Dell apologizes for laptop security scare, will remove vulnerability today – The Verge
Dell has been shipping an SSL certificate on a number of its laptops, generating security concerns that hackers could misuse the certificate to spy on web traffic. After being made aware of the problem yesterday, Dell says “we deeply regret that this has happened and are taking steps to address it.” Unlike Lenovo’s Superfish scare, Dell claims its certificate isn’t used for adware.
Software update arriving today to remove the certificate
“It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model,” says a Dell spokesperson. “This certificate is not being used to collect personal customer information.” Dell has posted instructions to permanently remove the certificate from affected systems, and the company will also publish a software update today that will automatically check for the certificate and remove it. The company has not confirmed how many machines are affected, but the Inspiron 5000, XPS 15, and XPS 13 are known to ship with the certificate preinstalled.
Dell’s quick response should be commended, but the company failed to learn from Lenovo’s own mistakes. That’s surprising, especially given that Dell has been using the Superfish scare as a now-ironic marketing trick. “Worried about Superfish?” is a question asked on a number of Dell’s PC pages. “Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.” That security testing clearly needs to be improved.