Windows SSL Interception Gone Wild

February 20, 2015

Matt Richard

This week researchers found that newer Lenovo laptops shipped with pre-installed software made by Superfish. The discovery is the latest reminder that our collective security depends on one another more than ever. As the news quickly rippled out, our Threat Infrastructure team at Facebook began performing an analysis of the details. Given our strong belief in the value of openness in security and learning from one another, we summarized some of our findings below to help guide future research on the subject.

It's not uncommon for OEMs to ship devices with a number of pre-installed applications. The difference with Superfish is the software's ability to intercept people's connections to websites secured with SSL and then inspect the content. Superfish uses a third-party library from a company named Komodia to modify the Windows networking stack and install a new root Certificate Authority (CA), allowing Superfish to impersonate any SSL-enabled site. The new root CA undermines the security of web browsers and operating systems, putting people at greater risk. The stated reason for this inspection functionality is to enable the Superfish Visual Search capability that looks at people's search queries and makes suggestions based on proprietary processes.

Despite the frequency of secure communications inspection by companies like anti-virus software makers, whose products must sit in the middle of connections to provide their service, we see several reasons to be concerned about this practice in the case of Superfish and others. Chief among those is privacy—the Superfish software can see all of the computer user's activity, including banking, email and Facebook traffic. The second problem is the use and installation of a new root CA, especially when that root CA is the same across many different computers. By reusing the same certificate, a bad actor could potentially obtain that CA file and perform “man-in-the-middle” (MITM) attacks on untrusted networks like public WiFi, set up authentic-looking phishing pages, or sign software that makes people vulnerable to other malicious code as they browse the internet. In this case, the certificate used by the Superfish software is relatively easy to extract. Although we are not aware of anyone abusing this certificate in the wild, it's a real risk and would be hard to detect.

Detecting MITM

In 2012, we started a project with researchers from Carnegie Mellon University to measure how prevalent SSL MITM was in the wild (https://www.linshunghuang.com/papers/mitm.pdf). At the time, one example we observed was that certain deep packet inspection (DPI) devices were using the same private key across devices, which can be exploited by an attacker with the capacity to extract the key from any single device (Tor report: https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372). Superfish is similar in that it uses the same private key across all clients, but it's more dangerous because its root certificate is installed on significantly more clients than those behind the vulnerable DPI devices.
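The shared-key problem described above can be spotted in client-side certificate reports: a root key that signs forged certificates on many different machines is a single point of failure. The sketch below is an added example, not code from Facebook or the cited study; it assumes clients report the certificate chain they actually received, and every name and fingerprint in it is constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Observation(NamedTuple):
    client_id: str    # reporting client (hypothetical identifier)
    leaf_fp: str      # fingerprint of the certificate the client received
    issuer_cn: str    # issuer name on that certificate
    root_key_fp: str  # fingerprint of the public key at the top of the chain


# Constructed values: fingerprints of the certificates the site really serves.
LEGIT_LEAF_FPS = {"leaf-site-a", "leaf-site-b"}

# Constructed reports; none of these values comes from a real certificate.
SAMPLE = [
    Observation("c1", "leaf-site-a", "Example Public CA", "key-public"),
    Observation("c2", "leaf-forged-1", "Interceptor A", "key-shared"),
    Observation("c2", "leaf-forged-2", "Interceptor A", "key-shared"),  # repeat client
    Observation("c3", "leaf-forged-3", "Interceptor A", "key-shared"),
    Observation("c4", "leaf-forged-4", "Interceptor A", "key-shared"),
    Observation("c5", "leaf-forged-5", "Per-install Proxy", "key-unique-5"),
    Observation("c6", "leaf-forged-6", "Per-install Proxy", "key-unique-6"),
]


def forged(observations, legit_leaf_fps):
    """Observations whose certificate is not one the site actually serves."""
    return [o for o in observations if o.leaf_fp not in legit_leaf_fps]


def shared_key_roots(observations, legit_leaf_fps, min_clients=3):
    """Map each forging root key seen on >= min_clients distinct clients
    to its issuer names and client count."""
    clients, issuers = defaultdict(set), defaultdict(set)
    for o in forged(observations, legit_leaf_fps):
        clients[o.root_key_fp].add(o.client_id)  # a set: repeat reports count once
        issuers[o.root_key_fp].add(o.issuer_cn)
    return {
        key: {"issuers": sorted(issuers[key]), "clients": len(ids)}
        for key, ids in clients.items()
        if len(ids) >= min_clients
    }


if __name__ == "__main__":
    print(len(forged(SAMPLE, LEGIT_LEAF_FPS)), "forged reports")
    print(shared_key_roots(SAMPLE, LEGIT_LEAF_FPS))
```

Interceptors that generate a unique key per installation still show up as forged, but each of their keys appears on only one client, so they fall below the threshold.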

With Superfish, we found that the affected OS platforms were limited to Windows—likely because the SSL interception library is platform-specific. Roughly 70% of infected people we researched were using Chrome, 27% were using Internet Explorer, and 3% were using Opera. Interestingly, we observed only a tiny percentage of infected people on Firefox. Firefox uses its own NSS root store for SSL certificate verification, which is separate from the operating system's root store used by IE and Chrome. It's possible that the software was inconsistent in injecting its root into the NSS root store, but we're still investigating.
