LL Bean and elsewhere.
Other than the fact that these ads are annoying, especially if they’re for an item I’ve already purchased, they don’t really cause a lot of harm on their own. In fact, every now and then they present something useful.
The problem comes with finding out what it is that you’re searching for on an ecommerce site. After all, these sites are supposed to be using SSL encryption, so there shouldn’t be any way to actually know what you’re browsing for. But of course there are several ways to do this.
The easiest way is that the ecommerce sites don’t keep your activities a secret, especially from their own advertising teams. This means that when I buy those LL Bean flannel shirts, the company itself sends me ads to buy more. An ecommerce site may also sell the information to partners or to other advertising services.
But there’s another way to do that and that’s what concerns people. This happens when the adware, whether it’s Superfish or some other similar service, looks inside your supposedly secure browsing session to gather that information. To do that they have to be finding a way to get past the encryption and that, obviously, is a security breach.
Superfish used the services of another company, Komodia, which actually handled the chore of gathering that encrypted data. It did that by installing a self-signed root certificate into the Windows certificate store of the computers it was installed on, so that its software could sit between the browser and the Web site and read the traffic. While there are other products that do this for a legitimate purpose, Komodia did it in a particularly insecure manner: the same certificate and the same private-key password were reused on every computer. Cracking it was trivial.
Because that root certificate could be cracked, Komodia made it so that the computer would trust nearly anything presented to it under that certificate, and that allowed bad Web sites to gather personal information from the computers that reached them.
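One practical check for the situation just described, as an added example that is not Lenovo’s, Superfish’s or Komodia’s own code: look through the Windows root certificate stores for a root that names either vendor, and flag any that also carries its private key on the machine (which is what an interception setup needs). The name patterns and the stores searched are assumptions based on the vendors discussed above.

```powershell
# Added example: find Superfish/Komodia root certificates in the Windows root stores.
# The subject/issuer pattern is an assumption taken from the vendor names in this article.
$pattern = 'Superfish|Komodia'
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern }
}

if ($found) {
    # A root whose private key is present on the box can sign certificates for any site,
    # which is exactly how the interception described above works.
    $found |
        Select-Object PSParentPath, Subject, Thumbprint, NotAfter, HasPrivateKey |
        Format-Table -AutoSize

    # Remove the offending roots. -WhatIf only previews; drop it to really delete,
    # and run an elevated session for the LocalMachine store.
    foreach ($cert in $found) {
        Remove-Item -Path $cert.PSPath -WhatIf
    }
} else {
    'No Superfish/Komodia root certificates found in the Windows root stores.'
}
```

This only covers the Windows certificate store; a browser that keeps its own trust store (Firefox does) has to be checked separately, and the adware itself still needs to be uninstalled so it cannot put the certificate back.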
It’s worth noting here that Superfish could have used something besides Komodia. Why the company chose this insecure solution is unknown, but if I had to guess, I’d say it was because using Komodia was easy and the folks at Superfish simply didn’t think about it beyond that.
Clearly, even if you don’t mind getting ads that may occasionally be useful, Komodia is too much of a security hole and has to go.
Superfish Only Adds to PC Users’ Sense of Insecurity on the Web
But then there’s the next question: Does Superfish belong on a computer in the first place? And if it does, should the manufacturer have placed it there without their customers’ consent?
Lenovo’s statement about Superfish and the subsequent apology by the company’s CTO say that this was all about providing a better experience for customers. Perhaps that’s what the folks at Lenovo thought when they OK’d the idea. It’s worth noting that this only happened on consumer laptops and that neither Superfish nor Komodia were installed on business products such as ThinkPad laptops.
But for laptops that weren’t sold strictly for business, Lenovo installed a bunch of random software packages that the company apparently assumed its customers would find useful. Superfish was one of those, and Komodia was installed as a way to enable Superfish.
“While Komodia is described as a ‘third party add-on’ to Superfish, the problem remains the same for the end user that has bought a Lenovo computer,” said senior security researcher Jerome Segura from Malwarebytes.
“Komodia was clearly the bigger issue because of poor implementation and a flawed idea of intercepting encrypted communications as a man in the middle, which is the same thing that malware deployed by cyber-criminals does to break into computers. However, Superfish itself is a source of concern because while the technology looks great on paper, the application is often bundled with many ‘free’ programs and has been called Adware by some people.”
Apparently at least part of the problem was indeed a flawed implementation.
“We’re working on fixes for the Komodia SDK,” said Komodia founder Barak Weichselbaum in an email.
Clearly it would be an improvement if Komodia were to fix its software so that it doesn’t present the gaping security hole it does now. But that still raises the question of whether Komodia or any other such software should be installed by default on a computer.
When I bought a new computer from HP last year, it did come with some of that free software, but it was included in the box on a set of DVDs. If I wanted the aftermarket video player software, it was there for my use, but it wasn’t on the computer when I fired it up for the first time. What was there was a limited-time antivirus package and a couple of HP-specific management and maintenance packages.
In my case the reason may have been that I bought a business computer, not one of those sold to consumers at the local big box store. But shouldn’t it be this way for everyone? There was a time when installing software on the hard disk had a reason, but with the ubiquity of the Internet those times are gone.
Now all that’s really required are links and a description of what’s available to download and install as you would find in an online app store. If the customer wants software, downloading and installing it is trivial. But regardless of whether the computer is for business or consumer use, the process has given users a chance to decide what kind of software they want to install and how much personal information they want to divulge online.