Superfish = super fun!

Frankly, I think Lenovo is being idiotic for allowing their PR machine to defend Superfish. The problem is bad. REALLY bad. Explosively bad now that it is plastered all over exactly the sort of forums and news sites likely to be visited by ill-intentioned hackers.

Prior to everyone being, almost maliciously, made aware of it, the threat was probably rather low. It was a high impact, low probability sort of thing.

But the real problem here is simple. Superfish is unlikely to be the only such piece of software out there. The type of certs exploited by this software can be given to many organizations. All it requires is that one of those companies implement something poorly, either because they don't understand it or because they don't think anyone will notice. I'm not sure which applies to Superfish, and I doubt we'll ever be certain.

And therein lies the problem with any security achieved via encryption. The keys are called keys for a reason. Anyone with access to them can "unlock" anything those keys protect. We put those keys into the hands of people. People can misuse them or make mistakes.

Truth is, any encryption is only as strong as the people and software that manage the encryption keys, and that key management is generally far less secure than the resulting encryption. People and bad software are easier to crack than the encryption algorithms themselves.
