Slashdot Mirror

← Back to Stories (view on slashdot.org)

Dell Accused of Installing 'Superfish-Like' Rogue Certificates On Laptops (theregister.co.uk)

Posted by samzenpus on from the was-that-wrong? dept.

Mickeycaskill writes: Dell has been accused of pre-installing rogue self-signing root certificate authentications on its laptops. A number of users discovered the 'eDellRoot' certificate on their machines and say it leaves their machines, and any others with the certificate, open to attack. "Anyone possessing the private key which is on my computer is capable of minting certificates for any site, for any purpose and the computer will programmatically and falsely conclude the issued certificate to be valid," said Joe Nord, a Citrix product manager who found the certificate on his laptop. It is unclear whether it is Dell or a third party installing the certificate, but the episode is similar to the 'Superfish' incident in which Lenovo was found to have installed malware to inject ads onto users' computers.

5 of 92 comments (clear)

  1. Coming soon in Windows 11 by swb · · Score: 1, Interesting

    ...a root certificate store that is locked and can only have NSA-approved certificates installed.

    1. Re:Coming soon in Windows 11 by Dr_Barnowl · · Score: 5, Interesting

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      We also had something that directed traffic while we were out of the corporate network through a third-party proxy that used the same trick (Websense).

    2. Re:Coming soon in Windows 11 by sexconker · · Score: 5, Interesting

      No chance.

      This "install your own root CA" trick is being used widely in corporate environments to allow proxies to snoop your HTTPS connections ; caused no end of trouble with clients using independent Firefox installs (Chrome uses the system certificate store, Firefox has it's own) navigating to our pages (with properly signed certificates) and being told they were a security risk.

      Firefox told them it's an untrusted cert and a security risk because it's an untrusted cert and a security risk.
      What you are doing is bad, evil, and wrong. And it's technically illegal under the DMCA as well, because you're breaking encryption. No, an employee agreement that says you can monitor their computer use doesn't get you past the DMCA.

      Fuck you and all the places that do this. If I were asked to implement such a thing at my job I'd raise all hell and strike.

  2. Re: Let me Guess by Anonymous Coward · · Score: 2, Interesting

    Apparently it reinstalls itself on updates and also is installed onto Ubuntu.

    This is lawsuit worthy IMO. Either maliciousness or gross negligence. One doesn't just accidentally do this.

  3. Re:Its only SuperFish-like by theskipper · · Score: 3, Interesting

    Heh, as pointed out at the bottom of that article someone in Dell marketing needs to eat some serious humble pie:

    http://www.dell.com/us/p/xps-1...
    "Dell is serious about your privacy
    Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns."

    Youch.