
|||->Options->Advanced->View Certificates

SSL works by verifying a certificate against an authority, so if there is anyone you don't trust on your list, you can't trust the site you are visiting. Superfish distributed their private signing key everywhere, protected only by the simple 'komodia' password. Now anyone can pretend to be them. Operating systems install their own list of authorities, but Firefox maintains its own. Other Komodia products are also vulnerable.




I feel like it's better to not mention the password on the key. It could have been the best password in the world and it wouldn't matter. Local signing means the key can be extracted. Talking about the minor obfuscation of storing a passworded key in the same file as the password is a red herring that gives the wrong impression.

In short: It wasn't protected by the password. It was protected by nothing.


Good point. The important part is that it illustrates just how vulnerable Komodia products are. That password will likely get people access to other things as well.



