This is a serious problem. In order for cryptography to work, there must be two keys — a public key and a private key. The public key is used to encrypt messages transmitted to the server, while the private key is used by the server to decrypt those messages. The entire concept of public-key cryptography relies on the private key remaining private. Because it’s computationally impractical to derive the private key from analyzing public keys, public keys can be distributed everywhere, while the private keys used to decrypt the information remain under lock and key.

Shipping a computer with a private key already installed means that the key can be extracted and used to sign fraudulent websites. Dell computers with the eDellRoot certificate installed will not recognize that these websites are fraudulent, because the key that they rely on to do so has told the system that they aren’t.
What’s missing from this picture is any sense of why
the eDellRoot key is installed on Dell laptops in the first place. In
Lenovo’s case, it compromised user security and broke the entire HTTPS
model to ship a lousy bit of adware that supposedly enabled “Visual
search.” Lenovo later claimed that the revenue it earned from Superfish
was tiny, which made sense, but didn’t explain why the company had
broken HTTPS security in order to earn a trifling bit of cash.
Dell’s eDellRoot certificate doesn’t seem tied to any specific service or capability. It’s not linked to malware or customer complaints the way Superfish was, and it’s not clear how many systems have shipped with the certificate installed. So far, we’ve seen reports that at least some Inspiron 5000 models are affected. These are Windows 10 machines shipping nine months after Superfish.
The world of OEM systems is cutthroat, with thin margins and aggressive product positioning, but this isn’t exactly a feature anyone asked Dell to copy from Lenovo. It’s not clear yet how large the problem is, but testing has shown that systems with the eDellRoot certificate installed will establish connections to clearly fraudulent sites.
Wondering if your own Dell machine has this problem? This test site
is designed to test if your system has eDellRoot installed — if your
Dell connects to the link without error when using IE or Chrome, you’ve
got an eDellRoot problem. According to Ars Technica,
Firefox still reports that the site has certificate issues. Researchers
have also apparently told Ars that this certificate can be used to sign
applications, bypassing malware checks.
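The test site above answers the question from the browser’s side. The following added example (not part of the original article or any Dell tooling) answers it from the trust store’s side: it asks Python’s ssl module for the CA certificates the platform trusts and looks for one whose subject commonName is eDellRoot. It assumes the article’s CN spelling, checks only that the certificate is trusted (not whether its private key is installed), and embeds constructed sample entries so the check can be exercised on a machine that does not have the certificate.

```python
import ssl

# Added example (not from the original article): look for a CA named
# eDellRoot among the certificates Python's ssl module loads from the
# platform trust store. On Windows, create_default_context() pulls from
# the system ROOT and CA stores, which is where the article says the
# certificate lives.

TARGET_CN = "eDellRoot"  # subject commonName named in the article (assumed exact)

def subject_common_name(ca_dict):
    """Return the commonName from a get_ca_certs() dict, or None."""
    # 'subject' is a tuple of RDNs; each RDN is a tuple of (type, value) pairs.
    for rdn in ca_dict.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return None

def find_cas_named(ca_dicts, name=TARGET_CN):
    """Return every loaded CA whose subject commonName equals `name`."""
    return [c for c in ca_dicts if subject_common_name(c) == name]

def system_trusted_cas():
    """Load the platform trust store and return its CA entries as dicts."""
    ctx = ssl.create_default_context()  # calls load_default_certs() for us
    return ctx.get_ca_certs()

def edellroot_present(ca_dicts=None):
    """True if a CA with commonName eDellRoot is in the trusted set."""
    if ca_dicts is None:
        ca_dicts = system_trusted_cas()
    return len(find_cas_named(ca_dicts)) > 0

# Constructed sample entries in the shape get_ca_certs() returns, so the
# logic can be exercised on a machine that does not have the certificate.
SAMPLE_CAS = [
    {"subject": ((("countryName", "US"),), (("commonName", "Example Root CA"),)),
     "issuer": ((("commonName", "Example Root CA"),),),
     "serialNumber": "01"},
    {"subject": ((("commonName", "eDellRoot"),),),
     "issuer": ((("commonName", "eDellRoot"),),),
     "serialNumber": "02"},
]

if __name__ == "__main__":
    hits = find_cas_named(system_trusted_cas())
    if hits:
        print("eDellRoot is trusted on this machine:")
        for c in hits:
            print("  serial", c.get("serialNumber"), "expires", c.get("notAfter"))
    else:
        print("eDellRoot not found among loaded trusted CAs")
```

Note that certificates loaded lazily from a capath directory are only reported by get_ca_certs() once they have been used, so an empty result on a non-Windows machine is not a guarantee of absence.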
We’ve reached out to Dell, who provided the following statement:
Customer security and privacy is a top concern for Dell. We have a strict policy of minimizing the number of pre-load applications and assessing all applications for their security and usability. Dell has an extensive end-user security practice that develops capabilities and best practices to best protect our customers. We have a team investigating the current situation and will update you as soon as we have more information.