Yet another certificate disaster

I was dismayed to read this article on The Register today which suggests that yet another large manufacturer has shipped a security nightmare with its laptops.  You’d have thought these people would have learned after the Lenovo “Superfish” debacle, but apparently not.

It would appear that Dell ships a self-signed root CA certificate named “eDellRoot”, which Dell software automatically installs into the Windows trusted root certificate store.  On its own that would not be too much of a problem, but this time they have managed to install the private key as well.  Assuming the private key is the same on every machine that carries this certificate, it is trivially easy to extract that key, sign certificates with it, and have any Dell machine blindly accept them; such certificates can then be used for nefarious purposes such as impersonating web sites, man-in-the-middle attacks, malware, etc, etc, etc.
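The defect described above is easy to check for on a Windows host.  The following PowerShell is an added example (not from the original post or from Dell): it walks the machine and user trusted root stores and flags any root certificate that has a private key associated with it, and separately anything matching the “eDellRoot” name; the output object layout is this script’s own convention.

```powershell
# Added example: audit the Windows trusted root stores for trust anchors that
# should never be there. A root CA certificate is only a public key plus a
# self-signature; if Windows reports HasPrivateKey for it, the signing key has
# been installed on this machine too, which is exactly the eDellRoot problem.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # A root certificate is self-signed: Subject and Issuer carry the same DN.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $reasons = @()
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present in a root store'
        }
        if ($cert.Subject -match 'eDellRoot') {
            $reasons += 'name matches the eDellRoot certificate from the Dell report'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                SelfSigned = $selfSigned
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'A root CA whose private key sits on this host lets anyone who can read that key mint certificates this host will trust.'
} else {
    Write-Output 'No root certificate with a private key, and no eDellRoot entry, found.'
}
```

Run it from an elevated prompt so the LocalMachine store is readable; a flagged entry can be deleted with Remove-Item on its Cert: path (for example Cert:\LocalMachine\Root\<thumbprint>) once you have confirmed it is not a root your organisation deliberately deployed.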

What on earth were Dell thinking?!