
HTTPS easy to compromise?

As if things weren’t grim enough when it comes to privacy and security, this new case of a fatal security breach is going to mean big trouble, and not only for Lenovo and their security tool. The reason is that the HTTPS mechanism as a whole has been infested.

While Lenovo has now officially stated that their Computer Antitheft Security tool contains a component, namely Superfish, and has offered removal instructions, the problem extends far beyond that. HTTPS is usually a quality seal that the connection you’re using is trusted. A certificate issued by the website owner identifies a URL/site/connection. Normally.

Superfish, however, has its own certificate key store, meaning it can countersign virtually any HTTPS connection. Even untrusted ones! That means your browser might be redirected to https://unsecure.com and it would still show you a secure certificate, since Superfish simply injects its own (trusted) certificate just to please the browser.

As if that weren’t enough, Superfish uses this exact certificate to replace any type of advert on webpages with its very own advertising (or that of its partners). Adverts in general are annoying enough, and the fact that advertisers are always seeking new ways to bring all these nasty flickering eyesores to your screen is reason enough to install and use adblockers.

However, even a famous tool called AdAware, from Lavasoft, comes with Superfish. And since AdAware trusts this secure connection (remember HTTPS and the certificate, right?), AdAware would kill other ads on homepages but not those broadcast under the flag of Superfish’s certificate. It wouldn’t make sense any other way: a beggar doesn’t block its own source of money.

However, it’s not only that ads now come via HTTPS; it’s mainly that a program (or host) is blatantly tricking browsers into believing they are on the safe side, while Superfish itself can also be tricked into countersigning even insecure sites that might harm your computer (and privacy) in ways you wouldn’t imagine.

If you’re now thinking, hey, it’s just one silly certificate to remove from the key store, well, then it’s time to meet PrivDog!

What sounds like a cute little puppy that probably cares for your privacy is the very opposite of that! While Superfish simply uses one and the same certificate with the same keystore, PrivDog generates its own certificate for EVERY instance and installation. A single certificate with a specific keystore (ID) can simply be revoked and declared invalid. But individual certificates, such as the ones PrivDog generates at runtime, make it hard to keep a possible revocation list current and reliable.

Since declaring an issuer to be insecure could lead to severe lawsuits, the certificate can still be issued at will.
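The revocation problem above, as an added example (not from the original post or from any vendor): a fingerprint blocklist catches a root certificate shared by every installation but misses one generated per installation, while comparing the root store against a known-good baseline flags both. All certificate bytes, labels and machine names are constructed placeholders, and the baseline comparison is an assumption added here, not something the post proposes.

```python
import hashlib

# Constructed stand-ins for DER-encoded root certificates (not real certificates).
VENDOR_ROOTS = [("Constructed Public CA 1", b"public-ca-1"),
                ("Constructed Public CA 2", b"public-ca-2")]
SHARED_LABEL = "shared interception root (Superfish-style)"
PER_INSTALL_LABEL = "per-install interception root (PrivDog-style)"
SHARED_ROOT = (SHARED_LABEL, b"same-certificate-on-every-machine")

def per_install_root(machine_id):
    """Model a root that is generated freshly on each installation."""
    return (PER_INSTALL_LABEL, b"generated-on-" + machine_id.encode())

def fingerprint(der):
    """SHA-256 fingerprint over the certificate bytes."""
    return hashlib.sha256(der).hexdigest()

def root_store(*certs):
    """Model a machine's trusted-root store as {fingerprint: label}."""
    return {fingerprint(der): label for label, der in certs}

def blocklist_hits(store, blocklist):
    """Roots whose fingerprint is on a published blocklist."""
    return sorted(label for fp, label in store.items() if fp in blocklist)

def baseline_diff(store, baseline):
    """Roots that are not part of the known-good baseline."""
    return sorted(label for fp, label in store.items() if fp not in baseline)

# Known-good baseline: only the roots the OS image shipped with.
BASELINE = set(root_store(*VENDOR_ROOTS))

# Two constructed machines, both with the shared root and a per-install root.
machine_a = root_store(*VENDOR_ROOTS, SHARED_ROOT, per_install_root("A"))
machine_b = root_store(*VENDOR_ROOTS, SHARED_ROOT, per_install_root("B"))

# Blocklist compiled by an analyst who only had machine A to look at.
BLOCKLIST = {fingerprint(SHARED_ROOT[1]), fingerprint(per_install_root("A")[1])}

if __name__ == "__main__":
    for name, store in (("A", machine_a), ("B", machine_b)):
        print(name, "blocklist hits:", blocklist_hits(store, BLOCKLIST))
        print(name, "not in baseline:", baseline_diff(store, BASELINE))
```

On machine B the blocklist reports only the shared root, because the per-install root has a fingerprint nobody has seen before; the baseline comparison reports both.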

PrivDog, however, has now officially stated that they’re going to remove the malicious HTTPS infestation from their newest plugin and program. Also, Comodo and its products seem to use an older version of PrivDog that doesn’t interfere with SSL connections and thus also doesn’t issue potentially dangerous SSL certificates for the sake of “Trust all SSL connections”. Since Comodo is also a certification authority, their reputation may have sunk like the Titanic.

Lenovo, which fears a big lawsuit coming its way, has already set up a removal procedure to get rid of the malicious piece of software and its untrustworthy certificate.

But there is a large number of other tools that use the very same mechanism to fool users into a false sense of security. Comodo is putting your security at stake while their software is supposed to provide it. Since their setup doesn’t show any opt-out options for their data collection policy, you’d better skip their free goodies and switch to safe ones!

© Copyright 2015 Netspark, All rights Reserved. Written For: Netspark's Blog
February 24, 2015, Netspark
