[nugget]

Just to be clear, Facebook and Google hate any software that allows users to modify content within their walled gardens (whether that's an adblock, ad injector, or other). These companies want a totally controllable user experience in order to maximize their own user metrics and monetization.

My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies. As users and developers, we want to retain this ability.

Adware sucks, and there are dozens of anti-virus companies who should be all over anyone who tries to pull this crap. The problem here is not with MITM, SSL packet inspection or modification. The problem here is that Lenovo allowed themselves to be turned into a distribution channel for a poorly implemented, spammy piece of adware for a few extra pennies.

[madeofpalk]

To be fair, I'm sure any website owner would want to prevent others from modifying their own website and how users view/interact with it.

[userbinator]

For the ones who are pro-DRM, that is probably true; the ones who realise that trying to do that is as futile as forcing one to sit in front of the TV during the adverts, probably not.

Userscripts and userstyles are very popular, and I see no particularly large backlash against them.

[kbenson]

It's not as simple as that though. It's perfectly acceptable to want to have control over how your site is presented while still allowing your data to be accessible. If I spent a lot of time on my site UI, I wouldn't want some third party tweaking it, when that may mean I make changes to my front-end and some percentage of users break which I have no real control over. This remains true whether I replicate every capability in an open REST interface or not.

[bsdetector]

> My fear is that these companies will use this Superfish debacle to attack and restrict the ability for users to download legitimate software which leverages these technologies.

They already have, with HTTP/2. Encryption is mandated for HTTP/2 so something like Privoxy (or even just a caching proxy) has to use a Superfish-like method to bypass the encryption. The only alternative is to modify the browser, which they are also locking down with unchangeable ChromeOS and limiting plugins to only officially sanctioned ones.

...and you won't really even be able to just not use HTTP/2 because the web will be much slower as pipelining is not even implemented in Chrome, and Firefox will no doubt drop it soon. Websites optimized for HTTP/2 could take minutes to load without pipelining.

The real irony is that neither Google nor Mozilla determined what software caused pipelining problems, so guess what, it was Superfish and its like. Instead they made a new protocol that requires Superfish-like MITM interception, to work around problems caused by Superfish-like MITM malware.

[gsnedders]

HTTP/2 doesn't actually require TLS (it got removed because of too many people pushing for it not being required for things like home routers and the like), though none of the major browser vendors intend on supporting HTTP/2 without it.

[mentat]

I'm not sure why a normal user would ever need to add CAs to their root store. Can you clarify?

[dredmorbius]

Adding (or removing) CAs is a fully legitimate activity.

Your own site, work, or vendor / client sites could be added.

Or you could want to remove a Comodo (or Honest Achmed's Used Cars and Certificates).

http://www.livehacking.com/2011/04/25/honest-achmeds-used-ca...

https://bugzilla.mozilla.org/show_bug.cgi?id=647959

Just because your OS / browser vendor "trusts" a cert doesn't mean you should.

[userbinator]

Just because your OS / browser vendor "trusts" a cert doesn't mean you should.

In other words, users should always have the right to control who they (indirectly) trust. That's what the comment above is referring to - it will be even worse if Superfish is used as an excuse to take away this right.

[dredmorbius]

Quite right.

[hamburglar]

Depends on what you mean by "normal user." It's somewhat advanced, for sure, but many companies use private CAs to issue certs for their intranet sites, and the ability to install those certs on client machines is very useful.

[jonah]

Plenty of enterprise users need to. There are other reasons too.

I presume 'nugget is talking about the HTML rewriting aspect of the software. Injecting additional/unwanted tracking code == bad, user-requested re-writing of content == good.

[dingaling]

Oddly Google's Android team took a different approach; on Android 4.0+ there is no way to install additional certificates without a periodic "Network may be monitored by unknown third party" notification being presented.

Very annoying if you wish to use your own CA or add another and it is also dangerous in that it masks any cert installation by malware.

[RDeckard]

Realizing an adblock mechanism, for one. (Similar to InterMute in late 90s, and admucher.com now.)

[duskwuff]

That's a really intrusive, dangerous way of implementing ad blocking, though. Much better to have that functionality live in the browser itself (or an extension).

[Buge]

I add CAs to my root store so that I can view my https traffic using fiddler.

Also if you want to use http://www.cacert.org/ you need to add their cert.

[whytry]

Your going to get hellbanned if you keep talking like that. We love our corporate masters here.