Web browsers are also to blame for Lenovo's Superfish fiasco

lenovo
Credit: TAKA@P.P.R.S

The time has come to unmask the identify of Certificate Authorities vouching for secure websites

Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong, leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserve plenty of blame for breaking the security of HTTPS and SSL/TLS.

Taking a step back however, blame also falls on our web browsers.

Google (Chrome), Microsoft (Internet Explorer), Apple (Safari) and Mozilla (Firefox) enable the security hack that Superfish and others such as PrivDog and Gogo engage in. They do this by omission, not commission. 

Let me explain.

Secure (HTTPS) web pages are required to send the web browser a file called a digital certificate which serves, among other purposes, to insure that you are actually viewing the website you think you are viewing.

This is needed because the underlying design of the Internet makes scam websites possible. That is, you could be looking at somebankingsite.com and instead of it really being a bank, it could be a phony duplicate site designed to trick you in any number of ways.

One defense against this, is the digital certificate file. Just as a postmark proves where and when a letter was mailed, the certificate file is supposed to prove the identity of the website.

To run a secure HTTPS website, you first have to get a certificate file from any of the hundreds of companies in business to sell them. These trust-selling profit-making companies are called Certificate Authorities. They are supposed to check the identity of the person or company making the request.

Pass the identity check, pay a fee, and you get a certificate file vouched for by a Certificate Authority.

Techies refer to the certificate file as "certificate" or, more often, just as a "cert". An article about Gogo at Ars Technica referred to it as an "HTTPS certificate". A recent Bloomberg story about Hilary Clinton's private email system called it an "encryption certificate" referring to another of its purposes - being the basis for encrypting data in transit. Google, in their explanation of the topic below, calls it a "security certificate".

To verify their identity, sites that use SSL present security certificates to Chrome. Anyone can set up a website pretending to be another site, but only the real site has a valid security certificate for the URL you're trying to reach. Invalid certificates could mean that someone is trying to tamper with your connection to the site.

Verbiage like this probably sounds reassuring, to non-techies, but, the system is terribly flawed, so much so, it borders on being a scam.

One of the biggest flaws in the system is that any Certificate Authority (CA) can vouch for any website.

Add to this, the fact that there are hundreds of Certificate Authorities and each one has sub-contractors than can also issue certificates.

Plus, no one knows who these companies are. GeoTrust, Entrust, USERTrust, GTE CyberTrust, Starfield, CertPlus, DigiCert and Thawte are not exactly household names. Steve Gibson is fond of pointing out that the Hong Kong Post Office is a trusted Certificate Authority. Would you trust a website whose identity is certified by the Hong Kong Post Office? Our browsers do.

The companies that produce web browsers did not create this flawed system, but they aid it, by hiding it.

The time has come for web browsers to stop hiding the name of the Certificate Authority vouching for secure websites.

No doubt, Microsoft, Apple, Google and Mozilla will point out that the name of the vouching Certificate Authority is readily available. Technically, it is. Realistically, however, it is not, at least not for the non-techies that need it the most.

To see the name of the vouching Certificate Authority you need to know a secret handshake, a clickstream that's never explained to newbies. And, the handshake differs for each browser.

Limiting myself to just Windows, I found multiple paths to uncovering the name of the vouching CA.

bofa.ff36

With Firefox 36 (above), you need to click on the company name in green, just to the left of the website name in black on the address bar. In the window pops up, "Verified by" is the CA name.



bofa.chrome41

In Chrome 41, the company name is dark green in a light green rectangle. You again need to click on the company name, then on the word "Connection". It is not immediately clear in the window that pops up that there are two tabs, one for Permissions, one for Connections. For whatever reason, the visual design of these tabs is totally different than the browser tabs right above it. In the Connection tab, the CA name is in the first sentence, after "has been verified by".



bofa.ie11

With Internet Explorer 11 you don't need to click, but you do need to shift your focus from the left side of the address bar to the right side. Hovering the mouse over the name of the company, produces a popup window with the CA name displayed after "Identified by".



bofa.opera27

Opera 27 starts off like Firefox, you need to click on the company name displayed in green next to the website name in black. Then, you need to click on the word "details". The name of the Certificate Authority is shown, but it is not identified as such.



bofa.vivaldi

The newest web browser, Vivaldi technical preview 2, offers a secret handshake hint. If you hover the mouse over the company name displayed in green to the left of the website name, a pop-up window says "site info". Another clue that clicking here offers more goodies is the fact that the background color changes from light green to dark green. Clicking on the company name produces a window that looks exactly like Chrome, with a default Permissions tab and a Connections tab.

One operating system, five browsers, four different click trails to learn the name of the vouching Certificate Authority.

Stepping away from Windows, Safari on OS X does not let you click on the company name, you have to instead click on the much smaller green lock to left of the company name.

Two iOS 8 browsers function like Jekyll and Hyde. Chrome does not show the company name, only the URL. In total contrast, Safari only shows the company name and hides the URL.

The worst thing about Safari on iOS 8 is that no matter where you click, press or hover, it won't rat out the Certificate Authority vouching for secure websites. Heck, it doesn't even show full URLs. Then too, Chrome running on Android is also incapable of identifying the Certificate Authority vouching for a secure website.

Strange co-incidence that the most popular browsers on iOS and Android are both missing an important security feature. 

You may have also noticed in the screen shots above that the Certificate Authority is never identified as such. Nerds designed the user interface so they assume everyone on the planet is, like them, already familiar with the system. I guess they don't have mothers.

On Windows, Firefox, Chrome and Vivaldi use "verified by", Internet Explorer uses "identified by" and Opera just puts the name out there without a label.

