Skip to content
Naked Security Naked Security

Lenovo “Superfish” controversy – what you need to know

Controversy of the week is "Superfish," an adware program pre-installed on Lenovo computers that has some worrying security problems. Here's what you need to know, in plain English...

Looking for advice on how to remove Superfish? See our instructions here: How to get rid of the Lenovo “Superfish” adware.

The controversy of the week is Superfish, which is the name of a marketing company that, amongst other things, produces software called Visual Discovery.

As far as we can tell, Superfish’s claim to fame is “visual search.”

That seems to involve analysing images that come your way, matching them against a giant database of images in the cloud, and putting in front of you a bunch of similar images.

For example, if you’re looking at an ad for a chest of drawers, Superfish, going by the example on its own website, can help you find a matching sideboard (credenza).

You may be able to guess where this is going.

If you install the Superfish software to monitor which websites you visit, and what’s in them, it can keep its eye out for related sites, all based on images instead of relying on old-fashioned keywords.

So, instead of selling clicks to potential advertisers based on the words you read, Superfish can sell clicks based on the images you see.

That sounds OK, assuming that you are aware that Visual Discovery was installed onto your computer, and assuming that the software keeps track of your browsing in a way that doesn’t put your online privacy and security at risk.

The Lenovo situation

Unfortunately, for many users of Lenovo computers, that wasn’t the case.

From October 2014 to December 2014, Lenovo shipped Superfish on a number of its consumer notebooks…

…and it turns out that the software does indeed represent a security risk.

That’s because Visual Discovery doesn’t just work inside your browser to see what you are looking at.

The product includes what’s known as a proxy: in other words, a component that intercepts network traffic outside your browser so it can keep track of what you are up to.

Visual Discovery is implemented as what’s called an LSP (Layered Service Provider) or a WFP (Windows Filtering Platform) filter, and plugs into the part of the operating system that deals with network traffic.

Pros and cons of filters

LSPs and WFPs aren’t inherently evil: in fact, many security products, including Sophos Anti-Virus, use filters as a way to watch out for the websites you’re visiting.

That means they can warn or block you if you try to go somewhere that is known to be dangerous, such as a website infected with malware.

The advantage of a filter over a browser plugin is that a filter’s processing applies to all software that connects through it, so you don’t need a separate plugin for every browser.

In theory, that means better coverage with less to go wrong.

The disadvantage of an filter is that it sees the content of network before it reaches your browser, so HTTPS (secure) web pages appear as a stream of encrypted data.

A browser plugin, however, sees the content after it has been unscrambled by the browser for display.

The Superfish approach

Instead of treating your HTTPS traffic as sacrosanct, and leaving it alone so it remains end-to-end encrypted all the way from the server to your browser, Superfish uses keybridging, also known as Man in The Middle, or MiTM.

The Superfish MiTM works pretty much as the name suggests.

When your browser connects to, say,, the connection is handled directly by Visual Discovery.

Your encrypted connection actually terminates inside Superfish’s filter.

The filter then connects onwards to and grabs the content on your behalf (that’s why this sort of software is called a “proxy”), using an HTTPS connection of its own.

Of course, that means the HTTPS replies from actually terminate inside the filter, too, so your traffic is unencrypted, both outbound and inbound, with the result that Superfish can read it.

Ironically, if the filter were to pass the now-already-unencrypted data on to your browser, your browser wouldn’t know what to do with it: you originally made an HTTPS connection, so your browser is expecting an encrypted stream.

To solve this problem, the filter re-encrypts the data, and passes it back to you. (This process involves decrypting with one key and re-encrypting with another, which is where the name keybridging comes from.)

Your browser thinks it made an end-to-end encrypted connection, and in a sense it did, except that the other end of the connection was not the server – it was the Superfish filter on your own computer.

The certificate problem

At this point, you’re probably thinking, “But wouldn’t that sort of interception be obvious? Surely I’d see a warning?”

In theory, that’s exactly what ought to happen.

