SSL problems

Discussion in 'ESET Smart Security v4 Beta Forum' started by MasterTB, Feb 25, 2009.

Thread Status:
Not open for further replies.
  1. MasterTB
    Offline

    MasterTB Registered Member

    Hi, despite the fact that SSL protocol check is working for many sites (I have unchecked the option to automatic block of obsolete SSL v2 protocols), I'm having problems accessing sites like gmail and facebook, among others.
    I'm Running ESS v4RC and Opera Alpha 10 to access the web but for this sites the only chance to access is disabling SSL checks in ESS.
    Anyone having the same issues?

    I'm putting some screenshots to show the problem.

    Edit: It is an Opera>ESS related problem, it is working fine with IE, my guess is that the integration of ESS's certificate in Opera is not fully working...

    Attached Files:

    Last edited: Feb 25, 2009
  2. bigbw
    Offline

    bigbw Registered Member

    I've found a few SSL problems myself.

    Operating System: Windows Vista SP1.
    Security System: ESet Smart Security 4.0 Release Candidate - fresh install (no existing security system)
    Browser: IE7

    When looking at Settings, I noticed SSL wasn't enabled, so I set it to prompt me for each new visited site and I also unchecked the Block for SSL V2 box.

    To test out SSL, I thought I'd try the Logon button of various popular bank sites to see if the respective secure signon screen would appear or what happened if it didn't. I appreciate it is not a complete test as I'm not actually signing completely onto online banking (as I'd need umpteen online bank accounts which I don't have).

    When I was asked if I trusted the certificate I clicked the Yes button so that ESS did the SSL scan.

    These failed the logon screen test by hanging for ages and eventually giving an unable to display the Web page message:

    Nationwide
    Alliance & Leicester
    Egg
    ING Direct
    Salomon Smith Barney

    This failed because only part of a Web page displayed and the rest had errors that preventing moving on from the page:

    Northern Rock

    But on the other hand, these worked:

    Birmingham Midshires
    Bradford & Bingley
    BT
    Capital One
    Coventry
    Fidelity
    Principality
    Sainsburys
    Yorkshire
    Inland Revenue

    However, if I clicked the Exclude button when prompted for SSL scanning on the failed sites so that SSL scanning was bypassed then I could get access to those failed sites.

    Do the people at betasupport@eset.sk review these forums or should I also send this report to that Email address as well?
  3. NOD32 user
    Offline

    NOD32 user Registered Member

    Hi,

    They review them but I would still suggest that you email them and include a link to this thread and as mich information as possible about your system and configuration to assist with replicating your issue.

    Cheers :)
  4. MasterTB
    Offline

    MasterTB Registered Member

    I've sent Eset a support ticket regarding the problem, and I have to add that since the initial post I've been having trouble signing in to several other sites, including Hotmail or starting a session in Live Messenger because ESS refuses to accept the SSL certificates used to log in to the Live account.

    I have also seen this problem in IE so it is not an Opera isolated incident.

    hope they can fix this before going to final release.
  5. bigbw
    Offline

    bigbw Registered Member

    I've now Emailed my problem (see earlier post from me) to the betasupport Email address.

    Looking into it a bit further it seems that all but one of the sites I have problems with use the extended validation SSL certificates (the ones that cause the address bar to show green in IE7).

    But there again, at least one in the list that works also uses the extended validation certificates.

    I hope too that ESET can fix this before going live because otherwise I like their implementation with the number of choices available for SSL. My current security vendor's approach is an all-or-nothing one. When SSL scanning needs to be turned off for a particular site, all SSL scanning has to be turned off.

    My current security vendor's software can successfully scan all the sites I mentioned - but I've got two problems with their implementation, one is when the site certificate expires it doesn't get refreshed so I can't use the site after that date unless I disable SSL scanning, the other is that their implementation removes the extended certificate status (so the address bar in IE7 is white instead of green).

    So I am hopeful that ESET will make a better job of SSL scanning and if they do, I'll switch to them as a security vendor.
  6. MasterTB
    Offline

    MasterTB Registered Member

    OK, so, SSL scanning does not work anymore, I don't know if the certificate is corrupted or integration gets broken but I had to disable it in order to access secure sites.
    Any news from Eset about this issue?
    I understand this program is in beta stage but adding a function that does not work at all is not a good way to implement changes in software.
  7. NOD32 user
    Offline

    NOD32 user Registered Member

    Hi MasterTB,

    What happens if you try the following for testing?

    In the advanced settings tree under 'Certificates' clear the check for 'Add the root certificate for known browsers' and OK, and after a few moments pause go back in and re-check that box. While you're there, look under 'Trusted Certificates' remove all certificates that have any blank instead of data in any of their three fields, then back 2 levels in the tree under SSL, select 'Always scan SSL protocol' and then OK - and pause a few moments.

    Does your browsing experience improve?

