Superfish doubles down, says HTTPS-busting adware poses no security risk

Following security professionals' near-unanimous condemnation of adware that hijacked encrypted Web connections on Lenovo computers, the CEO of the company that developed the finished product is doubling down on his insistence that it poses no threat to end users.

The statement, e-mailed to Ars by a Superfish spokeswoman and attributed to company CEO Adi Pinhas, is notable for making no reference to secure sockets layer, transport layer security, HTTPS, or any other form of encryption. Those technologies are at the core of security researchers' criticisms. They say the self-signed certificates, registered to Superfish and installed in the root level of every PC's SSL/TLS folder, make it easy for malicious hackers and even script kiddies to build websites that trick affected browsers into behaving as if they're connected to servers for Bank of America, Google, or any other HTTPS-protected website on the Internet. In fact, there's near-universal agreement about this. Earlier today, the US CERT joined the growing chorus of critics with an advisory headlined "Lenovo Computers Vulnerable to HTTPS Spoofing."

Despite all of this, Pinhas's statement doesn't address the criticism. Instead, it attacks an argument that no one has made—that Superfish somehow shares personal information without users' permission. Here is the statement in full:
