Science and Tech

Actions

Dell's Security Certificate Debacle Sure Looks Familiar

Dell's pre-installed security certificates leave certain computers vulnerable to man-in-the-middle attacks, just like those Lenovo shipped.
Posted

Dell is now dealing with the same type of certificate troubles that rocked Lenovo earlier this year. (Video via Dell)

Some Dell computers ship with eDellRoot, a pre-installed root certificate that uses the same private cryptographic key each time.

Websites present these certificates to your Web browser as proof they are who they say they are. Each one is signed with a private key, but they're supposed to be different for each certificate.

An attacker who extracts this shared key can use it to impersonate a secure website, like a bank or online shopping destination, in what's known as a man-in-the-middle attack. Your browser will see the supposedly valid key and assume nothing's wrong.

Where Lenovo's certificate served to enable pre-installed adware — its Superfish application — Dell makes a point of saying its certificate is not adware or malware. (Video via Lenovo)

Dell says "it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model."

But otherwise, the two situations are very similar. Like Lenovo's certificate, the bigger trouble isn't what it was designed for but how else it might be used: those man-in-the-middle attacks.

Also like Lenovo, the Dell certificate appears to only be present in a few machines. (Video via Dell)

Dell has acknowledged the problem and will issue automatic updates to remove the certificates from affected systems.

For what that's worth. That it happened in the first place, while Superfish is still fresh in people's minds, is — as Ars Technicaput it — a spectacular failure of security process.

It appears that, much like Lenovo, Dell will now have to win back a measure of user goodwill.

This video includes images from Getty Images, Dalpat Prajapati / CC BY 3.0Olivier Guin / CC BY 3.0 and Anbileru Adaleru / CC BY 3.0.