Amazon Superfish stats gathering

All of a sudden, Amazon pages have started throwing errors about an SSL certificate from swedishfish-221529501.us-east-1.elb.amazonaws.com. This is being used to "verify" the SSL connection to fetch a 1x1 transparent PNG image, https://sf-696745784.us-east-1.elb.amazonaws.com/sf.png.

Googling those revealed precisely fuck all, so I looked at the page source, and found this (I have prettyprinted it, but have not altered it in any other way):

<script type="text/javascript">
window.$Nav && $Nav.when('alert.appendMessage', 'metrics', 'page.ready').run('alert.js', function(appendMessage) {
    var m = window.$Nav.getNow('metrics');
    var i = new Image;
    i.onload = function() {
        m.increment('nav-superfish-vulnerable')
    }, i.onerror = function() {
        m.increment('nav-superfish-not-vulnerable')
    }, i.src = 'https://sf-696745784.us-east-1.elb.amazonaws.com/sf.png';
    window.$Nav.declare('config.signInOverride', false);
});
window.$Nav && $Nav.when('$').build('alert.appendMessage', function($) {
    return function() {
        var $alertDiv = $('<div id="nav-alert"></div>');
        $alertDiv.append('<span id="nav-alert-msg"> </span>');
        $alertDiv.append('<a href=" " id="nav-alert-url"> </a>');
        $alertDiv.append('<span id="nav-alert-close">&#215;</span>');
        $alertDiv.prependTo('#navbar');
        $('#nav-alert-close').click(function() {
            $('#nav-alert').hide();
        });
    };
});
</script>

This looks to me like they are trying to gather stats on how many people accessing Amazon are affected by the Lenovo Superfish vulnerability. This, in case you haven't heard of it, is factory malware installed by Lenovo on laptops enabling them to MITM SSL connections and send Lenovo details of all your shit.

All very well, I guess, but it would have been nice to have been FUCKING TOLD that Amazon have deliberately included code on their website that causes the browser to throw up certificate errors, instead of seeing this dodgy-looking certificate error pop up out of the blue and wondering if Amazon themselves have been hacked or what.

Oh, and there is NOT some code somewhere else that fills in the nav-alert stuff and shows you a warning. (Or if there is, it doesn't work, but I wouldn't have thought so because Amazon are one of the very, very few websites where all the fucking javascript works instead of throwing errors left right and centre or just failing silently so things don't work for no apparent reason.) Having got this far I tried accepting the dodgy certificate for experiment, and verified that the i.onload() function did indeed get called, but no matter what I did thereafter, it all just carried on as before and no warnings appeared, even when I did things like "View emails with sellers" which require you to sign in again.

OH THANKS A FUCKING LOT, AMAZON, YOU WANKERS. Include code to test people's computers for Superfish vulnerability, then when you find it don't bother to tell them, oh no, just write it down in your fucking private notebook and let them carry right on in happy ignorance. FUCKSAKE.

Not to mention that the test is shit anyway because people with a less suspicious mentality aren't going to think about stuff like this; they will just unthinkingly click "accept" when the browser complains about the dodgy certificate so the test results will contain shitloads of false positives. Because people are thick and this is what they do. Like when they install antivirus software and then click "accept" and "don't ask me again" on all the warnings and then whine about getting virused even though they've got antivirus software installed it isn't fair this software is no good etc etc etc.

The certificate details are:

Certificate name
    sf-696745784.us-east-1.elb.amazonaws.com
    Amazon.com
    WA
    US
    emailAddress: security@amazon.com
Issuer
    swedishfish-221529501.us-east-1.elb.amazonaws.com
    Amazon.com
    Seattle
    WA
    US
    emailAddress: security@amazon.com
Certificate version: 3
Serial number: 0x1001
Not valid before: 21/02/15 01:09:00 GMT
Not valid after: 21/02/16 01:09:00 GMT
Fingerprint (SHA-1): B2 52 37 3A 8C 42 74 AF 89 E6 CB D9 FB 23 2B A9 FF 11 CD CA
Fingerprint (SHA-256): C9 E2 6E 51 66 98 46 8B 2D 2F A5 20 F5 8D 93 96 9E 13 AF 6F 37 76 52 E3 09 F7 6D 99 65 EA EF B0
Public key (1024 bits)
    Public key algorithm: rsaEncryption
    Modulus:
        00: EF 5A 4F 80 28 B0 F3 EE 4B 52 23 CD 11 BB 7F 54
        10: E6 AB D9 93 86 F8 66 4C 33 FE 79 52 F2 BA F3 6E
        20: 79 2C 5A 63 22 3D BC CA 2D 7A DE 8F 8E 4B D7 53
        30: F4 6F 45 2B FE 68 2D 85 7E CB 97 45 29 02 D3 D6
        40: F6 0C A8 14 1C 06 F0 C1 04 70 31 58 19 F0 02 B4
        50: 2B F7 46 04 94 A6 DC 58 C2 6C 5A 7E 53 65 18 E5
        60: 62 37 F9 DD B9 E0 11 88 C5 24 85 C2 01 31 EF 3A
        70: 3A 2A 27 78 2B 18 56 FD 0F 30 9E 19 36 49 BE F9
    Exponent: 01 00 01
Signature
    Signature algorithm: sha256WithRSAEncryption
    Signature:
        00: C2 30 B6 FE 05 5B C2 89 14 D8 DF C8 19 BC DA E7
        10: 23 48 4A 19 E7 AF F1 47 85 5C 10 2B 41 C4 CC E9
        20: 3F 16 FF 16 72 5E C7 5F CA B8 A9 49 1B 95 C9 D3
        30: 8B CB 52 94 5B 56 00 97 EC 7D D6 9C 3F 86 63 2F
        40: 4D 60 62 8A 45 90 96 17 69 2A 5A 24 E3 D4 13 D7
        50: 34 1F F4 D3 5B ED 91 C9 75 14 39 34 4B 28 8C 2D
        60: 63 E8 2F D1 73 14 34 D2 F3 A7 82 3F 3E 36 B7 FD
        70: 1C 3E 62 F5 3E 98 FF 26 60 93 F6 41 E1 3F 29 81
Extensions
    X509v3 Basic Constraints: CA:FALSE
    Netscape Comment: OpenSSL Generated Certificate
    X509v3 Subject Key Identifier: E9:FA:61:BC:C9:E8:C6:1E:95:D1:89:CA:A4:0E:9E:01:F1:E7:0E:F6
    X509v3 Authority Key Identifier: keyid:FB:98:B3:53:7F:14:44:2E:E8:EE:D5:09:9A:5E:0E:56:86:A8:35:88

Googling this stuff reveals that the above "Authority Key Identifier" is common to "genuine" Superfish certificates from the actual Superfish malware itself.
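
The counting logic of the script above, and the false-positive case where someone clicks "accept" on the certificate warning, as an added example that is not part of the original page or of Amazon's code. The client model (`trustedRootKeyIds`, `acceptedExceptions`), `FakeImage` and the sample population are assumptions; a match on the Authority Key Identifier stands in for real chain validation.

```javascript
// Added example. Client model and FakeImage are constructed for illustration.
// Certificate values are the ones listed in the certificate details above.
const SUPERFISH_KEYID = 'FB:98:B3:53:7F:14:44:2E:E8:EE:D5:09:9A:5E:0E:56:86:A8:35:88';
const PROBE_CERT = {
  sha1: 'B2 52 37 3A 8C 42 74 AF 89 E6 CB D9 FB 23 2B A9 FF 11 CD CA',
  authorityKeyId: SUPERFISH_KEYID,
};
const PROBE_URL = 'https://sf-696745784.us-east-1.elb.amazonaws.com/sf.png';

// Assumed trust model (simplified; real validation verifies signatures):
// accept if the issuer key is a trusted root, or the user stored an exception.
function acceptsCert(client, cert) {
  return client.trustedRootKeyIds.includes(cert.authorityKeyId) ||
         client.acceptedExceptions.includes(cert.sha1);
}

// Stand-in for the browser Image: fires onload/onerror when src is assigned.
function makeImage(client) {
  return class FakeImage {
    set src(url) {
      if (acceptsCert(client, PROBE_CERT)) this.onload();
      else this.onerror();
    }
  };
}

// Same decision as the page's script: onload => vulnerable, onerror => not.
function tally(clients) {
  const counters = { 'nav-superfish-vulnerable': 0, 'nav-superfish-not-vulnerable': 0 };
  for (const client of clients) {
    const i = new (makeImage(client))();
    i.onload = () => { counters['nav-superfish-vulnerable'] += 1; };
    i.onerror = () => { counters['nav-superfish-not-vulnerable'] += 1; };
    i.src = PROBE_URL;
  }
  return counters;
}

// Clients the probe counts as vulnerable although no Superfish root is trusted.
function falsePositives(clients) {
  return clients
    .filter(c => acceptsCert(c, PROBE_CERT) && !c.trustedRootKeyIds.includes(SUPERFISH_KEYID))
    .map(c => c.name);
}

const CLIENTS = [ // constructed sample population
  { name: 'clean', trustedRootKeyIds: [], acceptedExceptions: [] },
  { name: 'superfish-installed', trustedRootKeyIds: [SUPERFISH_KEYID], acceptedExceptions: [] },
  { name: 'clicked-accept', trustedRootKeyIds: [], acceptedExceptions: [PROBE_CERT.sha1] },
];
console.log(tally(CLIENTS), falsePositives(CLIENTS));
```

The metric cannot tell the second and third client apart: both end up in `nav-superfish-vulnerable`, because the only signal the script sees is whether the image loaded.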



