Lenovo Is Breaking HTTPS Security on Its Recent Laptops so They Can Inject Adware

The EFF:

News broke last night that Lenovo has been shipping laptops with a horrifically dangerous piece of software called Superfish, which tampers with Windows’ cryptographic security to perform man-in-the-middle attacks against the user’s browsing. This is done in order to inject advertising into secure HTTPS pages, a feature most users don’t want implemented in the most insecure possible way.

I don’t know how anyone at Lenovo thought this was a good idea, let alone how it actually got approved and put into use. This has to result in a serious class action lawsuit, right?

See also: This piece by Robert Graham at Errata Security, explaining how he decrypted the software and extracted the certificate.

Thursday, 19 February 2015