Original article published at Infosecurity Magazine on August 25, 2015: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/
Earlier this year Lenovo got caught installing Superfish adware on its laptops. Superfish breaks open SSL/TLS encryption using forged digital certificates and unwittingly allows bad guys to exploit the digital trust they provide. Unfortunately, man-in-the-middle (MITM) attacks with forged certificates are nothing new.
The SSL/TLS trust model is designed to protect communications end-to-end. But Lenovo inserted the Superfish CA certificate as trusted, meaning that all of the MITM certificates were trusted within the browser, thereby exposing users to insecure sites or interception of private communications. Whilst Lenovo admitted its mistake and claims to no longer ship adware, it is clear that the system of trust established by keys and certificates is under attack.
Read the full article at: http://www.infosecurity-magazine.com/opinions/superfish-one-step-closer/