Tuesday, February 24, 2015

Got Malicious Root Certificates?

You may have heard about a "scandal" involving an adware program called Superfish that Lenovo shipped preinstalled on some of its consumer laptops. Adware isn't great, but it's not scandal-worthy. What makes Superfish so shocking is that it completely subverts SSL/TLS: it installs its own root certificate in the computer's trusted root store, intercepts HTTPS connections, makes the request to the real server itself, injects ads into the page, and then hands the browser a certificate for that site that it has minted on the fly and signed with its own root, so the HTTPS lock icon still appears legitimate. That alone would be a serious violation of privacy, but it gets worse: every affected laptop got the same root certificate and the same private key (rather than a unique one generated per machine), and that key shipped inside the software protected only by a trivially guessable password. Researchers extracted it within hours of the story breaking. With the key in hand, anyone in a man-in-the-middle position (on the same coffee-shop Wi-Fi, say) can present a legitimate-looking certificate for any secure site to any machine with Superfish installed, and the browser will accept it without complaint.

The lesson is that a malicious (or merely careless) entry in the trusted root certificate list can seriously subvert web client security. In Windows, you can check your own user's trusted roots by typing "certmgr.msc" in the Run dialog to open the certificates manager. The "Trusted Root Certification Authorities" and "Third-Party Root Certification Authorities" folders together comprise the list of people your web browser ultimately trusts. Note that this shows the current user's store; software like Superfish installs into the machine-wide store, which you open separately with "certlm.msc" (Windows 8.1 and later) or by adding the Certificates snap-in for the computer account in mmc.exe. You might want to check both if you're suspicious.
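Clicking through every folder by hand gets old fast, so here is an added example (my own script, not part of the original post or anything Lenovo or Superfish shipped) that walks all four trusted root stores from PowerShell and flags entries worth a closer look. The "Server Authentication" OID is the standard one; the key-size threshold, the "issued recently" window and the match on the name "Superfish" are my own heuristics, chosen for illustration. It needs PowerShell 3.0 or later and an elevated prompt to see the machine stores.

```powershell
# Added example, not from the original post: list trusted roots that could be
# used to fake an HTTPS site and flag the ones that look out of place.
# Run from an elevated PowerShell prompt (PowerShell 3.0+).

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU "Server Authentication"; certmgr shows it as
                                       # "Ensures the identity of a remote computer"
$EkuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

# Root = roots shipped with Windows or installed by software; AuthRoot = the
# Microsoft-maintained third-party roots. Both the user and machine stores are trusted.
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
          'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\AuthRoot'

function Get-SuspiciousRoots {
    foreach ($StorePath in $Stores) {
        foreach ($Cert in (Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue)) {
            $Reasons = @()

            # A root WITH an EKU extension is limited to the listed purposes, but a root
            # with NO EKU extension is unrestricted. Either way it may sign TLS server certs.
            $EkuExt = $Cert.Extensions | Where-Object { $_ -is $EkuType }
            $CanSignTls = $true
            if ($EkuExt) {
                $CanSignTls = [bool]($EkuExt.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq $ServerAuthOid })
            }
            if (-not $CanSignTls) { continue }   # cannot be used to fake HTTPS; skip it

            # Key size (heuristic threshold of 2048 bits is my choice). PublicKey.Key can
            # throw for some ECC certificates on older .NET, hence the fallback to 0.
            try   { $KeySize = $Cert.PublicKey.Key.KeySize } catch { $KeySize = 0 }
            if ($KeySize -gt 0 -and $KeySize -lt 2048) { $Reasons += "weak key ($KeySize bits)" }

            # An end-user machine should never hold the PRIVATE key of a trusted root.
            if ($Cert.HasPrivateKey) { $Reasons += 'private key present on this machine' }

            # Roots newer than two years (my window) were most likely added by a program.
            if ($Cert.NotBefore -gt (Get-Date).AddYears(-2)) { $Reasons += 'issued recently' }

            # Name match for the adware this post is about.
            if ($Cert.Subject -match 'Superfish') { $Reasons += 'known adware CA name' }

            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $StorePath
                    Subject    = $Cert.Subject
                    Thumbprint = $Cert.Thumbprint
                    KeyBits    = $KeySize
                    NotBefore  = $Cert.NotBefore
                    Reasons    = ($Reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousRoots | Format-Table -AutoSize -Wrap
```

The script only reports; it never deletes anything. If research confirms an entry is bogus, the same Cert: drive removes it (for example `Get-ChildItem Cert:\LocalMachine\Root\<thumbprint> | Remove-Item` from an elevated prompt). Keep in mind that Firefox maintains its own certificate store rather than using the Windows one, so a root that was also pushed into Firefox has to be removed there separately.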

[Screenshot: an unfamiliar entry in the Trusted Root Certification Authorities list. Caption: "This looks suspicious."]
However, for a root to be usable for faking an HTTPS site, browsers require that the certificate's purposes include "Ensures the identity of a remote computer" (the "Server Authentication" enhanced key usage). Double-click a certificate and look at the General tab to see what it can do. One caveat: a root certificate that lists no purposes at all is unrestricted, which is just as dangerous as one that lists this purpose explicitly.
[Screenshot: the certificate's properties dialog showing that purpose. Caption: "Uh oh. (Fortunately, I knowingly made this and I have its key.)"]
You might be surprised who your browsers trust. (Though do be careful: don't just delete a bunch of RCAs because you don't recognize them. Research is important! Some RCAs are critical to the proper functioning of Windows, like the ones for Windows Update or Authenticode code signing.) Also note that Firefox keeps its own certificate store rather than using the Windows one, so check it separately.
