Windows 10: Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS Connec

Page 3 of 3 FirstFirst 123
  1.    19 Feb 2015 #21

    Going off on a bit of a tangent, but in addition to the above post, although the Ars Technica article says certificate pinning in Google Chrome will do nothing to alert users that something is amiss, IF you're techie minded and don't mind experimenting/reading up on headache inducing techie subjects, you could possibly use the Certificate Pinning feature in EMET 5.1 for the main websites that you care about logging into securely (If you use Internet Explorer). Details on Certificate Pinning can be found in the EMET User Guide (the 'Download' button HERE will give you the option to download the User Guide on it's own).

    With EMET Certificate Pinning you can manually add (pin) a root certificate to be used for a particular website. For example, I could tell it to only allow VeriSign root certificate (Serial Number:18DAD19E267DE8BB4A2158CDCC6B3B4A) for signin.ebay.co.uk. Although EMET wouldn't prevent me from visiting and using signin.ebay.co.uk, if the certificate for that domain was signed by a different root certificate (such as Superfish), it should display a small notification in the bottom right corner of the screen telling me the root certificate is different to the one I specified.

    As an example, for the purpose of this post, in the below screenshot I specified a different root certificate in EMET to the one that was actually used to sign the current signin.ebay.co.uk SSL certificate, and you can see the EMET warning in the bottom right notifying me of the certificate mismatch (which needs to be bigger really and a different colour, as it's too easy to miss on a big screen).

    Click image for larger version. 

Name:	EMET-Cert-Warning.jpg 
Views:	75 
Size:	124.7 KB 
ID:	12948


    Obviously, if you're being MITM'd, before specifying which root certificate to pin you need a way to check a websites certificate to know what the correct certificate should actually be. One way to do this is Steve Gibson has a lookup on his website (https://www.grc.com/fingerprints.htm) that will show what the correct thumbprint for the website certificate should be. Bear in mind, these GRC thumbprints are for the website certificate, not the root certificate at the top of the tree which is what you actually specify in EMET. And also, as mentioned at the bottom of the GRC page, you still need to be vigilant because if the MITM is able to intercept your encrypted traffic, it could potentially also modify the GRC page contents. It's turtles all the way down... FYI, root certificate is shown in Certification Path tab.

    Click image for larger version. 

Name:	Root.jpg 
Views:	212 
Size:	42.7 KB 
ID:	12949


    Now, EMET Cert Pinning is way overkill and isn't something a normal user would do, as it's a manual process (which is a pain), you need to learn how to use it (which is a pain) and it also needs to be updated manually (which is a pain). Even I got fed up with manually updating it every time a certificate expired, so now-a-days I just set all the expiry dates to 2016. Therefore I only get notifications if the root certificate changes now. It's also not something that you can roll out to other users either because they'll just ignore the warning anyway. Now, if there was a way that Microsoft could automate certificate pinning in Windows 10 though, so that no user interaction is required...
    Last edited by ARC1020; 22 Feb 2015 at 04:36.
      My ComputerSystem Spec

  2.   My ComputerSystem Spec

  3.    20 Feb 2015 #23

    It appears Microsoft have now added Superfish / Visual Disc​overy to Windows Defender definitions:

    Source: https://twitter.com/FiloSottile/stat...00260111388672

    Click image for larger version. 

Name:	Defender.jpg 
Views:	163 
Size:	60.6 KB 
ID:	12971
      My ComputerSystem Spec

  4.    24 Feb 2015 #24

    Lenovo is facing legal repercussions over the Superfish software.
    Lenovo hit by lawsuit over Superfish adware - CNET
      My ComputersSystem Spec


  5. Posts : 964
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015
       25 Feb 2015 #25

    I read (somewhere ) today or yesterday Lenovo is going to start emphasizing clean PC's *something kinda like Microsoft signature PC's in their marketing . ofc nothing beats a clean install on a new box ☺
      My ComputerSystem Spec

  6.    27 Feb 2015 #26

    It looks like from today Ten Forums have HTTPS throughout their site with an EV cert now. No idea who this 'Superfish' CA is though... I'm joking!!!

    Click image for larger version. 

Name:	Supafisssssh.jpg 
Views:	40 
Size:	226.5 KB 
ID:	13407
      My ComputerSystem Spec


 
Page 3 of 3 FirstFirst 123

Related Threads
Update breaks Bluetooth. in Drivers and Hardware
Don't know if anyone else has suffered this problem, but an update earlier today (Toshiba RFBUS) has broken Bluetooth on my PC. Bluetooth is showing (without errors) in Device Manager but it does not work. A search for 'bluetooth settings' in Win...
I have read in a couple of different places that Windows 10 will ship with Outlook straight out of the box. If this is true, then there will be no incentive for me to buy Microsoft Office Professional. Does anybody know if this is true. ...
Have been dual booting Win 7 and Win 10 previews on two Samsung ssd's. I've had no problem with updating each build then extracting the Iso with ESD to Iso then doing a clean install until the switch from 10074 to 10122. Let it update on fast...
Hi I just installed build 10061 on my laptop, after creating an ISO from the ESD file downloaded in the update and using it to make a clean install, when it rebooted and I went through OOBE, i then obviously went to install drivers, but when...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:34.
Find Us