Superfish Admits to Certificate Installation, Didn’t Realise Security Flaw

The CEO of Superfish, the company behind the software of the same name that has been central to a recent scandal surrounding Lenovo, has admitted to his company intentionally installing the root certificate authority as part of the software, but says that they did not realise the potential consequences.

Speaking to The Next WebSuperfish CEO, Adi Pinhas, said that the software had useful intentions, but that they purposely utilised the root certificate authority to “enable a search from any site.” Superfish’s intent is to scan websites for products for which it can display ads offering users alternatives they may be interested in. This means it could circumvent SSL on sites like Google so it could continue doing what it intended to do – display ads.

Now Pinhas says that the certificate was “not installed without the users opting in”, but he also said that the company did not realise the potentially devastating consequences of utilising such a certificate and that the company didn’t know about the vulnerability until everyone else did. While that’s fine, it does seem a little hard to believe that the software developers who apparently spent four years developing Superfish didn’t realise the insecure nature of the software.

Nevertheless, it’s pretty clear that Superfish isn’t something you want on your computer.

Source: The Next Web