Web Browsers Also to Blame for Lenovo's Superfish Fiasco

The time has come to unmask the identify of Certificate Authorities vouching for secure websites

Lenovo pre-installing Superfish software was a security disaster. Whether Lenovo was evil, or, as they eventually claimed, merely incompetent, it's hard to trust them going forward. If nothing else, their initial denials that anything was wrong, leave a lasting impression. Of course, Superfish, along with the software that they bundled from Komodia, also deserve plenty of blame for breaking the security of HTTPS and SSL/TLS.

Taking a step back however, blame also falls on our web browsers.

Google (Chrome), Microsoft (Internet Explorer), Apple (Safari) and Mozilla (Firefox) enable the security hack that Superfish and others such as PrivDog and Gogo engage in. They do this by omission, not commission. 

Let me explain.

Secure (HTTPS) web pages are required to send the web browser a file called a digital certificate which serves, among other purposes, to insure that you are actually viewing the website you think you are viewing.

This is needed because the underlying design of the Internet makes scam websites possible. That is, you could be looking at somebankingsite.com and instead of it really being a bank, it could be a phony duplicate site designed to trick you in any number of ways.

One defense against this, is the digital certificate file. Just as a postmark proves where and when a letter was mailed, the certificate file is supposed to prove the identity of the website.

To run a secure HTTPS website, you first have to get a certificate file from any of the hundreds of companies in business to sell them. These trust-selling profit-making companies are called Certificate Authorities. They are supposed to check the identity of the person or company making the request.

Pass the identity check, pay a fee, and you get a certificate file vouched for by a Certificate Authority.

Techies refer to the certificate file as "certificate" or, more often, just as a "cert". An article about Gogo at Ars Technica referred to it as an "HTTPS certificate". A recent Bloomberg story about Hilary Clinton's private email system called it an "encryption certificate" referring to another of its purposes - being the basis for encrypting data in transit. Google, in their explanation of the topic below, calls it a "security certificate".

To verify their identity, sites that use SSL present security certificates to Chrome. Anyone can set up a website pretending to be another site, but only the real site has a valid security certificate for the URL you're trying to reach. Invalid certificates could mean that someone is trying to tamper with your connection to the site.

Verbiage like this probably sounds reassuring, to non-techies, but, the system is terribly flawed, so much so, it borders on being a scam.

One of the biggest flaws in the system is that any Certificate Authority (CA) can vouch for any website.

Add to this, the fact that there are hundreds of Certificate Authorities and each one has sub-contractors than can also issue certificates.

Plus, no one knows who these companies are. GeoTrust, Entrust, USERTrust, GTE CyberTrust, Starfield, CertPlus, DigiCert and Thawte are not exactly household names. Steve Gibson is fond of pointing out that the Hong Kong Post Office is a trusted Certificate Authority. Would you trust a website whose identity is certified by the Hong Kong Post Office? Our browsers do.

The companies that produce web browsers did not create this flawed system, but they aid it, by hiding it.

The time has come for web browsers to stop hiding the name of the Certificate Authority vouching for secure websites.

No doubt, Microsoft, Apple, Google and Mozilla will point out that the name of the vouching Certificate Authority is readily available. Technically, it is. Realistically, however, it is not, at least not for the non-techies that need it the most.

To see the name of the vouching Certificate Authority you need to know a secret handshake, a clickstream that's never explained to newbies. And, the handshake differs for each browser.

Limiting myself to just Windows, I found multiple paths to uncovering the name of the vouching CA.


With Firefox 36 (above), you need to click on the company name in green, just to the left of the website name in black on the address bar. In the window pops up, "Verified by" is the CA name.


In Chrome 41, the company name is dark green in a light green rectangle. You again need to click on the company name, then on the word "Connection". It is not immediately clear in the window that pops up that there are two tabs, one for Permissions, one for Connections.

1 2 3 Page 1
Page 1 of 3
Discover what your peers are reading. Sign up for our FREE email newsletters today!