Response to Concerns Regarding eDellroot Certificate

  • "We thank customers such as Hanno Böck, Joe Nord and Kevin Hicks, aka rotorcowboy, who brought this to our attention. If you ever find a potential security vulnerability in any Dell product or software, we encourage you to visit this site to contact us immediately."

    That's something a lot of companies could learn from. But besides that the whole reason why they did it seems a bit thin, as if it needs a root certificate to get to a device tag.

  • "It was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers."

    Yeah, right. There's no other way to identify the model other than loading a root certificate with the power to certify any site as any domain. They expect people to believe that? Are they incompetent or corrupt?

  • I worked for Dell a few years ago, and this is a complete bullshit response. The service tag takes all of 3 seconds to obtain. The full system specs are revealed once it's entered. At no point is bypassing the customer's security a requirement of getting your service tag.

  • It gets better: they also shipped the private key material for signing arbitrary Windows kernel drivers with a Verisign-issued certificate: https://www.duosecurity.com/blog/dude-you-got-dell-d-publish...

  • I was wondering why they did it... Now I think I'd prefer not knowing. Not only was it a terrible idea, apparently there was nobody to tell the programmer it's a terrible idea, and even QA (if they have it) didn't do their job.

    Basically all the way from the idea to release, they had no person who knows what root certificates are.

  • I don't think it was installed with malicious intentions. It wouldn't make sense to leave the private key inside anyway.

  • With this root cert anyone could decode SSL traffic between you and a supposed secure web server. These kinds of accidental security blunders seem to be a regular occurrence. Are people that incompetent, or is there a more sinister reason?

  • A bad situation, but a good (and timely) response.

  • I'm beginning to think that Microsoft should automatically block unrecognized root CAs unless it is added through a group policy.

  • > Customer security and privacy is a top concern and priority for Dell;

    Come on!

    The author says right there that the certificates were "intended to make it faster and easier for our customers to service their system."

    Statements completely contradicting each other.

  • > This certificate is not being used to collect personal customer information.

    That's a very strong statement, which a sizeable percentage of Hacker News readers could probably disprove in minutes.
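Added example, written for this thread and not taken from Dell or from any commenter: a PowerShell audit of the Windows trusted root stores that picks up the two concerns raised above, a root certificate whose private key sits on the machine and trusted roots that no policy ever sanctioned. Matching on the subject name "eDellRoot" is an assumption; no thumbprint is hard-coded.

```powershell
# Audit both trusted-root stores for (a) the eDellRoot certificate and
# (b) any trusted root that carries a private key on this endpoint.
# A root CA private key on an end-user machine lets anyone who extracts it
# mint a valid certificate for any site, which is the failure mode discussed.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $isEDell = $_.Subject -match 'eDellRoot'   # assumed subject name
        $hasKey  = $_.HasPrivateKey
        if ($isEDell -or $hasKey) {
            if ($isEDell) { $reason = 'eDellRoot subject' }
            else          { $reason = 'trusted root with private key' }
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $hasKey
                SelfSigned    = ($_.Subject -eq $_.Issuer)
                NotAfter      = $_.NotAfter
                Reason        = $reason
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Mitigation: remove the eDellRoot entries and their private keys.
    # -WhatIf only previews; drop it (from an elevated shell) to actually delete.
    $findings | Where-Object { $_.Subject -match 'eDellRoot' } | ForEach-Object {
        Remove-Item -Path "$($_.Store)\$($_.Thumbprint)" -DeleteKey -WhatIf
    }
} else {
    'No eDellRoot certificate and no trusted root with a private key found.'
}
```

Run it from an elevated PowerShell session so the LocalMachine store is fully readable; the preview step reports what would be removed without changing the store.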