SSL problems

[MasterTB]

Hi, despite the fact that SSL protocol check is working for many sites (I have unchecked the option to automatic block of obsolete SSL v2 protocols), I'm having problems accessing sites like gmail and facebook, among others.
I'm Running ESS v4RC and Opera Alpha 10 to access the web but for this sites the only chance to access is disabling SSL checks in ESS.
Anyone having the same issues?

I'm putting some screenshots to show the problem.

Edit: It is an Opera>ESS related problem, it is working fine with IE, my guess is that the integration of ESS's certificate in Opera is not fully working...

[bigbw]

I've found a few SSL problems myself.

Operating System: Windows Vista SP1.
Security System: ESet Smart Security 4.0 Release Candidate - fresh install (no existing security system)
Browser: IE7

When looking at Settings, I noticed SSL wasn't enabled, so I set it to prompt me for each new visited site and I also unchecked the Block for SSL V2 box.

To test out SSL, I thought I'd try the Logon button of various popular bank sites to see if the respective secure signon screen would appear or what happened if it didn't. I appreciate it is not a complete test as I'm not actually signing completely onto online banking (as I'd need umpteen online bank accounts which I don't have).

When I was asked if I trusted the certificate I clicked the Yes button so that ESS did the SSL scan.

These failed the logon screen test by hanging for ages and eventually giving an unable to display the Web page message:

Nationwide
Alliance & Leicester
Egg
ING Direct
Salomon Smith Barney

This failed because only part of a Web page displayed and the rest had errors that preventing moving on from the page:

Northern Rock

But on the other hand, these worked:

Birmingham Midshires
Bradford & Bingley
BT
Capital One
Coventry
Fidelity
Principality
Sainsburys
Yorkshire
Inland Revenue

However, if I clicked the Exclude button when prompted for SSL scanning on the failed sites so that SSL scanning was bypassed then I could get access to those failed sites.

Do the people at betasupport@eset.sk review these forums or should I also send this report to that Email address as well?

[NOD32 user]

Quote:

Originally Posted by bigbw

I've found a few SSL problems myself.

Do the people at betasupport@eset.sk review these forums or should I also send this report to that Email address as well?

Hi,

They review them but I would still suggest that you email them and include a link to this thread and as mich information as possible about your system and configuration to assist with replicating your issue.

Cheers

[MasterTB]

I've sent Eset a support ticket regarding the problem, and I have to add that since the initial post I've been having trouble signing in to several other sites, including Hotmail or starting a session in Live Messenger because ESS refuses to accept the SSL certificates used to log in to the Live account.

I have also seen this problem in IE so it is not an Opera isolated incident.

hope they can fix this before going to final release.

[bigbw]

I've now Emailed my problem (see earlier post from me) to the betasupport Email address.

Looking into it a bit further it seems that all but one of the sites I have problems with use the extended validation SSL certificates (the ones that cause the address bar to show green in IE7).

But there again, at least one in the list that works also uses the extended validation certificates.

I hope too that ESET can fix this before going live because otherwise I like their implementation with the number of choices available for SSL. My current security vendor's approach is an all-or-nothing one. When SSL scanning needs to be turned off for a particular site, all SSL scanning has to be turned off.

My current security vendor's software can successfully scan all the sites I mentioned - but I've got two problems with their implementation, one is when the site certificate expires it doesn't get refreshed so I can't use the site after that date unless I disable SSL scanning, the other is that their implementation removes the extended certificate status (so the address bar in IE7 is white instead of green).

So I am hopeful that ESET will make a better job of SSL scanning and if they do, I'll switch to them as a security vendor.

[MasterTB]

OK, so, SSL scanning does not work anymore, I don't know if the certificate is corrupted or integration gets broken but I had to disable it in order to access secure sites.
Any news from Eset about this issue?
I understand this program is in beta stage but adding a function that does not work at all is not a good way to implement changes in software.

[NOD32 user]

Hi MasterTB,

What happens if you try the following for testing?

In the advanced settings tree under 'Certificates' clear the check for 'Add the root certificate for known browsers' and OK, and after a few moments pause go back in and re-check that box. While you're there, look under 'Trusted Certificates' remove all certificates that have any blank instead of data in any of their three fields, then back 2 levels in the tree under SSL, select 'Always scan SSL protocol' and then OK - and pause a few moments.

Does your browsing experience improve?

