<h1>Getting Superfish out of Firefox</h1>
<p>Mozilla Security Blog, by Richard Barnes, published 2015-02-27 (last modified 2016-09-30). Canonical URL: <a href="https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-firefox/">https://blog.mozilla.org/security/2015/02/27/getting-superfish-out-of-firefox/</a></p>

<p>First things first: If you are reading this post on a recent Lenovo laptop, please click the lock icon in the URL bar, then click “More Information…”. If you see “Verified by: Superfish, Inc.”, you are infected with Superfish, and you should follow <a href="https://support.lenovo.com/us/en/product_security/superfish_uninstall">these instructions</a> to remove it.</p>

<p>The <a href="http://thenextweb.com/insider/2015/02/19/lenovo-caught-installing-adware-new-computers/">Superfish adware distributed by Lenovo</a> has brought the issue of SSL interception back to the headlines. SSL interception is a technique that allows other software on a user’s computer to monitor and control their visits to secure Web sites — however, it also enables attackers to masquerade as secure websites, in order to spy on users or steal personal information. Firefox is affected by Superfish, but Mozilla is deploying a hotfix to Firefox that works with other disinfection software to ensure that Firefox is disinfected as well.</p>

<p>Like other SSL interception software, Superfish seeks to add functionality to the Web by intercepting secure Web connections and injecting content into Web sites. In order to be able to inject content into secure connections, it adds a trusted root certificate to the Windows and Firefox root stores. With this trusted authority in place, Superfish can effectively create a fake ID for any website, so that it can convince Firefox that the browser is connected to the real website — even though it’s actually connected to Superfish.</p>

<p>This would be no worse than garden-variety adware if not for the fact that Superfish uses the same root certificate for all infected computers, and the private key for this certificate has been extracted and published to the Internet. Using this private key, <strong>anyone on the Internet</strong> (not just Superfish) can create a fake ID that a Superfish-infected browser will accept. So if you’re using a Superfish-infected computer to connect securely to your bank, you might actually be connected to a criminal who is presenting a fake ID for your bank.</p>

<p>It appears that on affected systems (e.g., Lenovo laptops pre-loaded with Superfish), Superfish infects Firefox by adding its root certificate to the root store. The good news is that, according to research by <a href="https://www.facebook.com/notes/protect-the-graph/windows-ssl-interception-gone-wild/1570074729899339">Facebook</a> and <a href="https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops">EFF</a>, relatively few Firefox users have been infected. The bad news is that some of the current disinfection tools do not disinfect Firefox.</p>

<p>For users who wish to ensure that they are disinfected, the best thing to do is to follow <a href="https://support.lenovo.com/us/en/product_security/superfish_uninstall">Lenovo’s instructions for removing Superfish</a>. This will remove Superfish entirely from the computer, including removing it from Firefox.</p>

<p>Some other disinfection tools will remove Superfish from Windows, but not from Firefox. In order to ensure that these users are not vulnerable, we are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox. We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing <b>any</b> HTTPS websites.</p>

<p>Finally, a word to software authors who might be considering SSL interception: If you want to add features to the Web, don’t intercept, make an extension. All of the major browsers offer extension frameworks (see these links for <a href="https://developer.mozilla.org/en-US/Add-ons?menu">Firefox</a>, <a href="https://developer.chrome.com/extensions">Chrome</a>, <a href="https://msdn.microsoft.com/en-us/library/aa753587%28v=vs.85%29.aspx">IE</a>, <a href="https://developer.apple.com/programs/safari/">Safari</a>, and <a href="https://addons.opera.com/en/extensions/">Opera</a>). Using these toolkits helps you avoid violating users’ security, while also giving you more powerful and easier-to-use tools than you can get from an interception system. The Web works better when we build it together.</p>