First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”. If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow these instructions to remove it.
The Superfish adware distributed by Lenovo has brought the issue of SSL interception back to the headlines. SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to masquerade as secure websites, in order to spy on users or steal personal information. Firefox is affected by Superfish, but Mozilla is deploying a hotfix to Firefox that works with other disinfection software to ensure that Firefox is disinfected as well.
Like other SSL interception software, Superfish seeks to add functionality to the Web by intercepting secure Web connections and injecting content into Web sites. In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores. With this trusted authority in place, Superfish can effectively create a fake ID for any website, so that it can convince Firefox that the browser is connected to the real website — even though it’s actually connected to Superfish.
This would be no worse than garden-variety adware if not for the fact that Superfish uses the same root certificate for all infected computers, and the private key for this certificate has been extracted and published to the Internet. Using this private key, anyone on the Internet (not just Superfish) can create a fake ID that a Superfish-infected browser will accept. So if you’re using a Superfish-infected computer to connect securely to your bank, you might actually be connected to a criminal that is presenting a fake ID for your bank.
It appears that on affected systems (e.g., Lenovo laptops pre-loaded with Superfish), Superfish infects Firefox by adding its root certificate to the root store. The good news is that according to research by Facebook and EFF, it appears that relatively few Firefox users have been infected. The bad news is that some of the current disinfection tools do not disinfect Firefox.
For users that wish to ensure that they are disinfected, the best thing to do is to follow Lenovo’s instructions for removing Superfish. This will remove Superfish entirely from the computer, including removing it from Firefox.
Some other disinfection tools will remove Superfish from Windows, but not from Firefox. In order to ensure that these users are not vulnerable, we are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox. We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites.
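As an added illustration of the hotfix rule described above (example code written for this post, not Mozilla's actual hotfix): it parses a Firefox profile's certificate list as printed by NSS's `certutil -L`, flags any root named Superfish that is trusted to issue SSL certificates, and removes it only when the caller reports that the Superfish software itself is gone. The listing below is constructed, and how "still installed" is determined is assumed to be handled elsewhere.

```python
import subprocess
from typing import List, Tuple

# Constructed sample of `certutil -L -d sql:<profile>` output (NSS tool that
# lists a Firefox profile's certificate database). Not captured from a real
# machine; the nicknames other than "Superfish, Inc." are placeholders.
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              C,,
Superfish, Inc.                                              C,,
Unrelated Client Cert                                        u,u,u
"""

SUSPECT_NAME = "superfish"


def parse_certutil_listing(text: str) -> List[Tuple[str, str]]:
    """Return (nickname, trust_flags) for each entry in certutil -L output."""
    entries = []
    for line in text.splitlines()[2:]:      # skip the two header lines
        line = line.rstrip()
        if not line:
            continue
        # the nickname and the trust attributes are separated by a run of spaces
        nickname, _, flags = line.rpartition("  ")
        entries.append((nickname.strip(), flags.strip()))
    return entries


def find_interception_roots(entries: List[Tuple[str, str]]) -> List[str]:
    """Nicknames naming Superfish whose SSL trust flag contains 'C', i.e. the
    entry is trusted as a CA and can vouch for any website's certificate."""
    hits = []
    for nickname, flags in entries:
        ssl_trust = flags.split(",")[0]
        if SUSPECT_NAME in nickname.lower() and "C" in ssl_trust:
            hits.append(nickname)
    return hits


def plan_hotfix(entries: List[Tuple[str, str]], software_installed: bool) -> List[str]:
    """Mirror the hotfix rule: remove the root only once the proxy is gone.
    While the interception software still runs, every HTTPS site is signed by
    this root, so deleting it would make all of them fail to load."""
    if software_installed:
        return []
    return find_interception_roots(entries)


def remove_roots(profile_dir: str, nicknames: List[str]) -> None:
    """Delete the flagged entries from the profile's database with certutil."""
    for nick in nicknames:
        subprocess.run(["certutil", "-D", "-n", nick, "-d", f"sql:{profile_dir}"], check=True)
```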
Finally, a word to software authors who might be considering SSL interception: If you want to add features to the Web, don’t intercept, make an extension. All of the major browsers offer extension frameworks (see these links for Firefox, Chrome, IE, Safari, and Opera). Using these toolkits helps you avoid violating users’ security, while also giving you more powerful, and easier-to-use tools than you can get from an interception system. The Web works better when we build it together.