It was recently brought to light that the computer company Lenovo built and sold laptops with an adware program preinstalled between October and December 2014. The program, called Superfish, was designed to inject ads into secure HTTPS web pages. This sounds bad enough on its own, but it gets worse. To do this, Superfish uses a code library from an Israeli company called Komodia that installs its own self-signed root certificate, and then presents certificates signed by that root that falsely represent themselves as the website's official certificate.
Why this is Bad
The problem with Superfish, and the Komodia code it relies on, is that it crudely circumvents HTTPS. Site certificates are how your browser judges whether a site is legitimate. For example, under normal conditions a phishing site set up to look like the Bank of America site would be flagged by your browser for having a false certificate, and a warning would pop up in your browser that the site you were attempting to access had an invalid certificate.
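The mechanism described above, as an added example in Go (not Lenovo's, Superfish's or Komodia's code): a throwaway self-signed CA issues a certificate for a placeholder bank hostname, and the same certificate is checked against a clean trust store and against one where the rogue root has been added. The CA name, the hostname and the use of ECDSA P-256 keys are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent using the parent's private key and parses the DER back.
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// BuildChain mints a self-signed CA (caName is a placeholder standing in for an adware
// root like the one described above) and a leaf certificate for host signed by it.
func BuildChain(caName, host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed: no trusted party vouched for it
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = sign(leafTmpl, ca, &leafKey.PublicKey, caKey) // names the bank's host, but chains only to our CA
	return ca, leaf
}
// LeafTrusted is the browser's decision for host: does leaf chain to a root in roots?
// A nil pool would mean the system store; an explicit pool keeps the check hermetic.
func LeafTrusted(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}
func main() {
	ca, leaf := BuildChain("Example Adware CA", "www.bank.example")
	clean, poisoned := x509.NewCertPool(), x509.NewCertPool()
	poisoned.AddCert(ca) // the one change the preinstalled software makes to the machine's trust store
	fmt.Println("clean store accepts forged leaf:   ", LeafTrusted(leaf, "www.bank.example", clean))
	fmt.Println("poisoned store accepts forged leaf:", LeafTrusted(leaf, "www.bank.example", poisoned))
}
```

The practical check this suggests is an audit of the machine's root store for self-signed CAs that no public authority issued, since that single entry is what turns the browser's warning off.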