
Man in the Middle Attacks & Superfish - Computerphile

9344 ratings | 527915 views
Lenovo sold thousands of computers all carrying the Superfish software. Tom Scott explains what a security nightmare this became.
More Tom Scott: http://www.youtube.com/enyay http://www.twitter.com/tomscott
CORRECTION: At 2min 46secs Tom says "Private Key" when he means "Public Key" - the private key is not shared.
Chip & PIN Fraud: https://youtu.be/Ks0SOn8hjG8
Could We Ban Encryption?: https://youtu.be/ShUyfk4QB-8
How Blurs & Filters work: https://youtu.be/C_zFhWdM4ic
Numberphile: Encryption & Huge Numbers: https://youtu.be/M7kEpw1tn50
Public Key Cryptography: https://youtu.be/GSIDS_lvRv4
http://www.facebook.com/computerphile https://twitter.com/computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: http://bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com
Text Comments (566)
Nexus Clarum (3 days ago)
I'm gonna arp your rooter if you say router like rooter one more time!
Ash Draven (12 days ago)
Tom's face when he asks 'how do I draw a certificate authority?'
Michal Štein (16 days ago)
yeet let's encrypt is here
Dmitry Granicin (20 days ago)
Hey. Pst. Dell Blackfish.
letsgetverydrunk (22 days ago)
Chernobble?
Ahmad Atlam (29 days ago)
You know what's also rather strange? Google not noticing a massive amount of multi-user traffic coming from a single attacker IP... Usually there is a fair usage policy where this kind of activity (an entire DNS provider had to fall as well, I presume) from a single/small number of IP addresses should definitely raise a flag.
granskare (1 month ago)
I was a support person for NSA while in Turkey, and I believe NSA is ok. NSA does current collecting and only looks at suspect addys.
Look into the makers of "Superfish." "Former" IDF intelligence corps programmer. This looks like an intel op under the guise of "targeted advertising" to me. Targeted ads were the required "plausible deniability." Also the Superfish company Komodia doubled as a "parental monitoring/parental control" company. I'm getting ready to do a video on it. There are connections to intel contractors etc. Think about how Superfish may be combined with other seemingly local vulnerabilities to remotely root servers. Anyhow I don't buy the targeted advertising part. Just part of a coverup for what I like to call incremental backdoors.
Widg3t's Widgets (1 month ago)
What's a rooter?
Jessica Bray (1 month ago)
I feel like this was just a casual computer nerd conversation that they just decided to film.
J.J. Shank (1 month ago)
"rooter"
The LOL Minecrafter (2 months ago)
There was so much potential at 4:46 to fix the drawing by attaching a circle to the end of the factory and making it look like a giant key.
Marcus Grant (2 months ago)
Wasn't one of the Snowden leaks that NSA does and can spoof certificate authority for SSL?
ChrisMcFlyDude (2 months ago)
Great explanation to a complex topic. Thanks.
Jasper Mooren (2 months ago)
I don't quite understand. The whole point of signing a message with a key is so that you know that that person has to be the one who sent it, right? Or at least someone who has that private key. You check with their public key if they used their private key, without actually having their private key. Why do you need an authority for that? You can just have a library of public keys, right? That library can be widely distributed to ensure the validity of the library. I don't see the problem here.
George Bateman (2 months ago)
Just googling "total number of websites" answers that. The first result tells me there are >1.5 billion, so you're looking at installing a library of several GiB on every PC, and keeping it updated continuously. It just doesn't sound feasible! If you download the keys from a web service automatically as needed, then that service ends up sounding like an authority, just in slightly different form. Rather than distributing a big library, there is the idea of a "web of trust", whereby anyone can sign any other person's key having verified their identity manually, but it sounds like it would be challenging to evolve that to the point it improves upon the existing CA system.
Mr. Fahrenheit (2 months ago)
2:10 Jean Ralphio
dian pratama (2 months ago)
out of luck
Jasmine (2 months ago)
Why is the server British? 3:20
Naiver Miigon (2 months ago)
Hello! I am the router!
Palundrium (2 months ago)
It's cool looking back at this video and seeing him comment on a free certificate authority being in the works and today... We have that with Let's Encrypt!
Gilad Baruchian (2 months ago)
Wow that was explained so well, and the story was super interesting Like+Subscribe Get us more videos like this :)
John Manoochehri (3 months ago)
This channel is pure class. Thanks.
Saznaj Sve (3 months ago)
Tom in the Middle hahah
linkers (3 months ago)
"then they do maths to them"
Vincent Cleaver (3 months ago)
I am fascinated by the 'IBM' paper with the holes which you guys use. Not the American 11 by 17 or whatever, of course
Peter Marshall (3 months ago)
Ssl for free gives you free ssl certificates that last for 3 months
Top Secret (3 months ago)
What if you could reverse engineer a private key? That would be absolutely disastrous.
Khaithang Haokip (3 months ago)
I like how Computerphile promotes Duckduckgo implicitly.
Tyler Fields (3 months ago)
Why do you have to use markers for most of your videos? I literally can't listen to the video because of sensitivity to that damn sound. :(
Andrew Turton (4 months ago)
Shoe size …. lol …. I know little things amuse little minds ….
omega (4 months ago)
the. rooter and me: a guide to wiredriving in Britain
TheCreeperTrack (4 months ago)
Isn't that what happened to Github when they got DDOSed?
Keaton Lee (4 months ago)
0:59 "Basically the network is built on trust. And so the computers just kind of believe it." Hm . . . *WELL THAT'S GREAT!!*
Reece Orton (5 months ago)
6:17 who else noticed the joke?
Lee Fraser (5 months ago)
I'm a little bit scared to say, I've heard something about a TPM backdoor built in? Sorry for caps. Also, a mem leak with the CPU can be read?
Dustin Harman (5 months ago)
Great video, not only the step by step explanation but I really appreciate how "little" emphasis you showed to the particular incident. This is a HUGE issue overall and applies to far more than just Superfish installed on a single machine, not just because xyz company wants to see what you are doing, but because someone ELSE can use it for FAR more malicious purposes.
Zachary White (5 months ago)
MORE TOM SCOTT PLS
TuckyIsAwesome (6 months ago)
SuperFish is SuperFishy
Ankdoeslego (6 months ago)
Isn't it great that we can all get free SSL certificates.
Aristo Suhandi (6 months ago)
This man talks to the point. Thanks a lot, man.
Thedude 21 (6 months ago)
It's the "two drums and a cymbal fall off a cliff" guy
AKFAN FORTYSEVEN (6 months ago)
Public and Private Key Encryption..... Because...maths.
Student Five Creates (6 months ago)
My school district requires every student to install their root authority on their device to get on school WiFi.
Jaroslav Reisinger (6 months ago)
Please buy more Lenovo and cheap stuff. Please
Tomas ArVu (6 months ago)
6:17 Email, Password, Shoe size I wonder what are they trying to know ( ͡° ͜ʖ ͡°)
Greenball Science (7 months ago)
Let's encrypt is free
Daniel Ardelean (7 months ago)
Can someone explain the Xmas Tree attack? Which is related to port scanning and router bugging?
Tom Lake Charles (7 months ago)
I’m starting with the man in the middle, I’m asking him to stop stealing my passwords!
Stephen Hunter (7 months ago)
Superfish wasn't just on computers at one stage it was also on websites.
Knno1 (7 months ago)
DuckDuckGo lol Someone's hiding something ;)
itsZinZin W (8 months ago)
2:25 this needs to be a meme or a gif
Shay. W. (8 months ago)
Whoever made the thumbnail is a digital art Leonardo Da Vinci
iLinked (8 months ago)
why-fie
Victor Varsanyi (8 months ago)
I've noticed some ISPs add adverts to traffic also, is that different than the Lenovo superfish malware nightmare? How secure are firewall caches?
Savit Gupta (9 months ago)
What happens to devices that are too old and didn't come with the public keys for the certificate authorities?
mspenrice (9 months ago)
Just goes to show... never underestimate the utterly desperate things greedy people will do to make a quick and easy buck. Also, would this affect _just_ their laptops, or their phones and tablets as well? I've got a Yoga Tab sitting around here somewhere, largely unused, but might as well secure it...
Rawr Bear Media (9 months ago)
Just watched this with my Lenovo laptop sitting next to me.. Which I bought in 2014... Luckily now running Linux but still, that's insane
Pryce Newberg (9 months ago)
I actually heard about this in 2016. Why am I watching this? Also, this is why I won't ever buy a Lenovo laptop, call me paranoid...
Mateus Figueiredo (9 months ago)
Are Lenovo and Superfish the same thing?
Przemek (9 months ago)
But this threat is the case only in open Wi-Fi network, isn't it? When I'm at home and I'm connecting my own private, secured by password Wi-Fi connection nothing bad can happen, can it?
Dl. Buli (10 months ago)
That sound the marker makes on that sheet of paper gets my hairs on end !!!! Darn !!!
berke erayabakan (10 months ago)
So simply the company who provides that security authority, or whatever it's called, is the man in the middle. #YIKES
StarParty, Anime Slayer (11 months ago)
"Do maths to them"
Gplor (11 months ago)
What if a middle man were middle-manned by another middle man?
Beo Wulf (11 months ago)
aaaaaaaaand ssl strip came out 🌚
Cameron H (11 months ago)
But superfish is just a company for swimming at
NeilIsBored (11 months ago)
Superfish sounds like a new IP for the GameCube.
Weasle 65 (11 months ago)
"they do maths to them." Real specific, Tom
Meme Maker 9000 (11 months ago)
"All servers look like computers from the 1990s" mine looks like a potato...
Eric Paul Goldie (1 year ago)
Everyone should check their web browser certificates on a regular basis. Remove any certificates that have expired.
Jānis Šteninbergs (1 year ago)
Let's Encrypt provides free renewable 3 month SSL keys.
1K Productions (1 year ago)
But what prevents the attacker from just getting the certificate authority keys from their own device? This doesn't make sense to me.
awsomeabacus (1 year ago)
7:54 Does "sign keys" mean "issue certificates"?
DiabloMinero (1 year ago)
Another issue: What if the attacker sitting on your network tells your computer that google prefers http over https, encrypts your packets, and forwards them to google?
Kento Nishi (1 year ago)
"Simplifying massively here"
John Runyon (1 year ago)
It's very sad that this all could've been avoided if they had just generated a CA on first boot.
John Runyon (1 year ago)
ARP spoofing still works just fine on a sadly large number of devices. Quite useful when you need to sniff the network traffic from a closed device and you have a crappy consumer router.
So happy now that we can get free certificates from Let's Encrypt. The internet will soon become a more secure place
Theo N (1 year ago)
the video has 384,384 views right now
Whirvis (1 year ago)
The *_ROOTER_*
Donald Sayers (1 year ago)
How do you check who signed the certificate on Chrome?
BRIQ HAUS LTD. (1 year ago)
Great work, you guys go into more depth than the average tutorials and the information is strong.
Hermes-on-hardware (1 year ago)
4:22 The CA does not generate a set of public and private keys for you. You do that yourself. As they pointed out in the annotation at 2:48, you NEVER share your private key. What you do is create a `Certificate Signing Request (CSR)`, which basically contains your public key, the website's URL and a few other insignificant details. So no fax machines needed :( It is still a good video and a starting point, because OpenSSL is one big and complicated system
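The CSR workflow the comment above describes, as an added example with the openssl CLI (not code from the video or any commenter). The server generates its own key pair and hands the CA only a CSR carrying the public key and subject; the CA returns a signed certificate, so the server's private key never leaves the server. It assumes `openssl` is on PATH; every name and subject below is constructed for the demo.

```shell
#!/bin/sh
# Added example: minimal CA / CSR round trip with openssl.
# All subjects and file names are constructed; nothing here is a real CA.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME PREFIX: self-signed root CA; its private key stays with the CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# make_csr HOSTNAME: server key pair plus a CSR holding only the public key.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# sign_csr PREFIX: the CA signs the CSR; server.key is not an input here.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 90 \
        -out "$WORK/server.crt" 2>/dev/null
}

# verify_chain PREFIX: exit 0 if server.crt chains to that root, else 1.
# A certificate signed by some other root (a Superfish-style interception
# root, for instance) only verifies if that root is in the store given to
# -CAfile, which is exactly why a rogue root in the trust store is the danger.
verify_chain() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# cert_issuer: prints who signed server.crt, the field a user checks in the
# browser's certificate viewer to see whether the expected CA signed it.
cert_issuer() {
    openssl x509 -in "$WORK/server.crt" -noout -issuer
}

# Demo run: one root, one server, signed and inspected.
make_ca "Good Root CA (constructed)" good
make_csr www.example.test
sign_csr good
cert_issuer
```

Pointing `verify_chain` at a second, unrelated root shows the same certificate failing verification: trust follows whichever roots the verifier has been given, which is the whole problem when a vendor ships an extra one.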
Renato Kobashigawa (1 year ago)
I think this is happening to The Pirate Bay.
Preetty Goood (1 year ago)
I've been using the same lenovo laptop since 2012! How come no one told me about this?
ini the man (1 year ago)
I have a lenovo laptop but I'm okay because I always do a fresh install of any operating system and then get the drivers I need.
Kul Ousemnes (1 year ago)
The padlock should be in the opened position when you drew it, if we use that analogy :))
Mike Seal (1 year ago)
Certainly more than 1 million
Christopher Monahan (1 year ago)
Funnily enough, Superfish is also the name of a JavaScript library we use at my current work, as well as the chippy down the road.
Ian Macdonald (1 year ago)
It's actually worse than that. SSL is near to useless on any site that carries third party advertising. The advertiser doesn't need Superfish; they can run JavaScript in your browser that logs your keystrokes or scans for password fields. The advertising is served via a different certificate than the one covering the site you visit, yet there is no mention of this in the browser's SSL info. It is as if the connection from your browser to the advertiser doesn't exist. Yet, using a wiretrace you can see that it does. Not a lot of end users know that.
Magnus Juul (1 year ago)
I don't even know why anyone trusts NSA after the incident with Edward Snowden
R. pizzamonkey (1 year ago)
I'm starting with the man in the middle (oh yeah)
homo weirdus (1 year ago)
They probably lost more money in lawsuits and negative PR than they made from Superfish. Ironic, isn't it?
avichal chadha (1 year ago)
Tom Scott is an amazing teacher, perhaps the best teacher in Computerphile
Chris MCMLXXXII (1 year ago)
Did anyone think the end was like a Creepy Pasta?
Chris MCMLXXXII (1 year ago)
Man in the middle attack. How do you beat a chess Grandmaster? Play 2 Grandmasters and use his moves against the other.
clyax113 (1 year ago)
"Superfish." ... "Superphish" did no one else notice that? That's like calling your company "Knot Evil."
Rock & Rollin' Nolan (1 year ago)
The thumbnail made me think this was going to be about "Tom in the Middle of Toms" attacks so I was disappointed.
Xander Petty (1 year ago)
I like the DuckDuckGo plug you slipped in there.
Garfield Vikernes (1 year ago)
Is it just me or does Tom's face seem the most comfortable thing to touch?