Sunday, November 22, 2015

New Dell computer comes with an eDellRoot trusted root certificate

I recently purchased a Dell Inspiron 5000 series notebook (October 2015).  Setting things up, I was surprised to see a trusted root certificate pre-installed on the machine labeled "eDellRoot".  I'm having a tough time coming up with a good reason that Dell Computer Corporation needs to be a trusted root CA on my computer.

It has me thinking of things similar to the Lenovo mistakes earlier this year with Superfish, which I described at the time on twitter as "Lenovo commits corporate suicide".  With this eDellRoot presence causing curiosity, I posted again on twitter and this has resulted in some queries for more specifics on what I know.

I'll start with the MMC console certificates view of the installed cert.

Observe, the eDellRoot certificate is a trusted root that expires in 2039 and is intended for "All" purposes.  Notice that this is more powerful than the clearly legitimate DigiCert certificate just above it, which spikes more curiosity.

Drill in to see the certificate details and alarm bells start going off. 

"You have a private key that corresponds to this certificate".  This is getting very fishy!  As a user computer, I should NEVER have a private key that corresponds to a root CA.  Only the certificate issuing computer should have a private key and that computer should be ... very well protected!

Certificate details

Serial number starts with "6b c5 7b 95 18 93 aa 97 4b 62" and the keys are marked non-exportable.  Notice that this doesn't mean that the private key isn't accessible; it only means that it isn't exportable.  Anyone possessing the private key, which is on my computer, is capable of minting certificates for any site, for any purpose, and the computer will programmatically and falsely conclude the issued certificate to be valid.

This is the same situation that existed with Superfish and in that case, Lenovo took the tremendously awful step of using the SAME private key on every computer.  Has Dell done the same?  When I get a few minutes, I'll try this technique to dump the private key.

Is it Dell?

Consider, while I do know that this certificate came pre-installed on the computer and I do know that it is named "Dell", I do not actually know that this certificate came from Dell Computer Corporation.  Root certificates are always self-signed, so all I really know is that eDellRoot says eDellRoot is legit. Where it breaks down is that the private key IS PRESENT on my computer and that means ... bad.
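The two red flags described above (a trusted root whose private key is present on the end-user machine, and a root that can only vouch for itself because it is self-signed) can be checked without clicking through MMC.  The following PowerShell is an added example written for this post, not something Dell ships or anything from the original article; it assumes the built-in Cert: provider (Windows PowerShell 5.1 or later) and normalises the serial number quoted above to the upper-case, space-free hex form the certificate store uses.

```powershell
# Added example (not from the original post): audit the Windows trusted root
# stores for CA certificates whose private key is present on this machine.
# A root CA's private key belongs on the issuing CA only, never on a user PC.

function Get-RootCertsWithPrivateKey {
    param(
        # Both the machine-wide and the per-user root stores are checked (assumed paths).
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )

    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.HasPrivateKey } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    # Roots are always self-signed, so Subject -eq Issuer is expected here;
                    # it also means the certificate is only vouched for by itself.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                    NotAfter   = $_.NotAfter
                    Serial     = $_.SerialNumber
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

$findings = Get-RootCertsWithPrivateKey

if ($findings) {
    $findings | Format-Table Store, Subject, SelfSigned, NotAfter, Serial -AutoSize

    # Serial number prefix quoted in the post ("6b c5 7b 95 18 93 aa 97 4b 62"),
    # rewritten in the store's own hex format.
    $eDellRootSerialPrefix = '6BC57B951893AA974B62'
    $findings |
        Where-Object { $_.Serial -like "$eDellRootSerialPrefix*" } |
        ForEach-Object {
            Write-Warning "Certificate matching the eDellRoot serial has a local private key: $($_.Thumbprint)"
        }
}
else {
    'No trusted root certificates with a locally present private key were found.'
}
```

Any row this prints deserves an explanation from whoever provisioned the machine; a root with a private key in the user's store is a trust anchor that can be used to mint certificates that the machine will accept for any site.  If a finding is confirmed to be unwanted, the entry can be removed from an elevated prompt with `Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"`, after which the store should be re-checked, since software that installed the certificate may reinstall it.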

I'll note that I do not see a MITM website proxy as described in this Sophos blog, and the sites visited check out clean using Steve Gibson's fingerprints service.  Spot-checking of web browsing here and there also shows certificate chains checking out as I would expect.  What is the purpose of eDellRoot?

And a request arrives: Joe, would you kindly share the eDellRoot certificate from your computer?  Okay, here you go: link

I look forward to reading comments,

Joe Nord