"We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately."
That's something a lot of companies could learn from. But besides that the whole reason why they did it seems a bit thin, as if it needs a root certificate to get to a device tag.
At first I didn't find a security contact on the Dell webpage. As I'm a journalist and as I investigated this issue to write an article (for Golem.de), the media contact was my logical next point to contact.
Around a week later, without a reply, I saw that HackerOne had a list of security contacts for large companies and found that there was a contact address for Dell there.
It's the 9th link when searching for 'dell security contact', but it is not on 'dell.com' so I can see how you missed that.
There is a dell.com/security page but it lists all kinds of stuff and does not provide a security contact.
Maybe every company should have a /security page with a contact?
Or even a 'security.x.com' website as a first point of contact?
Dell should probably instruct their personnel to forward any and all mail relating to potential security issues to the right department, but at the same time I don't feel that contacting their marketing department counts as the day the issue was properly reported.
"It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers."
Yeah, right. There's no other way to identify the model other than loading a root certificate with the power to certify any site as any domain. They expect people to believe that? Are they incompetent or corrupt?
There is no possible way this is the true reason. Any developer with cursory knowledge regarding the CA trust system would scream with rage if this was given to them.
This oozes management trying to cover up something dirty with enough corporate speak until anyone technical gives up, leaves, or gets fired for attempting to burn the place down.
Hanlon's razor applies here. This shouldn't seem implausible to anyone who has worked in a large company, many of whose employees are mediocre at best, under tight deadlines.
I worked for Dell a few years ago, and this is a complete bullshit response. The service tag takes all of 3 seconds to obtain. The full system specs are revealed once it's entered. At no point is bypassing the customer's security a requirement of getting your service tag.
I'm an ex-Dell Support site web developer. This used to work using Java/ActiveX if memory serves me right. Since browsers have started to downgrade the whole Java experience, it appears that Dell now want you to download an EXE which you then have to install.
I really don't understand why they would need to install a root cert to make requests from a client's machine when you already have installed an EXE on the client's machine (which can basically do anything it wants).
Can anyone think of any genuine reason why an installed executable would need a CA root cert?
I was wondering why they did it... Now I think I'd prefer not knowing. Not only was it a terrible idea, apparently there was nobody to tell the programmer it's a terrible idea, and even QA (if they have it) didn't do their job.
Basically all the way from the idea to release, they had no person who knows what root certificates are.
Sometimes I wonder if this stuff gets added initially because of the need for manufacturing testing. And then some nitwit VP of engineering decides having it installed in production would be super for some deranged reason. And no one can tell him no because the management culture prevents pens from throwing sh*t back upwards.
I had my fair share of being forced by higher management to commit insecure code, obfuscations and encryption security theater despite vehemently protesting. They seriously don't give a single shit. For them it's acceptable risk.
With this root cert anyone could decode SSL traffic between you and a supposed secure web server. These kinds of accidental security blunders seem to be a regular occurrence. Are people that incompetent, or is there a more sinister reason?
Is that true? I may be off base with this, but as I understand it if the encrypted traffic you're trying to crack was encrypted using a certificate chain not descended from this root certificate I wouldn't have thought having this root CA would help.
As I understand it the vulnerability is that anyone who can obtain this root CA from a Dell machine can sign their encrypted traffic to appear to be trusted and secure, even if it's not, to other Dell machines with the same root CA. You can pretend to be someone you're not to those other Dell machines, but it doesn't give you a backdoor into chains of trust that don't descend from the same root CA.
I suppose this might allow you to do a MITM attack, but not decode traffic you've passively snooped. Otherwise this root CA would have just totally compromised all internet security.
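A quick way to check a machine for the condition the comments above describe (a root CA in the trust store whose private key is also present on the box), added here as an example and not taken from the thread or from Dell. It assumes a Windows host and uses only the built-in certificate provider:

```powershell
# Added example (not from the thread or from Dell): list trusted root CAs on
# this Windows host that also carry a private key.
# A root in the Trusted Root store should normally be certificate-only; when the
# private key is present too, anyone who extracts it can issue certificates
# that THIS machine (and any other machine trusting the same root) accepts.
# It does not help decrypt traffic on hosts that do not trust the root.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Path       = "$store\$($_.Thumbprint)"
            }
        }
}

if ($findings) {
    Write-Warning "Root CA certificate(s) with a private key found:"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No root CA with a private key present in the checked stores."
}
```

Any hit should be confirmed against the vendor's own guidance before removal; once confirmed, the `Path` column gives the certificate path to pass to `Remove-Item`.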
Good point. A lot of parallels are being drawn with Superfish, but the Dell issue appears at first look to be just incompetence. Further investigation might finger Dell for more than that, but it's clear that Lenovo/Superfish was intentional subversion of customer privacy and security in full knowledge of exactly what they were doing and what the consequences were for customers.