Superfish Hasn’t Been Caught Yet: SSL Hijacking Explained
Lenovo’s Superfish malware has caused quite a stir in the past week. Not only did the laptop manufacturer ship computers with adware installed, but it made those computers highly vulnerable to attack. You can get rid of Superfish now, but the story’s not over. There are a lot more apps out there to worry about.
Lenovo has released a tool that gets rid of Superfish, and Microsoft has updated its anti-virus software to catch and remove the nuisance. Other anti-virus software providers are sure to follow quickly. If you own a Lenovo laptop and you haven’t taken steps to get rid of Superfish, you should do so immediately!
If you don’t get rid of it, you will be much more susceptible to man-in-the-middle attacks that make it look like you’re communicating with a secure website when you’re in fact communicating with an attacker. Superfish does this so that it can get more information about users and inject ads into pages, but attackers can take advantage of this hole.
How Does SSL Hijacking Work?
Superfish uses a process called SSL hijacking to get at users’ encrypted data. The process is actually quite simple. When you connect to a secure site, your computer and the server go through a number of steps:
- Your computer connects to the HTTP (insecure) site.
- The HTTP server redirects you to the HTTPS (secure) version of the same site.
- Your computer connects to the HTTPS site.
- The HTTPS server presents a certificate that positively identifies the site.
- The connection is completed.
During a man-in-the-middle attack, steps 2 and 3 are compromised. The attacker’s computer serves as a bridge between your computer and the secure server, intercepting any information that’s passed between the two, potentially including passwords, credit card details, or any other sensitive data. A more complete explanation can be found in this great article about man-in-the-middle attacks.
The Shark Behind the Fish: Komodia
Superfish is a piece of Lenovo software, but it’s built on a framework that already exists, created by a company called Komodia. Komodia makes a number of different tools, most of which are built around the goal of intercepting SSL-encrypted internet traffic, quickly decrypting it, and allowing the user to do various things, such as filter data or monitor encrypted browsing.
Komodia states that their software can be used for things like parental control, filtering potentially revealing information from encrypted emails, and injecting ads into browsers that restrict the sorts of extensions that can be added. Obviously, there are both good and bad potential uses for this software, but the fact that it’s decrypting your SSL traffic without giving you any clue that you’re no longer browsing securely is very worrying.
To make a long story short, Superfish used a single-password security certificate, meaning that anyone who had the password to that certificate would have access to any traffic being monitored by Superfish. So what happened after Superfish was discovered? Someone cracked the password and published it, leaving a huge number of Lenovo laptop owners vulnerable.
A security researcher reported in a blog post that the password was “komodia.” Seriously.
But Superfish isn’t the only software using Komodia frameworks. A Facebook security researcher recently discovered over a dozen other pieces of software that use Komodia tech, meaning that a huge number of SSL connections could be compromised. Ars Technica reported that over 100 clients, including Fortune 500 companies, are using Komodia as well. And a number of other certificates were also unlocked with the password “komodia.”
Other SSL Hijackers
While Komodia is a big fish in the SSL hijacking market, there are others. PrivDog, a Comodo service that replaces ads from websites with trusted ads, was found to have a vulnerability that could allow man-in-the-middle attacks as well. Researchers say that the PrivDog vulnerability is even worse than Superfish’s.
This isn’t all that uncommon, either. A lot of free software comes bundled with adware and other things that you don’t actually want (How-To Geek posted a great experiment on this), and many of them use SSL hijacking to inspect the data that you’re sending over encrypted connections. Fortunately, at least some of them are a bit smarter about their security certificate practices, meaning that not every SSL hijacker causes security holes as big as those created by Superfish or PrivDog.
Sometimes there are good reasons for giving an app access to your encrypted connections. For example, if your anti-virus software can’t decrypt your communications with an HTTPS site, it wouldn’t be able to prevent malware from infecting your computer over a secure connection. Parental control software also needs access to secure connections, or kids could just use HTTPS to bypass the content filtering.
But when adware is monitoring your encrypted connections, and opening them to attack, you should be concerned.
What to Do?
Unfortunately, many man-in-the-middle attacks need to be prevented by server-side measures, which means you may be exposed to these sorts of attacks without knowing it. However, you can take a number of measures to keep yourself safe. Filippo Valsorda has created a web app that looks for Superfish, Komodia, PrivDog, and other SSL-disabling software on your computer. That’s a good place to start.
You should also pay attention to certificate warnings, double-check for HTTPS connections, be careful on public Wi-Fi, and run up-to-date antivirus software. Check which browser extensions are installed in your browser and get rid of ones you don’t recognize. Be careful when downloading free software, as a lot of adware is bundled with it.
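The hijack described under “How Does SSL Hijacking Work?” and the checks listed above can be turned into a small client-side test: an intercepted HTTPS connection still passes the system’s certificate validation (because the interceptor’s root was added to the trust store), so the giveaway is the issuer of the certificate you actually received. This is an added, stdlib-only Python example, not code from the article or from Filippo Valsorda’s web app; the name substrings, the pinned-issuer organisation, and the sample certificates are constructed for illustration.

```python
import socket
import ssl

# Substrings to look for in the issuer of a server certificate. These are
# assumptions based on the product names the article mentions, not an
# authoritative indicator list.
INTERCEPTION_NAMES = ("superfish", "komodia", "privdog")

def _rdn_value(name, key):
    """Pull one attribute out of a getpeercert()-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return ""

def classify_peer_cert(cert, expected_issuer_org=None):
    """Classify a cert dict shaped like ssl.SSLSocket.getpeercert() output.
    "intercepted"       issuer names known SSL-hijacking software
    "unexpected-issuer" a pinned issuer organisation was given and differs
    "ok"                nothing suspicious in the issuer
    """
    issuer = cert.get("issuer", ())
    org = _rdn_value(issuer, "organizationName")
    cn = _rdn_value(issuer, "commonName")
    if any(n in (org + " " + cn).lower() for n in INTERCEPTION_NAMES):
        return "intercepted"
    if expected_issuer_org and org != expected_issuer_org:
        return "unexpected-issuer"
    return "ok"

def check_host(host, expected_issuer_org=None, port=443):
    """Connect with the system trust store and classify what the peer sent.
    With an interception root installed, default verification still succeeds,
    so the issuer check is what reveals the hijack."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_peer_cert(tls.getpeercert(), expected_issuer_org)

# Constructed sample certificates (not real), in getpeercert() format.
LEGIT_CERT = {"subject": ((("commonName", "www.example.com"),),),
              "issuer": ((("organizationName", "Example Public CA"),),
                         (("commonName", "Example Public CA R1"),))}
HIJACKED_CERT = {"subject": ((("commonName", "www.example.com"),),),
                 "issuer": ((("organizationName", "Superfish, Inc."),),
                            (("commonName", "Superfish, Inc."),))}
```

Calling `check_host("www.example.com", "Example Public CA")` on a machine with an interception root installed returns "intercepted" or "unexpected-issuer" even though the browser would show a padlock.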
Beyond that, the best thing that we can do is to communicate our anger to the companies that are producing and using this technology, like Komodia. Their website was recently taken down, purportedly by a distributed denial-of-service attack, suggesting that many people were quick to express their displeasure. It’s time to make it clear that SSL hijacking is completely unacceptable.
What do you think of SSL hijacking adware? Do you think we should call upon companies to stop this practice? Should it even be legal? Share your thoughts below!