The best explanation I have seen is Safari on OS X which says, in effect: company x has identified website y as being owned by company z. Fairly straightforward. But even this explanation does not identify the Certificate Authority as a Certificate Authority, making it that much harder for non-techies to get with the program.

Adding to the confusion is the name of the Certificate Authorities. In the Bank of America examples above, we saw four different names: VeriSign Inc, VeriSign (without the Inc), Symantec Corporation and my personal favorite: Symantec Class 3 EV SSL CA - G3.

How does one Certificate Authority end up with four names?

In part it comes from the certificate file having multiple embedded names for each CA. Chrome displays the "common name" while Firefox displays the "Organization name". None of the browsers displayed the "Organizational Unit" name, which, in this case, was "Symantec Trust Network".

Multiple names also stem from the use of sub-contractors (techies call them resellers, Registration Authorities or just RAs) by Certificate Authorities.

These sub-contractors, in turn, can have their own sub-contractors. In reality, a single CA never vouches for an individual website, the lowest sub-contractor does. So, what name should the browser show? That of the lowest sub-contractor, an intermediate sub-contractor or the highest level Certificate Authority>

In the Bank of America examples shown earlier, the browsers reporting that VeriSign vouched for the website, got the name from either the mid-level sub-contractor CA or the original contractor CA (known to techies as the root CA). 

And it gets worse.

In the case of the Bank of America, nerds know that Symantec bought VeriSign, so the NSA was not playing tricks on me when I took these screen shots. The two are one and the same.

But, does the Bank of America really use VeriSign? Maybe they use DigiCert or GeoTrust or Thawte. How can we know? The only way to know is if your sister works for the bank.

Still think my earlier use of the term "scam" was too harsh?

With this as background, we can now fully understand how Superfish worked.

MAN-IN-THE-MIDDLE

Simply put, Superfish placed itself between the victim and the rest of the world.

When Lenovo customers thought they had a secure connection to somebankingsite.com they did not. They had a secure connection to Superfish software running on their Windows 8 PC.

Likewise, the bank was also fooled into thinking they were communicating directly with a customer. They were not, they were also talking to Superfish. It's a classic man-in-the-middle attack.

In the old days, only bad guys and spies carried out man-in-the-middle attacks. Now advertising companies do it too.

Classic man-in-the-middle attacks had an insecure HTTP connection between the web browser and the bad guy. If substituting HTTP for HTTPS did not give it away, then the missing lock icon should have. Things have progressed since then.

Superfish was able to hide its presence by providing the web browser with a certificate file. Not the real certificate file, of course, one that Superfish created on the fly. No matter what secure HTTPS website the Lenovo customer visited, Superfish dynamically created a certificate for it.

Another part of the attack involved getting the web browsers to trust certificates from Superfish. Normal computers do not.

Months went by without Lenovo customers noticing that Superfish was vouching for every secure website in the world. This tells me that finding the name of the vouching Certificate Authority is too hard. I'm sure that Gogo was issuing scam YouTube certificates well before a flying Google employee noticed it.

Web browsers need to clearly identify the vouching Certificate Authority in a prominent way. Make us click to remove the name rather than show it. Browsers need to shine a light on a system that functions in the dark.

The late retailer Sy Syms used to advertise that "an educated consumer is our best customer". Not so in the tech world. Keeping non-techies ignorant seems to be a goal.

If the Certificate Authority name was prominently displayed in the browser window, end users could benefit in multiple ways.

For one thing, financial firms might be motivated to publicize the Certificate Authority they use, making scams harder.

And, over time, we will inevitably learn something about the various companies in the business of selling trust.

We'll see the Certificate Authorities used by major companies and come to trust them more than a company whose name we have never seen before. We will know who is supposed to be vouching for the secure sites we frequent. As things stand, the identity of a CA means nothing to almost everyone using the Internet.

Spy agencies would hate educated consumers.

The current system serves them well. They can offer up a scam copy of a website and vouch for it with a certificate from a compromised Certificate Authority. Compromising a single CA, lets them vouch for any website, as long as the CA name is hidden. If we could see that Harveys Certificate Authority was vouching for the Bank of America, the scam wouldn't work.

So, lets see it Google, Apple, Mozilla and Microsoft. I dare you to prominently tell your users the Certificate Authority vouching for the identity of supposedly secure websites.

Certificate Authority identities matter.

-------------------------

UPDATE. March 8, 2015: How might this look? How might a browser provide information on website identity and Certificate Authorities? I would present short information with the option for more details. The initial message would be something like: 

Certificate Authority CA 1 attests that this website, X, belongs to entity Y. If you trust CA 1 then you can assume this is the real website of entity Y

The link for more information should probably be "IDENTITY DETAILS" since this is not an encryption related issue. Here is how I would present this:

CA 1 has presented browsername with an electronically signed certificate file.
CA1 is also known as X and is part of OUname1
Browsername trusts CA 1 because they have, in turn, been vouched for by CA 2.
CA2 is also known as XX and is part of OUname2
Browsername trusts CA 2 because they have been vouched for by CA 3, a company that browservendor trusts.
CA3 is also known as XX and is part of OUname3
You can see the full list of Certificate Authorities that browsername implicitly trusts here URL

OUname is Organization Unit name from the certificate. Obviously the length of this information is not fixed, it would vary with the length of the certificate chain of trust. 

My most important point, however, is not the specific language, but rather that the browser identify the vouching CA by default, without the end user needing to click, press or hover.

5 free apps that add cool Windows 7 features to Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies