“SSL hijacker” behind Superfish debacle imperils large number of users

Thursday's revelations that Lenovo PCs ship with adware that intercepts sensitive HTTPS-protected traffic have focused intense scrutiny on Superfish, the company that markets the intrusive software. But lost in the furor is the central role a company called Komodia plays in needlessly exposing the passwords and other sensitive data of not just Lenovo customers, but also a much larger base of PC users.

As this post was being prepared, Komodia's website was only sporadically available, with its homepage saying it was under distributed denial of service attacks. There's never a legitimate reason for people to carry out DDoS attacks, but the underlying anger directed at Komodia is understandable. The company proudly markets HTTPS-decrypting and interception software that's used by more than 100 clients, including Fortune 500 companies. "With a simple-to-control interface, you can intercept website traffic and network applications from any program language," a promotional video boasts. The company's website brazenly refers to one of its software development kits as an "SSL hijacker."

The fake secure sockets layer certificate found on Lenovo machines preinstalled with Superfish came from none other than Komodia. It was bundled with a password-protected private encryption key, presumably to prevent it from being used by malicious hackers to create websites that spied on users as they visited HTTPS-protected pages. But as Ars reported Thursday, the measure was laughably easy to bypass, since it took Errata Security CEO Rob Graham just three hours to discover that the password was, you guessed it, "komodia."
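A trusted root whose private key is available to anyone lets that person mint a valid-looking certificate for any HTTPS site, so the practical defender question is whether such a root sits in a machine's trust store. The following PowerShell audit is an added example, not code from the article or from Lenovo, Superfish or Komodia; it assumes a Windows endpoint, and the "Superfish" and "Komodia" subject patterns are taken from the names in the article rather than from a published certificate listing.

```powershell
# Added example (not from the article): audit the Windows root stores for
# interception roots such as the one Superfish/Komodia installed.
function Find-SuspectRootCA {
    param(
        # Subject substrings worth flagging. "Superfish" and "Komodia" are the
        # vendor names from the article; any further entries are the
        # operator's own assumption about what to look for.
        [string[]]$SuspectPatterns = @('Superfish', 'Komodia')
    )
    $stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $pattern = ($SuspectPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    Get-ChildItem -Path $stores |
        Where-Object {
            # Flag a root whose subject matches a known interception vendor,
            # or any trusted root whose private key is reachable from this
            # endpoint: a root CA key has no business living on a client PC.
            $_.Subject -match $pattern -or $_.HasPrivateKey
        } |
        Select-Object PSParentPath, Thumbprint, Subject, NotAfter, HasPrivateKey
}

Find-SuspectRootCA | Format-Table -AutoSize
```

An empty result means neither store holds a matching or key-bearing root; a hit should be reviewed and, once confirmed unwanted, removed from an elevated shell with `Remove-Item` on its `Cert:` path, after which the software that installed it must also be uninstalled or it may simply re-add the root.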
