[cabfpub] Lenovo installation of malicious root.

Bruce Morton bruce.morton at entrust.com
Mon Feb 23 18:41:50 UTC 2015


Have we just come across an issue with operating systems/browsers and private roots?

I suppose an attacker can install proxy software with their private root and examine all secured traffic. We don't need Lenovo to install this software; this could easily be done by any corner-store computer shop.

Should private roots get the same trust indication as public trust roots?

Public key pinning didn't even catch this issue as the private root seems to be trusted more than the public trust roots are.

Thanks, Bruce.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Phillip Hallam-Baker
Sent: Thursday, February 19, 2015 1:53 PM
To: CABFPub
Subject: [cabfpub] Lenovo installation of malicious root.

I am sure many of you have seen this. If not, you will; I have had a dozen people ping me about it in the past hour.

https://www.eff.org/deeplinks/2015/02/further-evidence-lenovo-breaking-https-security-its-laptops


Someone has to draw the line here or the politicians will do it for us.