
Are Google or other browser vendors looking at ways of combating this in the future? Would it be a massive privacy invasion to send back root cert details to the browser vendor so they can identify suspicious root certificates?

It might be nice for browsers to flag locally installed root certificates and give some kind of visual indication to users, but I'm not even sure how easy this is to do because a lot of browsers use the system roots and don't control the roots directly. It's easy to identify the extra certs when you control the original roots.

Also, apparently this doesn't go down too well with corporate users who want to install extra private roots for internal services or for MITM.
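The "identify the extra certs when you control the original roots" idea from the comment above, as an added example that is not from the original thread or from any browser vendor's code: a vendor-shipped baseline of root fingerprints is diffed against what the trust store actually contains, and only the fingerprints of the unknown roots are reported. The DER blobs are constructed stand-ins, not real X.509 certificates; the fingerprint-diff logic only cares about the bytes.

```python
import hashlib
import re
import ssl

# Constructed stand-in DER blobs. Real roots would be X.509 DER; these are
# placeholders so the example runs offline with no certificate library.
VENDOR_ROOTS = [
    b"constructed-der: Vendor Root CA 1",
    b"constructed-der: Vendor Root CA 2",
]
LOCAL_ROOT = b"constructed-der: Locally Installed Interception Root"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def bundle_from_ders(ders: list[bytes]) -> str:
    """Build a PEM bundle in the shape a system trust store exports."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)


def ders_from_bundle(bundle: str) -> list[bytes]:
    """Split a PEM bundle into its DER certificates (stdlib only)."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", bundle, re.S
    )
    return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]


def extra_roots(bundle: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the trust store but absent from the vendor baseline.

    Only the hash leaves the machine, so subject names and keys of a
    corporate-internal CA are never sent back to the vendor.
    """
    return [
        fp
        for fp in (fingerprint(d) for d in ders_from_bundle(bundle))
        if fp not in baseline
    ]


# Vendor side: baseline shipped with the browser (hashes of the roots it knows).
BASELINE = {fingerprint(d) for d in VENDOR_ROOTS}

# Client side: what the system trust store actually contains, including one
# root that was installed locally and is not in the vendor's baseline.
SYSTEM_STORE = bundle_from_ders(VENDOR_ROOTS + [LOCAL_ROOT])

if __name__ == "__main__":
    for fp in extra_roots(SYSTEM_STORE, BASELINE):
        print("root not in vendor baseline:", fp)
```

Reporting only the fingerprint is the privacy trade-off the comment asks about: the vendor learns that some unknown root exists and can match it against fingerprints of roots it already knows to be suspicious, but a corporate-internal CA's subject name is not disclosed. On a real system the bundle would come from the platform trust store rather than the constructed list here, and the baseline must track the vendor's current root program, otherwise every freshly added legitimate root shows up as "extra".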



If Chrome implemented better cert checks, Lenovo (or anyone else) could just install their own version of "Chromium, enhanced by Superfish" for users and push them there instead. Who do we turn to then, Microsoft? (No thanks.) The party at fault here is Lenovo; I would be cautious to blame the tools they used. Also keep in mind there are many white hat uses for MITM SSL packet manipulation. If you lock down all the tools, pretty soon you end up with a walled garden controlled by very few parties (who then pull crap like this in the end anyway, with slightly better spin/PR).