    Cheers :)
  8. MasterTB
    Offline

    MasterTB Registered Member

    Hi NOD32 user:

    I tried your suggestion, I even removed Eset's Root certificate from Opera and IE, still I get the same error displayed on the screenshots of the first post, either I get a fatal error trying to access secure sites or the certificate for those sites get regected.

    I honestly don't know what seems to be the problem.
    Will try again removing all the certificates, disabling SSL, restartign and starting all over again,if that doesn't work I will leave it disabled until someone from Eset support give me an answer or perhaps a work arround.
  9. MasterTB
    Offline

    MasterTB Registered Member

    I followed my own advice, removed the certificates, closed the browser, disabled SSL on V4, restarted, enabled all again and... PRESTO it is working.
    Of course, I have it set to ask every time I visit a new site, otherwise it does not work.
    One problem though, you have an option to say YES, an option to say YES ALWAYS, an option to EXCLUDE (which is pretty much deffinitive) and an option to say NO, BUT you have no option to say NO ALWAYS, that is bothering me because when you are visiting a site that has both HTTP and HTTPs content, there is always a pop up if you keep saying no to the secure traffic if you don't want it.
    There should be an option to say ALWAYS NO.
    I also notice the lack of information in the pop ups. for instance, when I saw the pop up I'm posting in the screenshot below, I was browsing this site (http://www.sobrenotebooks.com.ar/2008/12/la-notebook-de-hoy-hp-pavilion-dv5.html) looking for imput on a laptop, yet the warning does not mention it or any other site so I really don't know where it is coming from.. ergo I don't know if I can trust it or not, or better yet, if I want that traffic to be loaded into the page.
    Something for the guys at ESET to think about...

    Attached Files:

  10. NOD32 user
    Offline

    NOD32 user Registered Member

    I'm pretty sure that EXCLUDE is the as No, always button you wanted - I can not find any entry created by it's use except for in the list of excluded certificates which means that when that certificate is used to authenticate an SSL connection it's SSL traffic is not scanned.

    I've actually found a couple of things that don't operate as expected when SSL scanning is enabled (one of them is the http://sync.live.com/ app) so for those I've removed the certificate from the Trusted Certificates list and used exactly that option when prompted again later, so all is well again.

    Cheers :)
  11. MasterTB
    Offline

    MasterTB Registered Member

    Not quite, when you say EXCLUDE, as you mention, the traffic is not scanned, BUT when you say NO, the traffic is blocked because you're telling Eset that you DON'T trust the certificate.
    There should be an ALWAYS NO button..
  12. MasterTB
    Offline

    MasterTB Registered Member

    Another fault in Eset's SSL secure check is that EV Enabled sites do not show up GREEN on Opera, instead they show up Yellow, which means Secure but not EV secure.
    I believe the Eset's root certificate should be faithful to the security of the site checking so that the user really sees the site as it is supposed to be seen.
  13. MasterTB
    Offline

    MasterTB Registered Member

    Here we go again... SSL broken on my newly installed V4 314 Spanish.
    It worked for about a day, and now... broken... what can I say...
    I'm leaving a pic, with a time stamp so that it is clear that it just happened.

    Attached Files:

    Last edited: Mar 4, 2009
  14. nodyforever
    Offline

    nodyforever Registered Member

    Hello MasterB,

    My images:

    Attached Files:

  15. muppetman
    Offline

    muppetman Registered Member

    I have noticed that SSL scan doesn't seem to pickup the eicar test string.

    For example, click on this (with SSL scanning enabled)

    https://secure.eicar.org/eicar.com.txt

    It should alarm, but it doesn't.

    As comparison, here is the eicar file, not delivered via SSL

    http://www.eicar.org/download/eicar.com.txt

    Is this a bug?

    ESS Details: 4.0.314.0
    Code:
    Virus signature database: 3912 (20090306)
    Update module: 1028 (20090302)
    Antivirus and antispyware scanner module: 1188 (20090301)
    Advanced heuristics module: 1090 (20090219)
    Archive support module: 1091 (20090213)
    Cleaner module: 1038 (20090210)
    Anti-Stealth support module: 1010 (20090302)
    Personal firewall module: 1044 (20090121)
    Antispam module: 1011 (20090114)
    System status module: 1210 (20090306)
    Self-defense support module : 1005 (20081105)
    
  16. jerick70
    Offline

    jerick70 Registered Member

    I am having problems with SSL too. I had to turn it off before it drove me mad o_O . Anyway... the big issue I was having was with the Gmail plugin for Firefox. I would get an error saying the website had an invalid certificate. I couldn't get ESS to like the website as hard as I tried. I added the website it was looking for to the Address Management list and no go. I will post some images when I get home tonight.

    Edit: Well I can't get the error to come up anymore. Not sure what the difference iso_O??
    Last edited: Mar 8, 2009
Thread Status:
Not open for further replies.