Dell installs self-signed root certificate on laptops, endangering users' privacy

PC World ^ | 11/23/15 | Lucian Constantin

[markomalley]

Dell laptops are coming preloaded with a self-signed root digital certificate that lets attackers spy on traffic to any secure website.

The reports first surfaced on Reddit and were soon confirmed by other users and security experts on Twitter and blogs. The root certificate, which has the power of a certificate authority on the laptops it's installed on, comes bundled with its corresponding private key, making the situation worse.

With the private key, which is now available online, anyone can generate a certificate for any website that will be trusted by browsers such as Internet Explorer and Google Chrome that use the Windows certificate store on affected laptops. Security experts have already generated proof-of-concept certificates for *.google.com and bankofamerica.com.

The certificate, which is called eDellRoot, was added to Dell consumer and commercial devices starting in August with the intention of providing better customer support, Dell said in an emailed statement: "When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service."

[Gene Eric]

Yup, good hardware. And a data center won’t get metal with pre-installed OSs.

[Stentor]

My two year old dell 1500 series laptop does not have the cert

Inspiron 5558. There it sits in the console like a turd in the punch bowl.

[Qiviut]

I bought a Dell fall a year ago with Windows 8.1. Now, I have the option of converting to Win 10 at no expense & had signed up to do it, but then started reading about all the privacy issues. I use Classic Shell to make Win 8.1 look like 7 (which is what my old laptop was on before it crashed) & I've gotten used to it. I decided I wasn't going to 10 & cancelled out. Evidently, you can disable a lot of the Win 10 features that affect privacy, but it's not an easy thing to do and not all in one place. Here's the article that changed my mind about going to 10:

Everything You Need to Disable in Windows 10

[TChad]

Thanks for that link. Good article.

[dayglored]

Dell security error widens as researchers dig deeper (Earlier problem is worse than was thought)

Duo Security researchers found a second weak digital certificate on a new Dell Inspiron laptop

The fallout from a serious security mistake made by Dell is widening, as security experts find more issues of concern.

Followup thread on the expanded problem:

http://www.freerepublic.com/focus/chat/3364271/posts

[grey_whiskers]

That's Obama-level stupid.

[dayglored]

> That's Obama-level stupid.

Yeah, but give the man credit for effort -- it takes a lot of hard work to consistently be that stupid.

[maine-iac7]

fl

[Fresh Wind]

Dude, you’re getting a cell!

http://www.cnn.com/2003/LAW/02/10/dell.dude.arrest/

[ImNotLying]

bfl

[ShadowAce]

[TomGuy]

FYI

Majorgeeks.com has an eDellRoot Certificate Fix, apparently released by Dell:

http://www.majorgeeks.com/files/details/edellroot_certificate_fix.html