The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly everyone must assume that despite all our best efforts, users on our networks are may already compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.
As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want. To break SSL encryption without triggering a browser warning, Superfish installs a signed root certificate on the machine. More specifically, the software installs the exact same root cert on a series of laptops, and researchers (and attackers) are able to quickly extract the cert. Rob Graham at Errata Security provides a nice write-up on how he was able to do this.