Lenovo laptop owners were rightly upset last week when it was discovered their computers were designed to trust software from a less-than-reputable company called Superfish. But it's not just Lenovo owners who should have cause for concern: Most Macs and Windows PCs are set up to trust hundreds of organizations, from telecom companies to the Hungarian government.
Zit Seng, a Singaporean blogger who manages IT security for the National University of Singapore School of Computing, looked at just a few of the more than 200 sources trusted by Macs right out of the box—just like Lenovo laptops were set up to trust Superfish—and concluded that the risk of interception by a malicious party could be about the same.
Those automatically trusted authorities include the US government, the Japanese government, and the China Internet Network Information Center—a branch of the Ministry of Information Industry of the People's Republic of China that was caught distributing malware by Microsoft and antivirus company Panda.
Seng only looked at Macs, but there are also more than 400 certificates trusted by Windows by default. Those include the government of Tunisia, France's Secretariat-General for National Defence and Security, the Saudi Arabian government, and more.
This practice could theoretically leave users open to Superfish-style interception—rendering an encrypted connection useless and leaving communications open to interception—according to Filippo Valsorda, a system engineer for cyber security firm CloudFlare who designed an online test for Superfish.
"There are some cases where they would be harder or detectable—but the bottom line is that most Certificate Authorities have unlimited trust," Valsorda wrote in an email, meaning that once a certificate is loaded onto your computer, it can be used for nefarious purposes without being questioned. "So it's technically possible."
Let's take a step back: before your computer can establish a secure connection with a website or service, both your browser and the website you're trying to connect to need to make sure that both parties are who they say they are. The site sends a certificate issued by a trusted organization, known as a Certificate Authority (Symantec, for example). This "handshake" is the basis for a secure connection with your bank, for example, and hinges on the trustworthiness of the Certificate Authority.
The practice of automatically trusting certain sources isn't inherently bad. It makes it easy for users to connect securely to, say, Facebook or their bank, without having to verify the identity of the server on the other end. But the risk that comes with trusting these organizations is the same as trusting Superfish. Your encrypted connections can be intercepted if that trust is abused.
Superfish's software injected ads into web pages by hijacking a user's supposedly secure connection with a website. The software faked the proper credentials needed to start an encrypted session with the other server, called a certificate, effectively breaking the encrypted connection. This surreptitious action is called a man-in-the-middle attack. Though it wasn't Superfish's intention—the company just wanted to serve ads, not spy on you—faking a secure connection allowed the software to effectively make HTTPS encryption useless.
The same risk applies to all organizations trusted as Certificate Authorities.
The trusted status of government certificates leading to man-in-the-middle attacks on unsuspecting users may be more than merely technically possible, as Valsorda said, however.
In 2013, Google found that a certificate issued by the French National Agency for the Security of Information Systems (ANSSI) had been used "in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network," according to a Google blog post. The certificate was revoked by Google Chrome at the request of ANSSI once they were alerted to the issue.
So why do our computers trust so many certificate issuers in the first place? It's better than a more centralized alternative, according to Valsorda, which could allow for a handful of trusted—and hence powerful—entities to run amok. "How do you decide who to trust? Nobody knows," he wrote. "If you trust only a few entities, you give them disproportionate power—including market power. They would sell HTTPS certificates for high prices because they would be the only ones allowed to."
Removing a local Certificate Authority like Superfish or those provided by governments is difficult—not just technically, for most people, but because a lot of online activity assumes that everyone has a certain amount of pre-installed certificates. The certificate system itself, a relic of 90s internet security, is too ingrained to move past now. But there are ways to make it more secure.
Key pinning asks a browser to remember the certificate it was provided after connecting to a website for the first time, ensuring that any future fakes are rejected. This approach wouldn't stop Superfish-style interception, however, since key pinning isn't capable of validating pre-installed certificates. Another option, the idea of certificate transparency, championed by Google and the Electronic Frontier Foundation, validates certificates by keeping track of them in a public log.
How much should you worry about any of this, really? Governments already have plenty of ways to circumvent encryption, and won't stop short of stealing millions of encryption keys, like NSA and Britain's GCHQ did in the case of SIM card manufacturer Gemalto. Moreover, there are plenty of good reasons to stick with HTTPS—encryption works. Even so, the Superfish fiasco is a reminder that who we trust online, and whom we're forced to trust in the case of pre-installed certificates, matters.