Sharing Your Secrets With Superfish and Other Strangers

Blog Post created by todb Employee on Feb 20, 2015

aquaman-is-also-a-superfish-sort-of.jpeg.jpgThe Lenovo/Superfish scandal reported this week was certainly a shocking revelation - the installation of a self-signed certificate to the trusted root store of personal computers with the express purpose of decrypting otherwise private HTTPS user sessions is an unbelievable violation of trust. While software and hardware vendors sell their products based on specific metrics such as performance, usefulness, or ease of use, what is often unsaid -- trust -- is really at the core of every network-capable product.

The Internet is an inherently unsafe, insecure environment. As users, we need to be able to trust that the equipment we use is not actively or passively spying on us, is not controlled or controllable by unknown actors, and is keeping our personal information personal. We do this, in a large part, by trusting that our devices are designed with our interests in mind. When a vendor ships an intentional backdoor into this trust model, that vendor is violating this contract with users.

The trust model of HTTPS - specifically the role that Certificate Authorities play in protecting against Man-in-the-Middle (MITM) attacks - is itself, though, very brittle. Today, stock, unpoisoned operating systems ship with dozens to hundreds of trusted root certificates, and the vast majority of users have no idea that they exist at all. Microsoft, for example, provides 25 pages of currently trusted certificate authorities, Apple's list is similarly gigantic, and both lists include several governments with varying levels of friendliness to civil and privacy rights. Possibly, that list may even include the once-mighty Atlantis. Have you checked?

So, while Lenovo made a business decision to trust Superfish on behalf of their users, all major operating system vendors make a similar decision on behalf of their users as well. While the operating system vendors do not today appear to be actively intercepting HTTPS sessions as Superfish reportedly was, I would expect that many users would find it concerning that, by default, they are implicitly trusting so many authorities across such a broad spectrum of jurisdictions.

My hope is that the Superfish scandal will bring some attention to this system of trust that we land-dwelling humans are by default opting into today. There are simply too many sources of truth, any one of which can be compromised or otherwise display malicious intent.

For a more detailed discussion of the CA trust brittleness and a possible solution, see Moxie Marlinspike's 2012 BlackHat talk, SSL and The Future Of Authenticity.