Skip to main content

Update: Some Dell computers have vulnerable HTTPS credential, removal instructions issued

dell xps 13 2015 review lid logo
Greg Mombert/Digital Trends
Update 8:30AM 11/24/2015: Another statement has been issued. This one clarifies that the “eDellRoot” certificate was not malware or adware, but part of the company’s support services, and the resulting security flaw was unintentional. A removal tool has been made available. You can read Dell’s full blog post addressing the issue here.

Update 3:05PM 11/23/2015: Dell has issued an expanded statement about the security problem, stating it was unintended flaw, and that users will be able to fix the issue by following the company’s instructions.

Recommended Videos

Customer security and privacy is a top concern and priority for Dell. The recent situation raised is related to an on-the-box support certificate intended to provide a better, faster and easier customer support experience. Unfortunately, the certificate introduced an unintended security vulnerability. To address this, we are providing our customers with instructions to permanently remove the certificate from their systems via direct email, on our support site and Technical Support. We are also removing the certificate from all Dell systems moving forward. Note, commercial customers who image their own systems will not be affected by this issue. Dell does not pre-install any adware or malware. The certificate will not reinstall itself once it is properly removed using the recommended Dell process.

Please enable Javascript to view this content

It’d be better if the problem never existed in the first place, but Dell’s response has appeared much quicker than Lenovo’s handling of Superfish, which initially denied there was a problem at all.

Original text: It’s thought that systems currently being shipped by Dell might be carrying a major security flaw, leaving them wide open for potential attacks. Evidence of this error has been found on an Inspiron 5000 series notebook and an XPS 15 with a certificate called “eDellRoot,” but at this stage it’s difficult to get a handle on just how widespread the problem is.

The issue centers around the self-signed transport layer security credential, according to findings from Reddit reported by Ars Technica. Its existence makes it relatively simple for a hacker to slip past HTTPS protection protocols by forging a certificate to imitate the credentials of the self-signed “eDellRoot” certificate found on vulnerable Dell systems. With that bit of subterfuge complete, it would be possible for an attacker to imitate any website without the user knowing. Even most security programs can’t detect this sort of attack.

Remarkably, this problem was not caught by Dell, instead being investigated by a user who found a suspicious certificate named eDellRoot pre-installed on a new system. His claims were then corroborated by other users who found the same files present on their Dell computers.

Dell has since released a statement stressing that customer security and privacy is a ‘top concern’ in relation to pre-installed content. As such, an investigation into these suspect certificates in currently ongoing, and more updates for affected users are expected to be circulated by the company at the earliest opportunity.

Earlier this year, competing PC manufacturer Lenovo was the center of a similar uproar regarding pre-installed content that included a self-signed HTTPS certificate. In that case, Superfish adware was the guilty party — but the way that it opened up the computer it was installed upon resembled the exploit potentially lingering on Dell systems.

There are plenty of reasons why building a computer can be a better option than buying a stock system, but chief among them has to be complete control over what is installed upon it from the outset. In most cases, bloatware is the biggest problem, but a scenario like Dell’s snafu is something many users would prefer to steer clear of altogether.

Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…
ChatGPT just dipped its toes into the world of AI agents
OpenAI's ChatGPT blog post is open on a computer monitor, taken from a high angle.

OpenAI appears to be just throwing spaghetti at this point, hoping it sticks to a profitable idea. The company announced on Tuesday that it is rolling out a new feature called ChatGPT Tasks to subscribers of its paid tier that will allow users to set individual and recurring reminders through the ChatGPT interface.

Tasks does exactly what it sounds like it does: It allows you to ask ChatGPT to do a specific action at some point in the future. That could be assembling a weekly news brief every Friday afternoon, telling you what the weather will be like in New York City tomorrow morning at 9 a.m., or reminding you to renew your passport before January 20. ChatGPT will also send a push notification with relevant details. To use it, you'll need to select "4o with scheduled tasks" from the model picker menu, then tell the AI what you want it to do and when.

Read more
Will a VPN work on the TikTok ban? Here’s everything you need to know
TikTok logo on an iPhone.

TikTok is one of the most popular apps on the planet, and unless you live under a rock, you've probably heard by now that it's likely going to get banned in the United States. For the roughly 170 million monthly TikTok users in the US, the potential ban is disappointing news, to say the least. We're happy to report that there's still hope, though. If you already have the app on your phone, you can actually bypass the ban somewhat quite easily. In fact, the main way to do it is through the use of a VPN, and given how common VPNs are these days, you may already have a paid VPN subscription that you could potentially utilize. It's also worth noting that while free VPN options exist, they may not work as well as paid VPNs, especially when it comes to country choices and speeds.

But let's backtrack a bit - you’ve probably heard of virtual private networks before, what exactly do they do? In short, a VPN helps you protect your privacy by disguising your location, allowing you to change your apparent location and view websites in other countries as if you were a resident.

Read more
Your personal info is being stolen with every click you make – but don’t worry, Incogni can help with that
Incogni remove personal information from identity thieves

You may already be using one of the best VPNs for online privacy, but you can still go one step further and take the fight to the companies holding your information hostage. With every signup and click around the web, there's a chance that malicious parties are picking up on your personal data, shopping patterns, and interests. And that's even if you're using one of the best antivirus packages out there. Luckily, Incogni is ready to take on the fight against these data brokers for you. And, even better, you can now get a year's worth of their service for 55% off the regular price. Just tap the button below and enter the code DIGITALDEAL upon checkout to lower an annual plan from around $180 to closer to $81. Alternatively, keep reading to learn more about the service and how it can help you combat these threats.

Why you should try Incogni
Between IP addresses, cookies, accounts, and other data, a complex narrative about you and your patterns can be made for advertisers. Even Incognito Mode isn't perfect at keeping your information totally safe. An April 2023 lawsuit showed just how sloppy big companies can be with your data — at that time, Facebook didn't have rules regarding the ways third parties could interact with user data. If you're clickin', your data is probably stickin'.

Read more