Saw this tweet in "Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware"; it sums things up so well that I'm pulling it out here:
Adware is malware with a legal team.
— InfoSec Taylor Swift (@SwiftOnSecurity) January 14, 2015
The article points out that software like Superfish, which installs its own CA root certificate so it can intercept HTTPS traffic, is not a Superfish-only problem. This is practically the current "trend" in freeware, including the top two of the top ten downloads:
Two of the top ten downloads on CNET (KMPlayer and YTD) are bundling two different types of HTTPS-hijacking adware, and in our research we found that most other freeware sites are doing the same thing.
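Since the whole trick is a root certificate added to the Windows trust store, the first thing to check on a suspect machine is that store. The script below is an added example, not code from any of the articles linked here: it lists certificates in the machine and user root stores whose subject matches a known adware CA name (only "Superfish" is supported by this page; add others you know of to `$KnownAdwareNames`) or, more generally, any trusted root whose private key is present on the local machine, which is the hallmark of a local HTTPS interceptor since a real public CA never ships its private key. It assumes an elevated PowerShell session on the affected Windows machine.

```powershell
# Added example (not from the linked articles): look for Superfish-style
# interception roots in the Windows certificate stores.
# Assumptions: elevated PowerShell on the affected Windows machine; the
# subject string "Superfish" is the only name this page supports, extend
# $KnownAdwareNames with others you know of.
$KnownAdwareNames = @('Superfish')

$Stores = @('Cert:\LocalMachine\Root',
            'Cert:\LocalMachine\AuthRoot',
            'Cert:\CurrentUser\Root')

foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_
        $reasons = @()

        # 1. Known adware CA, matched on the certificate subject.
        foreach ($name in $KnownAdwareNames) {
            if ($cert.Subject -like "*$name*") {
                $reasons += "subject matches '$name'"
            }
        }

        # 2. A trusted root whose private key lives on this machine.
        #    An interceptor needs the key locally to forge leaf
        #    certificates on the fly; a genuine public CA never does.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present on this machine'
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Store      = $Store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}
```

Anything this reports should be investigated, and a hit on the private-key check is worth more than a name match, because it catches vendors the name list has never heard of. Removing a bad root is `Get-ChildItem "Cert:\LocalMachine\Root\<thumbprint>" | Remove-Item` (with the thumbprint the script printed), but remove the bundled software as well, otherwise it can simply put the certificate back. In Superfish's case the private key for that root was the same on every affected machine, so anyone holding it could impersonate any HTTPS site to those users, which is why a locally present root key is the thing to look for.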
Facebook's "Windows SSL Interception Gone Wild" describes what Facebook itself observed: (the percentage of SSL traffic whose certificate had been replaced by Superfish; China shows none detected, for well-known reasons...)
"Beyond Superfish: Turns out SSL-trashing spyware is widespread" also covers how serious the problem is.
Some even disguise themselves as games: "'Superfish'-style vulnerability found in games and parental control software":
Rogers cites products including parental control software and IP-cloaking technology as containing the weakness, while Richard says Facebook discovered the certificates being issued by a number of adware vendors disguised as games or search assistants.
Actually trying to download KMPlayer from CNET with Google Chrome, I found it gets blocked outright:
Later versions make this even more explicit: "More Protection from Unwanted Software".
Then there is the litigation. In the US, consumers have already filed a class action against Lenovo and Superfish; the eventual damages or settlement can be followed here: "Lenovo hit with lawsuit over Superfish snafu".