広く普及している SSL/TLS のオープンソース実装を、最新バージョンに更新する必要があります。
広く普及している SSL/TLS のオープンソース実装を、最新バージョンに更新する必要があります。
Se recomienda a los usuarios hacer la actualización a la última versión de SSL / TLS
Users advised to update to latest version of popular open source implementation of SSL/TLS.Read More
Internet users with basic security knowledge are aware that they should look for the padlock icon in the address bar or the HTTPS in a web address to indicate that a website is secure. We have gotten used to seeing it on bank sites or shopping carts where we input our credit card information. More […]
最近報告された FREAK 脆弱性を悪用すると、攻撃者は、セキュア接続に対して強度が弱く、簡単に復号可能な暗号方式を強制的に使用させることができます。
A recently reported flaw lets attackers force secure connections to use a weaker, breakable form of encryption.Read More
Uma falha divulgada recentemente permite que atacantes forcem conexões seguras a utilizar uma forma mais fraca de criptografia, que pode ser quebrada.
Una falla reportada recientemente permite a los atacantes forzar las conexiones seguras a usar un método de cifrado más débil y quebrantable.
A security flaw was discovered in software that was pre-installed on some Lenovo laptops. Lenovo has issued the following Press Release. The story has been reported on multiple sites (for example, here and here). We applaud Lenovo for quickly publishing details on affected models and instructions for removing the flaw. The problem lies in the software from a company called Superfish that was pre-installed by Lenovo on certain computers. The main function of the software was to intervene when the user performed web searches in IE or Chrome browsers, and insert Superfish’s content into the search result page. Lenovo enabled this software to “help users find and discover products visually”, by incorporating relevant search results not offered by the search engine.
Interjecting content in web pages is not new (for example, via browser add-ons), but Superfish’s approach was novel, and didn’t use a browser add-on. Instead, the software intercepted all traffic between the browser and the network external to the computer. But since most large search engines (such as, Google, Bing, and Yahoo) now serve all content over https, the Superfish software couldn’t read (and more importantly, modify) any of that encrypted traffic. To get around this, an SSL Man-in-the-Middle (MITM) was set up in the computer itself, creating fake SSL certificates with the domain name of the intended web site. These certificates were signed by or chained up to Superfish’s private root certificate. Ordinarily, browsers would display a prominent warning that such a certificate wasn’t trusted, so that was addressed that by injecting Superfish’s root certificate into the Windows trusted root store during manufacture. To make all this work, of course, the private key corresponding to that root certificate had to be pre-installed on all of these computers. Superfish took steps to encrypt that private key, but the encryption was trivial and quickly broken.
The result is that attackers now have the private key corresponding to a root certificate that is trusted in these Lenovo computers, and that can be abused in too many ways to describe here.
In some ways, this is similar to the recent incident with Gogo inflight wifi service. Both make use of an SSL MITM technique to insert themselves into the otherwise secure connection between a browser user and the websites they visit. See our recent blog post to learn how SSL MITM attacks work. In Gogo’s case, the MITM (the actor generating certificates on the fly) was in Gogo’s network; in Superfish’s case, the MITM is in the computer itself.
As we’ve said before, SSL Man-in-the-Middle solutions can be justified within an enterprise, for example, to monitor employees’ web traffic. But the well-intentioned inclusion of Superfish had unintended consequences far beyond web searching, and created a potential for malicious MITM attacks. Pre-installing any root that does not belong to an audited Certificate Authority and marking it as trusted undermines the trust model created and maintained by platform vendors, browser vendors, and Certificate Authorities. Platform and browser vendors go to great lengths to validate the Certificate Authorities whose roots they include in their trusted root store. Microsoft provided the ability for an enterprise to add additional roots to the Windows trusted root store, and Google Chrome explicitly avoids performing public-key pinning checks for such added roots. As a result, Chrome users receive no warning of the MITM, as they did in the Gogo incident.
If you think you may have an affected Lenovo computer, visit this web site to check. Uninstalling the Superfish software isn’t enough to remove the vulnerability – you must also remove the Superfish root from the Windows trust store. The instructions provided by Lenovo achieve both objectives.
More than one billion people nowadays use smartphones devices and this number is growing rapidly. With the growing numbers of mobile users accessing the internet on Android smartphones and tablets, and iOS iPhones and iPads, the number of mobile threats and attacks is rising progressively. Mobile users store sensitive data, and engage in online banking operations, […]