Posted on 11/23/2015 6:44:59 PM PST by markomalley
Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website.
The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it's installed on, comes bundled with its corresponding private key, making the situation worse.
With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.
The certificate, which is called eDellRoot, was added to Dell consumer and commercial devices starting in August with the intention of providing better customer support, Dell said in an emailed statement: "When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service."
(Excerpt) Read more at pcworld.com ...
For example, see this from CNET back in 2012: What's behind the NY bills to ban anonymous online comments. Or, from 2013, Illinois Politician Seeks To Outlaw Anonymous Comments. Or this from Slate in 2014. Or this ditty from Psychology Today in 2015.
So much for me buying a new Dell laptop.
Lenovo also got caught putting nasty stuff on their computers and they’re paying the price; no one wants the stuff.
“Dude! You’re gettin’ a Smell!”
This had better be true.
Eh, they'll just do another "oops!" if it isn't, at least not until after Black Friday at best, or the New Year at worst.
That is, until after the major selling season...
I just bought one with Windows 10. Having a tough time keeping the Windows spyware off.
Ping!
Dude, you're an idiot!
Thank you for the ping!!
This doesn’t exactly make sense. A cert isn’t trusted unless your system recognizes it as signed by a known certificate authority. Do they mean that Dell accidentally “leaked” a CA cert, and put the cert and the private key on every system? Or is it cert+key signed by a known CA (and therefore not “self-signed”) which is flagged to be able to sign other keys and thus create trusted certs?
A trusted Cert is whatever is authenticated by a “known good” certificate in the browser’s root certificate list. If you add your own root certificate to that list then the browser will accept as authentic any certificate “signed” by that root.
Thus, anyone with enough control of the computer (including any hacker's Trojan, etc.) could use that trusted CA cert to make and sign a cert for any other entity, and the computer would likewise completely trust -it-.
The resulting utter breach of security and privacy should be obvious.
ShadowAce: for your ping list, if you wish.
I’ve been done with Dell for awhile anyway.
Don’t tell Bambi!!!
He’ll sign an XO making them mandatory!!!
I have a Dell monitor, and I guess that’s how far I’ll be going with them.
My two-year-old Dell 1500 series laptop does not have the cert.
I run a farm that includes many Dell servers, but they're all at least a year old, and besides I put Linux on 'em. Good hardware, I must say that.
But pre-installing a self-signed root cert on a consumer machine? That's not even a "rookie" error. That's just "too stupid to be let outdoors".
Like someone else said, "That's so out-of-this-world stupid, it doesn't even rise to the level of 'wrong'!"