It’s hard, I believe, to work up more contempt than this:
Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.
The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.
But that’s merely heinous and reprehensible. From there, it gets worse:
Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries — a failure that completely undermines the reason HTTPS protections exist in the first place.
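As an added example that is not part of this post or of the articles it quotes: a PowerShell check for the condition the quoted paragraph describes, a root certificate sitting in the Windows trust store whose private key is held by a program on the PC itself rather than by a public CA. The subject pattern 'Superfish', the two store paths searched, and the private-key heuristic are assumptions; the article does not say how Superfish stored its key, so treat the private-key flag as a general interception-CA signal rather than a Superfish-specific one.

```powershell
# Added example, not Lenovo's, Superfish's or the article's code.
# Flags trusted roots that (a) carry the adware vendor's name in the subject, or
# (b) have a private key on this machine. A genuine public root never ships its
# private key to end-user PCs; a TLS-intercepting proxy must, in order to mint a
# certificate for each HTTPS site on the fly.
function Get-SuspiciousRootCerts {
    param(
        # Assumption: Superfish installed into one of the standard root stores.
        [string[]] $StorePaths  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Assumption: the vendor name appears in the certificate subject.
        [string]   $NamePattern = 'Superfish'
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            $reasons = @()
            if ($cert.Subject -match $NamePattern) { $reasons += "subject matches '$NamePattern'" }
            if ($cert.HasPrivateKey)              { $reasons += 'private key present on this machine' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = @(Get-SuspiciousRootCerts)
if ($findings.Count -eq 0) {
    Write-Output 'No Superfish-named or private-key-bearing roots found in the trusted root stores.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the name pattern is the Superfish root itself; a hit on the private-key check alone is some other interception CA (a corporate proxy, for instance) and deserves a closer look before anything is removed.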
So Lenovo bows its head, quietly admits to not having thought this through, and regrets its actions, right? Wrong:
The company this morning issued an oddly tone-deaf statement addressing the controversy with equal parts innocence and chutzpah. The Superfish software, Lenovo says, was “to help customers potentially discover interesting products while shopping” — apparently by throwing up related ads while visiting encrypted retail sites, which would otherwise be invisible to the adware.
This might sound like garden-variety horse manure, but Lenovo doubles down with the claim that this purported consumer benefit was the primary reason for installing Superfish on its laptops. It wasn’t — as cynics might suspect — about the cash at all! Well, not much, anyway.
“The relationship with Superfish is not financially significant,” the statement says. “Our goal was to enhance the experience for users. We recognize that the software did not meet that goal and have acted quickly and decisively.”
“Throwing up related ads.” The users I know would throw up a hell of a lot more than that if you inflict crapware — excuse me, “potentially unwanted programs,” as the antivirus guys say — upon them. The idea that someone might actually want that crap is so utterly improbable that one almost suspects it came from Washington.
LENOVO CUSTOMERS: If you can see this website, your computer is vulnerable. Instructions on how to fix are provided. https://t.co/ODBLQI4oir
— InfoSec Taylor Swift (@SwiftOnSecurity) February 19, 2015
A sprint over there with a Dell produces “Untrusted Connection,” exactly as it should.