Dell does a Superfish, ships PCs with self-signed root certificates

In a move eerily similar to the Superfish debacle that visited Lenovo in February, Dell is shipping computers that come preinstalled with a digital certificate that makes it easy for attackers to cryptographically impersonate Google, Bank of America, and any other HTTPS-protected website.

The self-signed transport layer security credential, which was issued by an entity calling itself eDellRoot, was preinstalled as a root certificate on at least two Dell laptops, one an Inspiron 5000 series notebook and the other an XPS 15 model. Both are signed with the same private cryptographic key. That means anyone with moderate technical skills can extract the key and use it to sign fraudulent TLS certificates for any HTTPS-protected website on the Internet. Depending on the browser used, any Dell computer that ships with the root certificate described above will then accept the encrypted Web sessions with no warnings whatsoever.

The crowdsourced discovery came over the weekend, as Dell customers shared technical details of the eDellRoot certificate installed on recently purchased computers. Joe Nord, a self-described programmer, showed the certificate as it appears in the Microsoft Management Console:

Read 6 remaining paragraphs | Comments