HTTPS traffic is signed by a digital certificate that identifies the company that owns the website you’re connecting to, and that certificate is signed, or vouched for, by a Certificate Authority, whose identity is pre-programmed into your browser as a “trusted advisor.”

For example, when you visit Naked Security (this is using Firefox on OS X 10.10), you see something like this:

Naked Security’s certificate is owned by Sophos; Sophos’s right to represent itself as Naked Security is vouched for by GlobalSign; and GlobalSign’s right to vouch for Sophos is vouched for by Firefox.

If you visit a site where the chain of trust in the certificate is not in good order, for example because you have been forced through a MiTM imposter, you’ll usually see a warning notice, perhaps like this:

The Superfish solution

If you browse to Naked Security on a Windows computer with Superfish Visual Discovery installed, you don’t get a warning.

That probably makes you think that you have trustworthy end-to-end encryption with our site:

But if you click on the HTTPS padlock to dig into the certificate details (this is using IE 11 on Windows 8.1) will you see something very unusual:

As we saw above, Sophos’s official Naked Security certificate is signed by GlobalSign, by explicit arrangement between the two companies.

So, who authorised Superfish to sign for Sophos as well?

Why didn’t a warning pop up?

The answer is that, at install time, the Superfish software vouches for itself to Windows by setting itself up as a trusted Certificate Authority.

Now it can create fake certificates for any site it likes, at any time, and then unilaterally sign those certificates to make them trusted, too:

So all your traffic to and from Naked Security, or, or your bank, passes through Superfish’s MiTM layer, where it is temporarily decrypted and re-encrypted.

Granted, that content ends up decrypted inside your browser anyway, but having it unscrambled in more places than is strictly necessary is a needless risk.

And, of course, you have to trust Superfish not to do anything untoward with that decrypted data, either by accident or design.

On those grounds alone, we recommend that you uninstall the Superfish software if you find it on your computer:

Lenovo obviously agrees, because it has stopped using Superfish, promised never to pre-install it again, and published its own removal instructions.

It gets worse

As you’ve probably already realised, for Superfish to present the fake Naked Security certificate you see above, it had to generate and sign that certificate automatically, in real time, when you first tried to visit our site.

(There’s obviously no way that Superfish could predict all the sites you might use, so it can’t have ready-made fake certificates installed in advance.)

In cryptographic terms, the software needs to carry around a copy of the Superfish private signing key, even though private keys are supposed to be kept private and secure.

And it does, as you will find if you dig around in the memory of the running Superfish software:

Fortunately, the private key is itself encrypted, or password protected.

Otherwise, any crook who dumped a copy of it would immediately be able to use it to sign his own fake certificates.

These would automatically be trusted on your computer, because Superfish registered itself with Windows as a Trusted Root Certification Authority.

Cracking the key

Sadly, for Superfish to use that private key itself in real time, the password needs to be stored somewhere.

And it is: it’s buried in the Visual Discovery software.

In fact, it’s the name of the company from which Superfish licensed the MiTM software module, all in lower case:

The text of the password appears unencrypted in memory when Visual Discovery is running, which is how various SSL security researchers recovered and verified it.

→ When you try to crack a cryptographic key, you usually start with a list of the most likely passwords, in what’s known as a dictionary attack. You can use a regular dictionary for a collection of everyday words, or a list that is obviously associated with the target you’re trying to crack, such as the in-memory text of the LSP process here.

Note that Superfish’s private key can be used for more than just signing HTTPS certificates.

It can also be used for code signing, which is where you vouch for a program (or even a device driver that runs inside the operating system itself) in the same way that HTTPS certificates vouch for websites.

That means the Superfish certificate could be abused by cybercrooks not only to trick you into trusting a fake website, but also to trick you into trusting any software that you download from it.

The bottom line

Superfish’s software represents a security risk.

You should look to see if it’s installed on your computer and remove it if it is there.

Go to Control Panel | Programs | Programs and Features.

Right click and choose Uninstall to get rid of it.