Cheers

[MasterTB]

Hi NOD32 user:

I tried your suggestion, I even removed Eset's Root certificate from Opera and IE, still I get the same error displayed on the screenshots of the first post, either I get a fatal error trying to access secure sites or the certificate for those sites get regected.

I honestly don't know what seems to be the problem.
Will try again removing all the certificates, disabling SSL, restartign and starting all over again,if that doesn't work I will leave it disabled until someone from Eset support give me an answer or perhaps a work arround.

[MasterTB]

I followed my own advice, removed the certificates, closed the browser, disabled SSL on V4, restarted, enabled all again and... PRESTO it is working.
Of course, I have it set to ask every time I visit a new site, otherwise it does not work.
One problem though, you have an option to say YES, an option to say YES ALWAYS, an option to EXCLUDE (which is pretty much deffinitive) and an option to say NO, BUT you have no option to say NO ALWAYS, that is bothering me because when you are visiting a site that has both HTTP and HTTPs content, there is always a pop up if you keep saying no to the secure traffic if you don't want it.
There should be an option to say ALWAYS NO.
I also notice the lack of information in the pop ups. for instance, when I saw the pop up I'm posting in the screenshot below, I was browsing this site (http://www.sobrenotebooks.com.ar/200...ilion-dv5.html) looking for imput on a laptop, yet the warning does not mention it or any other site so I really don't know where it is coming from.. ergo I don't know if I can trust it or not, or better yet, if I want that traffic to be loaded into the page.
Something for the guys at ESET to think about...

[NOD32 user]

I'm pretty sure that EXCLUDE is the as No, always button you wanted - I can not find any entry created by it's use except for in the list of excluded certificates which means that when that certificate is used to authenticate an SSL connection it's SSL traffic is not scanned.

I've actually found a couple of things that don't operate as expected when SSL scanning is enabled (one of them is the http://sync.live.com/ app) so for those I've removed the certificate from the Trusted Certificates list and used exactly that option when prompted again later, so all is well again.

Cheers

[MasterTB]

Quote:

Originally Posted by NOD32 user

I'm pretty sure that EXCLUDE is the as No, always button you wanted - I can not find any entry created by it's use except for in the list of excluded certificates which means that when that certificate is used to authenticate an SSL connection it's SSL traffic is not scanned.

Not quite, when you say EXCLUDE, as you mention, the traffic is not scanned, BUT when you say NO, the traffic is blocked because you're telling Eset that you DON'T trust the certificate.
There should be an ALWAYS NO button..

[MasterTB]

Another fault in Eset's SSL secure check is that EV Enabled sites do not show up GREEN on Opera, instead they show up Yellow, which means Secure but not EV secure.
I believe the Eset's root certificate should be faithful to the security of the site checking so that the user really sees the site as it is supposed to be seen.

[MasterTB]

Here we go again... SSL broken on my newly installed V4 314 Spanish.
It worked for about a day, and now... broken... what can I say...
I'm leaving a pic, with a time stamp so that it is clear that it just happened.

[nodyforever]

Hello MasterB,

My images:

[muppetman]

I have noticed that SSL scan doesn't seem to pickup the eicar test string.

For example, click on this (with SSL scanning enabled)

https://secure.eicar.org/eicar.com.txt

It should alarm, but it doesn't.

As comparison, here is the eicar file, not delivered via SSL

http://www.eicar.org/download/eicar.com.txt

Is this a bug?

ESS Details: 4.0.314.0

Code:

Virus signature database: 3912 (20090306)
Update module: 1028 (20090302)
Antivirus and antispyware scanner module: 1188 (20090301)
Advanced heuristics module: 1090 (20090219)
Archive support module: 1091 (20090213)
Cleaner module: 1038 (20090210)
Anti-Stealth support module: 1010 (20090302)
Personal firewall module: 1044 (20090121)
Antispam module: 1011 (20090114)
System status module: 1210 (20090306)
Self-defense support module : 1005 (20081105)

[jerick70]

I am having problems with SSL too. I had to turn it off before it drove me mad . Anyway... the big issue I was having was with the Gmail plugin for Firefox. I would get an error saying the website had an invalid certificate. I couldn't get ESS to like the website as hard as I tried. I added the website it was looking for to the Address Management list and no go. I will post some images when I get home tonight.

Edit: Well I can't get the error to come up anymore. Not sure what the difference is??