
Interestingly, for users who are running the Superfish software, there's no need for a MitM to have the private certificate, as the Superfish MitM proxy is validating any cert. I have a screenshot here: http://defaultstore.com/four.png of it validating my MitM proxy cert. To be clear, I'm in the middle of the TLS connection from Bank of America thanks to Superfish not denying the bogus cert I provided.

If you have Superfish and want to validate this behavior for yourself, you can visit https://defaultstore.com/ and watch it accept an expired cert. Given this situation the Chrome team and others should without a doubt treat the cert as revoked.

It's likely a lot of people are still running that software. I bought a Lenovo Yoga 2 11 today and it had Superfish installed by default and all my connections are MitM'd on that machine.

UPDATE: if the cert is revoked, it will likely leave a lot of people unable to browse the web. It would be nice if the revocation process in Chrome could provide users with instructions on how to remove the software.
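The commenter's observation is that the interception proxy re-signs whatever the upstream server presents without checking it, so an expired or attacker-issued certificate passes through to the browser with a freshly minted, trusted Superfish signature. The following is an added example, not Superfish's code and not from the post: it contrasts an accept-anything upstream check with the date and hostname checks a proxy must at minimum apply before re-signing. Certificate records use the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; every record below is a constructed sample, and `proper_check`, `superfish_style_check` and the helper names are this example's own. Signature-chain verification against a trust store is deliberately not modelled here, since it needs real certificates; in production that part is what `ssl.create_default_context()` does for you.

```python
"""
Upstream certificate checks a TLS-intercepting proxy must perform (added
example, not Superfish's code). Records mirror the dict returned by
ssl.SSLSocket.getpeercert(); all records below are constructed samples.
"""
import ssl
import time


def _cert_time(s):
    # getpeercert() renders dates like 'Feb 19 23:59:59 2015 GMT'.
    return ssl.cert_time_to_seconds(s)


def _names(cert):
    # DNS subjectAltNames take precedence; fall back to the subject CN only
    # when no SAN is present, as browsers historically did.
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def _match(pattern, hostname):
    # Single-label wildcard only: '*.example.com' matches 'www.example.com'
    # but never 'example.com' or 'a.b.example.com'.
    p, h = pattern.lower(), hostname.lower()
    if p.startswith("*."):
        parts = h.split(".", 1)
        return len(parts) == 2 and "." in parts[1] and parts[1] == p[2:]
    return p == h


def superfish_style_check(cert, hostname, now=None):
    """The failure mode described in the post: every upstream cert is accepted."""
    return True, "accepted without checking"


def proper_check(cert, hostname, now=None):
    """Validity-period and hostname checks. Returns (ok, reason).

    now is epoch seconds; defaults to the current time.
    """
    now = time.time() if now is None else now
    try:
        not_before = _cert_time(cert["notBefore"])
        not_after = _cert_time(cert["notAfter"])
    except (KeyError, ValueError):
        return False, "unparseable validity period"
    if now < not_before:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    if not any(_match(n, hostname) for n in _names(cert)):
        return False, "hostname mismatch"
    return True, "ok"


# Constructed samples (hypothetical issuers and dates, not real certificates).
EXPIRED_CERT = {
    "subject": ((("commonName", "defaultstore.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 10 00:00:00 2014 GMT",
    "notAfter": "Feb 19 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "defaultstore.com"),),
}

VALID_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 10 00:00:00 2015 GMT",
    "notAfter": "Jan 10 00:00:00 2016 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

# A clock reading one day after EXPIRED_CERT lapsed.
CHECK_TIME = ssl.cert_time_to_seconds("Feb 20 12:00:00 2015 GMT")


if __name__ == "__main__":
    for label, cert, host in (("expired", EXPIRED_CERT, "defaultstore.com"),
                              ("valid", VALID_CERT, "www.example.com"),
                              ("wrong host", VALID_CERT, "www.bankofamerica.com")):
        print(label, "superfish-style:", superfish_style_check(cert, host, CHECK_TIME),
              "proper:", proper_check(cert, host, CHECK_TIME))
```

Running the block shows the accept-anything path waving through the expired and mis-named records that the proper path rejects. To reproduce the commenter's experiment against a live host, connect with `ssl.create_default_context()` and inspect `getpeercert()["issuer"]`: on an affected machine the issuer will be the interception root rather than the site's real CA.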
