I’ve been sitting on this information for some time, waiting to get more research done before I publish a post. But since word has come out about how Lenovo preloads what amounts to very bad spyware on their PCs, I thought I should also just go right ahead to spill the beans on the Mac.
Yes, that’s right. Superfish is bad. The problem with the Mac is only slightly related in that it also involves SSL certificates. It’s also bad, in a different way. I haven’t found out how the situation got to be like this, but I’ll just tell you what is happening.
By now, you should know what SSL is all about. HTTPS, which uses SSL, encrypts your network communication to a server somewhere else on the Internet so that no one can eavesdrop and discover the contents of your communication. You trust that your communication is private, the contents of which is unknown to anyone except yourself and the server you’r communicating with. SSL encrypts the communication and “authenticates” the server.
There is, of course, one more bit to that story. It’s about the Certificate Authority, which certifies the SSL certificates presented by the websites as truly belonging to them. How do you know that the certificate that https://google.com/ presents to you really belongs to Google, and not a fake certificate presented by a random attacker who has managed to intercept your Internet communication? Well, it’s signed by a Certificate Authority, GeoTrust Global CA, in the case of Google. Only the real Google would have such a certificate, because the Certificate Authority will not issue random SSL certificates to anyone else.
Do you see a small problem here? You’ve got to trust the Certificate Authority. The problem with Lenovo’s Superfish is that it installed its own Certificate Authority certificate so that you computer will trust it. (Subsequently, their certificate was also hacked, but that’s another matter altogether.)
Normally, this is all fine, Superfish’s certificate aside. The Certificate Authorities are usually trustworthy. Usually. Except, when you look into the list Certificate Authorities trusted by the Mac. There are the usual big name Certificate Authorities like Verisign, GeoTrust, Symantec and Thawte. But how about these ones:
- Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA
- Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD Root CA 2
- Subject: C=JP, O=Japanese Government, OU=ApplicationCA
- Subject: C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
To be clear, the U.S. government has several more Certification Authority certificates installed in the Mac. The Japanese government has at least one more. China Internet Network Information Center doesn’t sound like the Chinese government themselves, but if you check, they are responsible for Internet affairs under the Ministry of Information Industry of the People’s Republic of China. That sounds like an extension of the Chinese government to me.
But governments are the good people right? Erm, I don’t know. There are people who don’t trust their own government. For example, U.S. citizens may be concerned about their NSA (or FBI) spying activities. They are afraid about the NSA being able to break encryption codes.
Well, it turns out that NSA’s job is a lot easier. There are no codes to break. They just intercept your communication, carry out a man-in-the-middle attack, and what else do they need? You think your HTTPS connection is securely encrypted, but wait, couldn’t the U.S. government generate a brand new fake certificate, give it to the NSA, and then serve that to you? Your web browser won’t raise any alarm bells. The SSL certificate is valid, and it is signed by a Certificate Authority that is trusted by your computer.
So, just to get this straight. Not only does the U.S. government have the privilege of intercepting any of your HTTPS connections and present valid, trusted, SSL certificates to you, the Japanese government and the Chinese government have the same privileges.
Let me make this clearer. Any Certificate Authority can generate fake SSL certificates for any website. It’s not very useful unless they are working together with a network operator to get into a position to easily intercept your communication. Or, if they themselves are also a network operator. Are there Certificate Authorities who are also in the network operator business? Yes, yes, just from a cursory glance at the company names, I can see:
- Subject: C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority
I’ve listed 5 different Certificate Authorities as examples. None of them appear in my Windows PC (Windows 7).
Are these Certificate Authorities, which are found in the Mac, necessary? I highly doubt so. One thing for sure is that it won’t disrupt your web browsing activities, seeing that Windows PCs, without these Certificate Authorities, work just fine. I can appreciate Apple wanting to embed a bunch of their own Certificate Authority certificates (five of them, to be exact), not dissimilar from how Microsoft also embeds their own in Windows PCs.
Sidenote: A Windows 7 PC has 38 Certificate Authority certificates installed. My Mac OS X Yosemite has 217 Certificate Authority certificates installed. (Update: Noted some commenters have said their Windows have a shipload more CA certs.)
However, I cannot understand why Apple has facilitated the embedding of these government-linked Certificate Authorities in Mac OS X.