SuperPhish blog.erratasec.com

Robert Graham of Errata Security has more details on that crazy Lenovo adware story:

Note that the password “komodia” is suggestive — that’s a company that makes an SSL “redirector” for doing exactly the sort of interception that SuperFish is doing. They market it as security software so you can spy on your kids, and stuff. A description of this component, their “SSL Digester”, is here. They market it for “ad injection” here. That site teaches us a lot about what SuperFish can do.

Meanwhile, Lenovo’s PR department is really working for their paycheques today:

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Bullshit. Anything that intercepts or falsifies an SSL certificate is a security concern. Period.

The relationship with Superfish is not financially significant; our goal was to enhance the experience for users.

Bullshit. Lenovo thought they could fatten their per-unit profit by installing this software.

Lenovo does provide uninstall instructions, but…

Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well.

The emphasis is mine, but the words are all theirs. They’re actually going to leave the enormous security hole — their self-signed root certificate, the thing that makes every forged certificate trusted in the first place — installed on machines. That’s super sketchy.
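Since Lenovo’s own instructions say the root certificate stays behind, the check a practitioner wants after running that uninstaller is whether the Superfish root is still in the Windows trust stores, and a way to get it out. The PowerShell below is an added example, not code from this post, from Errata Security or from Lenovo. It assumes the leftover certificate’s subject or issuer contains the string “Superfish”, an elevated session (required to modify Cert:\LocalMachine), and PowerShell 3.0 or later, where Remove-Item works on the Cert: drive.

```powershell
# Added example, not code from Daring Fireball, Errata Security or Lenovo.
# Assumes PowerShell 3.0+ and an elevated session. Matching 'Superfish' in the
# subject or issuer is an assumption based on the product name; change the
# pattern if the certificate on your machine is labelled differently.

$RootStores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

function Find-SuperfishRoot {
    [CmdletBinding()]
    param(
        [string[]] $Store   = $RootStores,
        [string]   $Pattern = 'Superfish'
    )
    foreach ($s in $Store) {
        # Get-ChildItem on a Cert: path returns X509Certificate2 objects.
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -match $Pattern -or $_.Issuer -match $Pattern } |
            Select-Object @{ n = 'Store'; e = { $s } },
                          Subject, Issuer, Thumbprint, NotAfter,
                          @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
                          PSPath
    }
}

function Remove-SuperfishRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Pattern = 'Superfish')

    $found = @(Find-SuperfishRoot -Pattern $Pattern)
    if ($found.Count -eq 0) {
        Write-Host "No certificate matching '$Pattern' in $($RootStores -join ', ')"
        return
    }
    $found | Format-Table Store, Subject, SelfSigned, Thumbprint, NotAfter -AutoSize

    foreach ($c in $found) {
        if ($PSCmdlet.ShouldProcess("$($c.Store)\$($c.Thumbprint)", 'Remove trusted root certificate')) {
            # Deleting the certificate from the store is what withdraws the
            # machine's trust in anything signed with the Superfish key.
            Remove-Item -Path $c.PSPath
        }
    }
}

# Audit first. Drop -WhatIf (in an elevated session) to actually delete.
Remove-SuperfishRoot -WhatIf
```

Cert:\LocalMachine\Root is the store every user and every Windows application that relies on the system trust store consults, so that is where a leftover root matters most. Firefox keeps its own certificate database and is not covered by this check. Removing the root is what stops the machine from accepting certificates signed with the Superfish key; removing the program alone, as Lenovo’s instructions describe, does not.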