Dell shipped systems with the eDellRoot certificate's public and private key Credit: REUTERS/George Frey Dell has come under fire for shipping PCs with a pre-installed trusted root certificate that can be used to compromise the security of encrypted HTTPS connections. The issue is similar to one Lenovo customers faced after the company shipped their systems with the Adware known as Superfish.The Lenovo issue gained a good deal of attention, and led to safer systems for consumers. However, six months after the Lenovo incident, Dell started using a trusted root certificate with similar problems called eDellRoot.The certificate ships with both the public and private key. On Reddit over the weekend, both were released to the public.“Surely Dell had to have seen what kind of bad press Lenovo got when people discovered what Superfish was up to. Yet, they decided to do the same thing but worse. This isn’t even a third-party application that placed it there; it’s from Dell’s very own bloatware,” commented the Reddit poster under the name “rotorcowboy”. “To add insult to injury, it’s not even apparent what purpose the certificate serves. At least with Superfish we knew that their rogue root CA was needed to inject ads into your web pages; the reason Dell’s is there is unclear.”Systems with the certificate installed are at risk should an attack use eDellRoot to create valid certificates for various websites, as demonstrated by Kenn White: ––The certificate problems created by Dell will only impact users of Internet Explorer, Microsoft’s Edge browser, and Chrome. Firefox users will not be affected, because Mozilla uses its own certificate store.Freelance journalist and security writer Hanno Böck has created a website for Dell customers who want to test their systems and check to see if they’re vulnerable.Dell hasn’t issued any comment to the public, but in a statement to Ars Technica, the company said that technicians were looking into the matter.Update: Shortly after this story went live, Dell issued the following statement to members of the media.Customer security and privacy is a top concern and priority for Dell. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.Dell didn’t respond to questions about the models that were affected by this issue, but when asked for additional details by Jeremy Kirk, of IDG’s News Service, the company said the certificate was added for support reasons.We began loading the current version on our consumer and commercial devices in August to make servicing PC issues faster and easier for customers.When a PC engages with Dell online support, the certificate provides the system service tag allowing Dell online support to immediately identify the PC model, drivers, OS, hard drive, etc. making it easier and faster to service. No personal information has been collected or shared by Dell without the customer’s permission. Related content news Gwinnett Medical Center investigating possible data breach After being contacted by Salted Hash, Gwinnett Medical Center has confirmed they're investigating a security incident By Steve Ragan Oct 02, 2018 6 mins Regulation Data Breach Hacking news Facebook: 30 million accounts impacted by security flaw (updated) In a blog post, Facebook’s VP of product management Guy Rosen said the attackers exploited a flaw in the website's 'View As' function By Steve Ragan Sep 28, 2018 4 mins Data Breach Security news Scammers pose as CNN's Wolf Blitzer, target security professionals Did they really think this would work? By Steve Ragan Sep 04, 2018 2 mins Phishing Social Engineering Security news Congress pushes MITRE to fix CVE program, suggests regular reviews and stable funding After a year of investigation into the Common Vulnerabilities and Exposures (CVE) program, the Energy and Commerce Committee has some suggestions as to how it can be improved By Steve Ragan Aug 27, 2018 3 mins Vulnerabilities Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe