Dell ships its own "Superfish"

http://arstechnica.com/security/2015/11/...t-certificates/

Quote:

Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.


Read it and weep.

Best strategy is not to let untrusted sources install software on your computer

Quote:

Dell issued a statement early Monday morning that said technicians are investigating the reports. Until they and other outside experts weigh in, it's too early to say how widespread and severe this problem is. What is clear now is that the eDellRoot certificate was generated two months after the Superfish debacle came to light and that it poses a risk to at least some Dell customers. Ironically, Dell has publicly capitalized on the Superfish debacle even as it engaged in a blunder that poses the same threat to its own users. People who find this certificate installed on their computer should temporarily use only Firefox to browse to HTTPS-protected sites.


That is ok, people are used to switching to FF to mitigate the latest IE blunder.
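A way to check whether the eDellRoot certificate is on a machine, as an added example that is not from the thread or the article: it lists certificates in the Windows trusted root stores (the store IE consults; Firefox keeps its own, which is why it warns) that either carry the eDellRoot name or have a private key present on this machine, the condition that makes such a root dangerous. It assumes PowerShell on the affected Windows machine.

```powershell
# Added example (not from the thread): look for the eDellRoot certificate in the
# Windows trusted root stores and, more generally, for any trusted root whose
# private key is present on this machine. A root CA private key that ships on
# end-user machines lets whoever holds it sign certificates for any HTTPS site
# that clients trusting that store will accept, which is the problem described above.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $reasons = @()
        if ($_.Subject -like '*eDellRoot*') { $reasons += 'eDellRoot subject' }
        if ($_.HasPrivateKey)               { $reasons += 'private key present in store' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Reason     = $reasons -join '; '
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'The trusted root(s) above should be reviewed and removed unless you installed them yourself.'
} else {
    Write-Output 'No eDellRoot certificate and no trusted root with a local private key found.'
}
```

A hit whose only reason is "private key present" may be a root you created yourself (a local test CA, for example); the thumbprint lets you confirm what it is before removing anything.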
 
Simple and something I've been saying for 20 years in my IT career. Dell = Garbage. Stay away and you will be much better off.
 
I just bought a new Dell laptop. It looks like I have one that has the eDellRoot cert. I am NOT all that great at this stuff. What should I do? Start using FF till it is resolved? I am a Chrome user.
 
If you use Chrome or FF you are fine. This only impacts IE, which generally only people who don't know better, or enterprise (sadly), are using anyway.
 
I tried the test site that was posted in the article. Using Chrome it looks normal. Using FF it said untrusted site. It's a good thing I like FF.
 
Update to this

http://arstechnica.com/security/2015/11/...s-removal-tool/

Sounds like this wasn't as bad as Superfish insomuch as it wasn't aimed at making money. It was supposed to make it easier to go to Dell's website and get support by way of the system automatically being able to populate its Service Tag ID, and they have immediately released a removal tool.

Unlike Lenovo's, Dell's response is at least fast and acceptable; they accepted responsibility and have issued a fix.
 
As Nick R pointed out, this is a blunder with good intention behind it that Dell is responding to, while the Lenovo Superfish scandal was a money grab at the expense of the privacy and security of their consumers.
 
I tested the boguslessonslearned.org website link given in the article with IE, Chrome and FF and all 3 said it was an untrusted site. My Dell is a few years old, so apparently this goof-up isn't on my machine.
 
Originally Posted By: BearZDefect
As Nick R pointed out, this is a blunder with good intention behind it that Dell is responding to, while the Lenovo Superfish scandal was a money grab at the expense of the privacy and security of their consumers.


Please read one of the commenter's comments on the link BigD1 provided

Quote:

For the sake of the rest of the industry, please publish an account of why this happened - the security world would like to understand the failures in process and thought that led to the creation of a relatively complex use of cryptographic components in a way that would ring alarm bells for most practiced cryptography users. If it "just seemed like a good idea" to some developer who didn't speak to a security professional, or it was reviewed by a security team, those are different problems, and which one it was will add to the corpus of knowledge used by application security professionals to improve security involvement in development process. Don't let this languish in the realm of "oops, we did a bad thing, and now we made it better".

You have a responsibility to tell us what the bad thing was, and what steps you did to make it better - otherwise, the only responsible conclusion to draw is that you're idiots, you employ idiots, and you'll continue to employ idiots who do idiotic things.

I'm fairly certain that's not the case, but I think the security community needs you to explain why that's not true.



This is 'spot on' and is a serious issue beyond 'just don't use IE'.

Dell fundamentally undermined a critical security framework with clearly no understanding of the implications.

It is analogous to Ford issuing all their cars' keys with identical grinds for the convenience of the owners. "Hey, if you lose your key, just use your neighbor's." Convenience without a shred of understanding of why the key exists. Scary at many levels from a company that probably employs PhD-level mathematicians.
 
Well I just used Dell's removal tool and it fixed the issue. I retested using the test site in the article and all is well.
 
Originally Posted By: itguy08
Simple and something I've been saying for 20 years in my IT career. Dell = Garbage. Stay away and you will be much better off.


+1, I had one for a week and, after issues and chatting over broken VoIP lines to India, got my money back.

ThinkPad for me, or Apple. No junk.
 