Then you should delete the Trusted Root Certification Authority certificate that it installed, so that no-one else can abuse it later on.

(For detailed removal advice, please see: How to get rid of the Lenovo “Superfish” adware.)

NB. Sophos products detect this software as a Potentially Unwanted Application (PUA) called SuperFish-A, of type Adware. If it is already installed on a Windows computer, Sophos Anti-Virus can get rid of it.


Aside from useful Superfish content – that’s one of the clearest explanations I’ve read about Certificate Authorities and the https certification process. Thanks.

One question – if implemented as a LSP/WFP in the OS, does that mean superfish/Visual Discovery can capture non-web based traffic, eg. transferring images between PCs on a LAN ?


AFAIK, this sort of network filter is, indeed, a _network_ filter, not just a web traffic filter. So, in theory, it gets a chance to sniff at anything…

However, as I haven’t analysed the entire Superfish filter code, I’m afraid I don’t have a definitive answer for what it does snoop on, over and above HTTP/HTTPS.


So they didn’t even bother to create a new “trusted” root certificate for every install? If they create new SSL certificates for every web site you visit, it should have been trivial to create a root certificate at install time.
That would certainly not address the initial concern of surreptitiously decrypting HTTPS traffic, but at least a crook wouldn’t be able to abuse the fake root certificate.


Indeed. This is a very special interpretation of the word “private,” in which it is used to mean “widely and publicly distributed and known” :-)

It’s a bit like making the key to every room in a hotel the same. It’s good enough…until someone notices.


I have been buying Lenovo professional computers for some months. This makes me wonder if i need to change.


Changing vendors is a big proposition, bigger with company size. Since Lenovo now realizes their error, if your business is larger (so it’s less-than-practical to change), I would get some solid assurances from them.

Specifically, they put this software on your PCs for a reason. As a customer, you deserve to know exactly why they added it. If the reasons seem plausible, AND if the reply didn’t pass through a lawyer first, you might stick with them. If they filtered the reply through a legal team (you should be able to tell by the use of extraneous and useless extra words), it might be time to jump ship, regardless of the cost.

I do not envy you your decision.


It seems this Superfish was only deployed on home-user systems – its unlikely any big supplier would dare pre-load corporate machines with this kind of crapware. Most businesses big enough to have a proper IT team will probably be wiping new machines anyway, and deploying standardised Windows builds with the software properly selected for appropriateness.


Bitdefender apparently does the same thing. At least when I check the lock in Chrome it says the certificate was issued by Bitdefender.

Should I be alarmed?


That’s a question you have to answer for yourself assuming that the Bitdefender installation was your own choice :-)

Presumably, Bitdefender doesn’t use a publicly-available private key, with a widely-known password, on your computer, which mitigates the risk – a crook would have to acquire information about your installation of the product in order to target you. (And the easiest way to do that would probably be via malware, in which case the crook could install his own browser plugin anyway and see your browser data after it’s decrypted.)

My own preference is to avoid having other people look inside my HTTPS sessions, simply because there is less to go wrong. In a corporate setting, of course, that’s not always possible if your web browsing is filtered at an outbound gateway (e.g. the Sophos Web Appliance, or SWA) and your administrators have turned on HTTPS filtering.

(There’s a sort of “middle ground” here for sysadmins, which products like the Sophos Web Appliance support. You can turn off HTTPS decrypt-recrypt for chosen web destinations, such as financial sites, while still looking into HTTPS content for the rest. This means you can create a work environment where unknown HTTPS content still gets scanned, just in case, yet your staff still enjoy end-to-end security and privacy where it matters. Just make sure you explain what you’re doing so no-one gets taken by surprise :-)


I wish the industry would move to client certificate authentication, and away from server certificate only TLS.


Don’t you mean “move to client side *as well as* server side?”

(Insistence on client-to-server authentication without a corresponding server-to-client verification is one thing that made so-called IMSI Catchers or Stingrays for intercepting mobile phone calls rather easy. Set up a fake base station and let the phone prove itself to you in blind faithfulness :-)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!