Not just Lenovo: Dell ships computers with self-signed root certificates


#3

At least Dell is not MS-centric :smile:

from the Register article

We're also chasing up claims that its Ubuntu Linux laptops ship with the same dodgy root cert installed.

#4

Stop complaining and start making use of this valuable intel.


#5

Shouldn’t it be a criminal matter to hide these things in a computer?


#6

This story misses a point that Ars Technica identified as being worse than the Lenovo/Superfish debacle.

…
Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet.

Their recommendation is to use Firefox until Dell mea culpa’s out a patch for their oopsie, because Firefox, at least, throws up a warning dialog when a website is spoofed using this cert.


#7

Why does anyone use the shovelware-laden preinstalled OS, especially one that can be had for free? (Free with caveats in Win10’s case.)

Come to think of it, most people leave all those manufacturer/advertiser stickers that their laptops came with, so I shouldn’t be surprised. SMH.


#8

I “inherited” a few such machines. My laser controller laptop arrived after a couple of years of “civilian” use (and with busted batteries and power connector harvested to repair another machine) and with such stickers still there.


#9

I know this is going to sound like a wall of jargon…

But if a researcher wants to know what domains are being MitM’ed you can set up a local Burp proxy. It won’t decode the traffic, but it will give you domains.

If you want to see decoded traffic, play their game. Set up a double proxy for domains discovered on Burp and tcpdump that traffic. Which is basically what they are doing.

This shit gives people like me a bad name
I want to bust the next gen RBN, not… Dell.


#10

Another fun thing to watch for are DNS queries.

ARP also tells a lot. Fun to watch the broadcasts on hotel wifis.


#11

OS licenses - not everyone can or wants to buy a new license to replace the one that came “free” with the OS…


#12

Technically, all root certificates are self-signed.

The real problem is somewhere else - they installed a certificate to the root trust store and then stored the private key on the PC itself, effectively making it public for anyone to abuse.


#13

Dell apparently will/has provided an update to remove the cert. Also there are instructions to manually remove it:


#14

Meanwhile, in today’s news, Dell has released an uninstaller for the faulty certs, with a promise that they won’t come back.


#15

I don’t understand why they didn’t provide a solution when Lenovo shipwrecked with superfish.


#16

Ostensibly, because these were “good guy” phony certs – making it easier for Dell to glean service tag info. In reality, who knows…p’bly for the same reason roaches in the kitchen don’t scurry when the bathroom lights go on.


#17

Dell is serious about your privacy
Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.


#18

yes yes, I know - selective quoting is unfair. but still :smile:

