Dell shipped computers with a preloaded CA, and left the private key in, Superfish style. ANYONE can MitM ANYTHING. http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/ …
Replying to @FiloSottile
Here are the official, easy instructions to remove the eDellRoot certificate. Converted to pdf from Dell's docx: https://filippo.io/Badfish/eDellRootCertRemovalInstructions.pdf …
Replying to @FiloSottile
@FiloSottile But the cert can be used for more than just MiTM of HTTPS though, right? e.g. Authenticode signing, S/MIME, etc?
Replying to @FiloSottile
@FiloSottile Any value in moving the offending certificate to "Untrusted Certificates"? e.g. to prevent (un)intended reinstallation of it?
Replying to @FiloSottile
@FiloSottile I've confirmed that a cert present in both "Trusted Certificates" and "Untrusted Certificates" is... TRUSTED. This seems bad!
@FiloSottile Or not, it seems. I blame overzealous IE caching.