Dell gets Superfishy by shipping PCs with self-signed root certificates

— 4:31 PM on November 23, 2015

Remember the Superfish debacle, when Lenovo shipped computers with a preinstalled rogue root certification authority (CA)? Dell seems to think that was a good idea, as it's shipping laptops and desktop PCs with a similar self-signed "eDellRoot" root CA, installed in Windows' trusted root store together with its private key. Anyone who pulls that key off one affected machine (it is the same on every one of them) can issue valid-looking certificates for any website, and affected Dell machines will accept those certificates as legitimate, leaving the user none the wiser.

For the uninitiated, secure connections to websites (among other things) rely on a chain of certificates leading back to a trusted root, which is what guarantees that the server is who it claims to be and that data in transit can't be read or altered. Operating systems and web browsers ship with a set of root certificates for commonly-used certification authorities. These are the trust anchors: a website's certificate is accepted when it was signed, directly or through intermediate certificates, by one of them. Roots have to be preinstalled rather than fetched over the network, because nothing would be there to vouch for them if they arrived the same way as the certificates they are supposed to verify.

The problem with Dell's (and Lenovo's) preinstalled rogue CA is simple. Because the CA's private key ships on the machine, an attacker can easily issue a fake certificate for any website on the internet and digitally sign it with eDellRoot. From that point on, anyone able to intercept the victim's traffic can steer a person with an affected Dell computer to a fake Google or online-banking page. The browser will show the padlock icon, vouching for both the (fake) website's identity and the use of a secure connection.

This problem was discovered by several Dell users. One was programmer Joe Nord, who bought a Dell Inspiron 5000 last October. Another was reddit user "rotorcowboy," who owns a Dell XPS 15. Both noticed their machines had the eDellRoot CA preinstalled. An Ars Technica user confirmed the problem extends to some Dell desktops, too. To illustrate the problem, security researcher Ken White put up a test website with a certificate signed by eDellRoot; affected Dell users will see it as completely legit in Chrome, Edge, or Internet Explorer, all of which rely on the Windows certificate store. Firefox uses its own list of CAs, so it dutifully raises an alert.

At this point, it's not known exactly how many machines are affected by this problem, or what Dell's reasoning is for including this rogue CA. In fact, the company's DellCares Twitter handle downplayed the problem. Dell users wanting to check their machines can do so using Windows' Certificates MMC snap-in: look for eDellRoot under Trusted Root Certification Authorities.
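The same check can be scripted. The following is an added example, not code from the article or from Dell: it searches the machine-wide and per-user trusted root stores (the ones Chrome, Edge and Internet Explorer consult) for a certificate whose subject is eDellRoot, reports whether a private key is attached to it on this machine, and optionally removes it. The subject name comes from the article; the `-Remove` switch and the output layout are choices made here.

```powershell
# Added example (not from the article or from Dell): find the eDellRoot CA in
# the Windows trusted root stores, report whether its private key is present,
# and optionally remove it. Run from an elevated PowerShell prompt.
param(
    [switch]$Remove   # hypothetical switch chosen for this example
)

# Windows builds chains against both the machine and the user root store.
$storePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($path in $storePaths) {
    Get-ChildItem -Path $path |
        Where-Object { $_.Subject -like '*CN=eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $path
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root certificate on its own is just a trust anchor. A root
                # whose private key is also on the box lets anyone who reads
                # that key mint certificates this machine will accept.
                HasPrivateKey = $_.HasPrivateKey
                # Root CAs are self-signed: issuer and subject are identical.
                SelfSigned    = ($_.Subject -eq $_.Issuer)
            }
        }
}

if (-not $findings) {
    Write-Output 'eDellRoot not found in the LocalMachine or CurrentUser Root store.'
    return
}

$findings | Format-List

if ($Remove) {
    foreach ($f in $findings) {
        # Remove-Item on a Cert: path deletes the certificate from the store;
        # -DeleteKey also destroys the associated private key container.
        $certPath = Join-Path -Path $f.Store -ChildPath $f.Thumbprint
        Remove-Item -Path $certPath -DeleteKey -ErrorAction Stop
        Write-Output "Removed $($f.Subject) from $($f.Store)"
    }
}
```

Run it without `-Remove` first and look at the `HasPrivateKey` column: a root certificate with a private key sitting next to it in the store is the condition that makes eDellRoot dangerous, since the key can be exported and used to sign a certificate for any hostname. Deleting the certificate from the root store is what stops the browsers that use the Windows store from trusting certificates chained to it; the MMC route (certlm.msc for the machine store, certmgr.msc for the user store) does the same thing by hand.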
