Lenovo, Superfish, and SSL: How Adware Broke the Browser
The recent revelations about the Superfish adware expose one of the critical vulnerabilities of SSL: you’re only as secure as your browser configuration. Superfish acts as a proxy, also known as a man-in-the-middle, intercepting all web traffic to modify the content that you’re receiving while browsing. To make sure that it can continue intercepting traffic, even if the connection is over https, Superfish installs a new root certificate into your trust store. Superfish also installs the private key for that certificate so that it can generate and sign certificates on the fly to match any website that you’re trying to visit. For example, if you were to try to visit securesite.com with Superfish installed, it would intercept the connection and make its own secure connection to securesite.com, then generate and sign a certificate for securesite.com to return to your browser. Since it added its certificate to your trust store, the browser will consider that a completely legitimate certificate, displaying the lock icon as if nothing was wrong.
Correctly implemented, Superfish would have been an annoying intrusion, but unfortunately it contains a fatal flaw. Superfish uses a single, static certificate for all installations instead of dynamically generating one at install time. The implications of that mistake are that if anyone compromises that certificate, they can intercept any web traffic from any infected machine, reading sensitive information and potentially injecting malicious code to further compromise that machine. Unfortunately, the Superfish signing certificate was not well protected and has been compromised and made widely available on the Internet.
As a result of the backlash against Superfish, Lenovo has promised to stop installing it on new laptops and is providing instructions on removing it. While that combination of actions will eventually eliminate this particular threat, the general class of threat — malicious actors compromising the security infrastructure of browsers — remains. In the face of this omnipresent threat, it becomes clear that we need a way to defend ourselves.
One defense against such threats is to shoulder the entire burden by yourself. You can constantly monitor your trust store for new root certificates or certificates that you don’t trust and frequently test to make sure that system files aren’t modified. If that sounds like a lot of work, that’s because it is a lot of work; browsers trust a great many root certificate authorities, and you can’t easily tell from their name which ones are trustworthy. Even worse, if a zero-day exploit allows an attacker to install a rootkit on your machine, you may not be able to detect modifications.
Another approach to protecting your system is to create a virtual machine with a known-good image, resetting it after each browsing session. This approach has a couple of huge benefits. First, it can make it significantly harder for attacks to affect your system, since a virtual machine that only has to do one thing, without regard for general ease-of-use, can have a drastically smaller attack surface. Second, if a zero-day exploit in the browser does allow an attacker to compromise the virtual machine, it can be easily reset to its known-good state, cleaning up the damage. Unfortunately, to take this approach you have to create a secure virtual machine image to begin with, which requires a significant amount of expertise. Additionally, you have to keep the image up to date with patches, and that’s a very time-consuming prospect, both in terms of staying on top of new vulnerabilities and in generating the machine image.
If you lack the time, patience or expertise to build and maintain a virtual machine image, there are excellent commercial options, like Passages by Ntrepid. The commercial options let you leave the responsibility for creating a secure virtual machine to experts who specialize building systems that are resistant to attack. Additionally, it saves you from having to maintain the configuration, freeing up a lot of time for other endeavors. If security is critical to you and you don’t have limitless time, a commercial solution may well prove to be the best option, both financially and from a security standpoint.