by lmm 4131 days ago
> we should still have standard crypto between the lenovo computer and the website

Standard crypto using that website's certificate. Which could be legit. Or could be an attacker's certificate, signed with this Lenovo root certificate.

Some criminals are about to make a lot of money.

1 comment

Not if the proxy checks the certificate of the site it's connecting to and doesn't trust its own self-signed cert (there is no point in doing so if it's pure adware). But yeah... I have no idea what it does...
I honestly doubt that someone who was clueless and lazy enough to use the same self-signed certificate on all machines would put in the extra effort not to trust that certificate. Besides, the certificate is left behind after the software's uninstalled and no longer proxying connections.
Komodia, the company behind the tech contracted by the maker of SuperFish, actually (tries) to make sure invalid and self-signed certificates do generate a warning in the browser. And then they password protect the private key with... the name of their company?!?

http://www.komodia.com/wiki/index.php?title=SSL_Digestor#Cer...

"Also the module tries to verify that the certificate is indeed signed by an approved signer, it will use the CA store of the browser used to verify that (for Internet Explorer the Windows store will be used, and for Firefox the NSS store will be used), if the certificate isn't legit, the created certificate will be created in a way it would raise an alert to protect the user."

A huge ugly hack...

Wow...

Now Lenovo is "soon" going to explain how to remove this certificate after the "uninstall" in a buried forum post...

http://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-...