Last February, Lenovo shocked its security-conscious customers when it emerged that the company had been shipping PCs with a self-signed root certificate pre-installed. The certificate belonged to Superfish, an advertising company whose software injected ads into web pages, and the same private key sat on every affected machine, where it was quickly extracted. Anyone holding that key could sign certificates those machines trusted, which made it possible for attackers to create "secure" connections to undetectable fake versions of banking sites, corporate intranets, webmail providers, etc.
Now Dell has been caught doing the same thing: shipping PCs with a self-signed root certificate, eDellRoot, installed in the Windows trusted-root store. It's not yet clear whether the certificate is being used to spy on users and inject ads, as Superfish's was, or whether it was installed to accomplish some other goal.
On Twitter, Dell has dismissed its customers' concerns, saying that "it doesn't cause any threat to the system" and recommending that users not remove it.
Dell issued a statement in the past hour saying that its technicians are investigating the reports. Until they and outside experts weigh in, it's too early to say how widespread and severe the problem is. What is clear now is that the eDellRoot certificate was generated six months after the Superfish debacle came to light and that it poses a risk to at least some Dell customers. People who find the certificate installed on their computer should, for now, browse to HTTPS-protected sites only with Firefox: Firefox keeps its own certificate store and ignores the Windows one, whereas Internet Explorer, Edge and Chrome trust whatever roots Windows trusts, eDellRoot included.
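To find out whether a machine is affected, the Windows certificate stores can be queried directly. The script below is an added example, not code from Ars Technica, Boing Boing or Dell: it looks for a certificate whose subject contains "eDellRoot" (the name given above; no thumbprint is assumed), reports which store it sits in, and, more importantly, whether the private key is present on the machine, since a trusted root whose key is on the box is what lets anyone mint certificates for arbitrary sites. It then lists any other certificate already issued by that root. It assumes Windows PowerShell 3 or later running on the machine being checked.

```powershell
# Added example (not from the original post): detect the eDellRoot root
# certificate in the Windows stores and report whether its private key is
# present. Matches on the subject name 'eDellRoot' from the article; no
# thumbprint is assumed. Requires Windows PowerShell 3+.

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
            'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA')

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*eDellRoot*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                # True means the signing key is on this machine, readable by
                # anyone who can get at the key store.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if (-not $found) {
    Write-Output 'eDellRoot was not found in the Root or CA stores for this machine or user.'
    return
}

$found | Format-List

# The real hazard is a trusted root with its private key on the machine: with
# that key, a certificate for any host name can be signed, and every browser
# that uses the Windows store (IE, Edge, Chrome) will accept it as valid.
if ($found | Where-Object HasPrivateKey) {
    Write-Warning 'eDellRoot is installed WITH its private key. Treat HTTPS in Windows-store browsers as untrusted until the certificate is removed.'
}

# Anything already chained to eDellRoot (other than the root itself) is worth
# a look; it shows what the root has been used to sign on this machine.
$rootThumbs = @($found | ForEach-Object { $_.Thumbprint })
Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Issuer -like '*eDellRoot*' -and $rootThumbs -notcontains $_.Thumbprint } |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter
```

Run it from an elevated PowerShell prompt so that the LocalMachine stores are fully readable; the CurrentUser stores are checked as well because a certificate placed there affects that user's browsers just the same. Firefox is not covered by this check because it does not consult the Windows stores at all, which is exactly why it is the safe browser to use in the meantime.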
Affected people should also stay apprised of events and updates in the coming days. If the worst concerns about this root certificate are confirmed, Dell will almost certainly provide a tool to remove the credential soon. More on all of this in the hours or days to come.
Dell does a Superfish, ships PCs with self-signed root certificates
[Dan Goodin/Ars Technica]
(Image: Joe Nord)