by HackinOut 4131 days ago
"Someone will extract the private key in the next few hours, and then HTTPS will be basically completely broken for all Lenovo users -- anyone will be able to spoof any site to them."

Do you mean the proxy is remote? That is not the impression I have (otherwise having the private key locally makes no sense).

If it's local, then even with the private key extracted, and considering a lot of websites force HTTPS nowadays, we should still have standard crypto between the Lenovo computer and the website. EDIT: As long as the adware checks the website certificate AND doesn't trust its own self-signed certificate in the store... yeah... a lot of ifs...

Anyway, thanks for the additional details, more helpful than "[...] the certificate allows the software to decrypt secure requests[...]", found in the article...

2 comments

> we should still have standard crypto between the Lenovo computer and the website

Standard crypto using that website's certificate. Which could be legit. Or could be an attacker's certificate, signed with this Lenovo root certificate.

Some criminals are about to make a lot of money.

Not if the proxy checks the certificate of the site it's connecting to and doesn't trust its own self-signed cert (there is no point in doing so if it's pure adware). But yeah... I have no idea what it does...

I honestly doubt that someone who was clueless and lazy enough to use the same self-signed certificate on all machines would put in the extra effort not to trust that certificate. Besides, the certificate is left behind after the software's uninstalled and no longer proxying connections.

Komodia, the company behind the tech contracted by the maker of SuperFish, actually (tries to) make sure invalid and self-signed certificates do generate a warning in the browser. And then they password-protect the private key with... the name of their company?!?

http://www.komodia.com/wiki/index.php?title=SSL_Digestor#Cer...

"Also the module tries to verify that the certificate is indeed signed by an approved signer, it will use the CA store of the browser used to verify that (for Internet Explorer the Windows store will be used, and for Firefox the NSS store will be used), if the certificate isn't legit, the created certificate will be created in a way it would raise an alert to protect the user."

A huge ugly hack...

Wow...

Now Lenovo is "soon" going to explain how to remove this certificate after the "uninstall" in a buried forum post...

http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...

Having the private key means you can sign your own certificates to serve HTTPS with, so no MITM required.
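
Several comments above note that the root certificate stays trusted after the software is uninstalled. The following is an added example, not part of the thread or of any Lenovo or Komodia tooling: a PowerShell audit of the Windows trusted-root stores for a leftover certificate. The `Superfish` name pattern is an assumption based on the product name used in this thread.

```powershell
# Added example: look for a leftover root certificate in the Windows
# trusted-root stores (machine-wide and per-user).
$pattern = 'Superfish'   # assumption: the certificate's subject contains the product name
$stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root is self-signed: subject and issuer are identical.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # True if the private key is also present in this store entry.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "A root certificate matching '$pattern' is still trusted on this machine."
} else {
    Write-Output "No root certificate matching '$pattern' found in the Windows root stores."
}

# Firefox keeps its own NSS trust store (as the quoted Komodia text notes),
# which this script does not inspect.
```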