Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS Connec


  1. Posts : 487
    Thread Starter
       #20

    Going off on a bit of a tangent, but in addition to the above post, although the Ars Technica article says certificate pinning in Google Chrome will do nothing to alert users that something is amiss, IF you're techie minded and don't mind experimenting/reading up on headache inducing techie subjects, you could possibly use the Certificate Pinning feature in EMET 5.1 for the main websites that you care about logging into securely (if you use Internet Explorer). Details on Certificate Pinning can be found in the EMET User Guide (the 'Download' button HERE will give you the option to download the User Guide on its own).

    With EMET Certificate Pinning you can manually add (pin) a root certificate to be used for a particular website. For example, I could tell it to only allow VeriSign root certificate (Serial Number:18DAD19E267DE8BB4A2158CDCC6B3B4A) for signin.ebay.co.uk. Although EMET wouldn't prevent me from visiting and using signin.ebay.co.uk, if the certificate for that domain was signed by a different root certificate (such as Superfish), it should display a small notification in the bottom right corner of the screen telling me the root certificate is different to the one I specified.

    As an example, for the purpose of this post, in the below screenshot I specified a different root certificate in EMET to the one that was actually used to sign the current signin.ebay.co.uk SSL certificate, and you can see the EMET warning in the bottom right notifying me of the certificate mismatch (which needs to be bigger really and a different colour, as it's too easy to miss on a big screen).

    [Screenshot: emet-cert-warning.jpg]


    Obviously, if you're being MITM'd, before specifying which root certificate to pin you need a way to check a website's certificate to know what the correct certificate should actually be. One way to do this: Steve Gibson has a lookup on his website (https://www.grc.com/fingerprints.htm) that will show what the correct thumbprint for the website certificate should be. Bear in mind, these GRC thumbprints are for the website certificate, not the root certificate at the top of the tree, which is what you actually specify in EMET. And also, as mentioned at the bottom of the GRC page, you still need to be vigilant because if the MITM is able to intercept your encrypted traffic, it could potentially also modify the GRC page contents. It's turtles all the way down... FYI, the root certificate is shown in the Certification Path tab.

    [Screenshot: root.jpg]


    Now, EMET Cert Pinning is way overkill and isn't something a normal user would do, as it's a manual process (which is a pain), you need to learn how to use it (which is a pain) and it also needs to be updated manually (which is a pain). Even I got fed up with manually updating it every time a certificate expired, so nowadays I just set all the expiry dates to 2016. Therefore I only get notifications if the root certificate changes now. It's also not something that you can roll out to other users either, because they'll just ignore the warning anyway. Now, if there was a way that Microsoft could automate certificate pinning in Windows 10 though, so that no user interaction is required...
    Last edited by ARC1020; 22 Feb 2015 at 04:36.
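The root-pinning check the post describes, written out as an added example (this is not the poster's code and not EMET's implementation). It pins the thumbprint of the chain's root for a hostname, with an expiry date like an EMET pin, and shows the three cases that matter: the legitimate chain passes, a renewed leaf certificate under the same root still passes (why the poster only gets notified on root changes), and a chain ending in a different root is flagged regardless of whether Windows trusts that root. The hostname `signin.example` and all certificate bytes are constructed stand-ins; a thumbprint is just a hash over the DER encoding, so the same code works on real DER taken from the certificate viewer or `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
# Added example, not from the forum post or from EMET/Microsoft: a minimal
# root-certificate pinning check. All certificate bytes below are constructed
# stand-ins for DER, not real certificates.
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class RootPin:
    """A pin as EMET stores it: hostname, root thumbprint, expiry date."""
    hostname: str
    root_thumbprint: str  # SHA-1 over the root's DER, as the Windows cert viewer shows it
    expires: date


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Certificate thumbprint = hash of the DER encoding (Windows displays SHA-1)."""
    return hashlib.new(algo, der).hexdigest().upper()


def check_root_pin(pin: RootPin, chain: List[bytes], today: date) -> str:
    """Compare the chain's root against the pin.

    chain is ordered leaf first, root last, like the Certification Path tab.
    Returns "ok", "root-mismatch" or "pin-expired".
    """
    if today > pin.expires:
        return "pin-expired"
    root = chain[-1]
    if thumbprint(root) != pin.root_thumbprint:
        return "root-mismatch"
    return "ok"


def leaf_thumbprint_matches(leaf_der: bytes, published: str) -> bool:
    """Leaf-level comparison, the kind a published site fingerprint supports.

    Unlike the root pin, this must be refreshed every time the site's
    certificate is reissued, which is why root pinning survives renewals.
    Accepts the colon-separated form the Windows viewer displays.
    """
    return thumbprint(leaf_der) == published.replace(":", "").replace(" ", "").upper()


# --- constructed sample data (stand-ins for DER certificates) --------------
ROOT_DER = b"constructed: trusted root CA"
INTERMEDIATE_DER = b"constructed: intermediate CA"
LEAF_2015_DER = b"constructed: leaf for signin.example (issued 2015)"
LEAF_2016_DER = b"constructed: leaf for signin.example (renewed 2016)"
MITM_ROOT_DER = b"constructed: interception proxy root installed on the PC"
MITM_LEAF_DER = b"constructed: leaf for signin.example minted by the proxy"

GOOD_CHAIN = [LEAF_2015_DER, INTERMEDIATE_DER, ROOT_DER]
RENEWED_CHAIN = [LEAF_2016_DER, INTERMEDIATE_DER, ROOT_DER]
MITM_CHAIN = [MITM_LEAF_DER, MITM_ROOT_DER]

# Pin the *root* for the site, with a far-off expiry as the post ended up doing.
PIN = RootPin("signin.example", thumbprint(ROOT_DER), date(2016, 12, 31))
TODAY = date(2015, 2, 22)


def scenarios(today: date = TODAY) -> Dict[str, str]:
    """Run the three cases a practitioner cares about and return the verdicts."""
    return {
        "legit": check_root_pin(PIN, GOOD_CHAIN, today),
        "renewed_leaf": check_root_pin(PIN, RENEWED_CHAIN, today),
        "mitm": check_root_pin(PIN, MITM_CHAIN, today),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:13s} -> {verdict}")
    # A leaf pin taken in 2015 stops matching as soon as the site renews.
    print("leaf pin still valid after renewal:",
          leaf_thumbprint_matches(LEAF_2016_DER, thumbprint(LEAF_2015_DER)))
```

The check deliberately compares only the last certificate in the chain, so the operating system's own trust decision is irrelevant: an interception root that has been added to the Windows trusted store still produces `root-mismatch` because its thumbprint is not the pinned one.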

  3. Posts : 487
    Thread Starter
       #22

    It appears Microsoft have now added Superfish / Visual Discovery to Windows Defender definitions:

    Source: https://twitter.com/FiloSottile/stat...00260111388672

    [Screenshot: defender.jpg]

  4.    #23

    Lenovo is facing legal repercussions over the Superfish software.
    Lenovo hit by lawsuit over Superfish adware - CNET


  5. Posts : 963
    dual boot W10 10586th2/14291 rs1 Win. Insider since Jan. 2015
       #24

    I read (somewhere) today or yesterday Lenovo is going to start emphasizing clean PCs (something kinda like Microsoft Signature PCs) in their marketing. ofc nothing beats a clean install on a new box ☺


  6. Posts : 487
    Thread Starter
       #25

    It looks like from today Ten Forums have HTTPS throughout their site with an EV cert now. No idea who this 'Superfish' CA is though... I'm joking!!!

    [Screenshot: supafisssssh.jpg]

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd