The Dell Lesson on Trust Scope

30Nov15

Dell has been in trouble for the last few days for shipping a self-signed CA ‘eDellRoot’[1] in the trusted root store on their Windows laptops. From a public relations perspective they’ve done the right thing by saying sorry and providing a fix.

This post isn’t going to pick apart the rights and wrongs – that’s being done to death elsewhere. What I want to do instead is examine what this means from the perspective of trust boundaries.

Fine On Your Own Turf

It’s completely acceptable to use private CAs (which might be self-signed) within a constrained security scope. This is regular practice within many enterprises. Things can get a little underhand if those CAs are being used to break TLS at corporate proxies, but usually there’s a reason for this (e.g. ‘data leakage prevention’) and it’s flagged up front as part of employee contracts etc.

Where Dell went wrong here was doing something that had a limited scope in their own minds (‘it’s just to help support our customers’) but global scope in implementation[2].

Who Says?

When a company adds a CA certificate to its corporate desktop image, not only is the scope limited to users within that company, but the decision-making process and engineering to put it there fall onto a relatively small number of people. That small group will be able to reason about which certificates to add in (and maybe also which to pull out).

It’s completely opaque who at Dell (or Lenovo etc.) got to make the call on adding in their CA to their OEM build, but I’m guessing that this wasn’t a decision that got run by a central security team (otherwise I expect this would never have happened).

The Lesson

Something that can impact many people (perhaps even a global population) should not be subject to the whims of individual product managers. Mechanisms need to be set up to identify security/privacy sensitive areas, and provide governance over changes to them.

Notes

[1] It now seems that there’s also a second certificate, ‘DSDTestProvider’.
[2] That mistake was further compounded by making the private key available, which thus amounted to a compromise toolkit for anybody to stage man-in-the-middle attacks against Dell customers, a pattern seen previously with Lenovo’s Superfish adventure. Dell’s motivations may have been purer, but the outcome was the same.
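The two conditions the post describes (an unexpected trust anchor in the Windows root store, and a trust anchor whose private key is present on the machine) are both visible from PowerShell. The audit below is an added example for this page, not Dell’s fix and not code from the original post. It assumes an elevated Windows PowerShell session; the two subject names are the ones the post mentions, and `$KnownGoodThumbprints` is a hypothetical placeholder to be filled from your own golden-image baseline, not a real list.

```powershell
# Added example: audit the Windows root stores for trust anchors that
# (a) carry a locally accessible private key, (b) match the names the post
# identifies, or (c) are absent from a known-good baseline.
# Assumes: Windows, elevated PowerShell. The baseline list is a placeholder.

$SuspectNames = @('eDellRoot', 'DSDTestProvider')   # names taken from the post
$KnownGoodThumbprints = @()                          # PLACEHOLDER: populate from your baseline

function Get-SuspectRootCerts {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $cert    = $_
            $reasons = @()

            # (a) A root CA with its private key on the box lets anyone with access
            #     to that key mint certificates the machine already trusts.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present alongside root certificate'
            }

            # (b) Subject names named in the post.
            foreach ($name in $SuspectNames) {
                if ($cert.Subject -match [regex]::Escape($name)) {
                    $reasons += "subject matches '$name'"
                }
            }

            # (c) Drift from the baseline; only meaningful once the list is populated.
            if ($KnownGoodThumbprints.Count -gt 0 -and
                $KnownGoodThumbprints -notcontains $cert.Thumbprint) {
                $reasons += 'thumbprint not in baseline'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: list anything that trips a check; an empty table means nothing matched.
Get-SuspectRootCerts | Format-Table -AutoSize
```

Check (a) is the one worth scheduling on a fleet: every root certificate is self-signed by definition, so `Subject -eq Issuer` tells you nothing, but a root whose private key is importable on the endpoint is exactly the "compromise toolkit" situation note [2] describes, whatever the certificate is called. Re-running the audit after applying a vendor's removal tool confirms that the certificate really left both the machine and user stores.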

 


