SSL Scanning - What's Up With That?

Discussion in 'other anti-virus software' started by hamlet, Jun 18, 2015.

  1. Triple Helix

    Triple Helix Specialist

    Thanks Nic for clarifying, it's much appreciated!

    Daniel :)
     
  2. @av-vendors

    :argh: as if they were listening, dream on, dream on :argh:

    Why not offer a browser plug-in with a check like SSL EYE on top of a URL blacklist check? Combine this with an AV scan of the browser, its DLLs and the programs hooking keystrokes (so not block but check); this would be a major improvement over breaking SSL security when trying to protect against (financial) malware. This scan/check could be user-initiated or automatic (for https websites).
     
  3. tolstoshev

    tolstoshev Registered Member

    Our URL and IP database still scans and gives scores to SSL websites - we just don't scan everything you download from them. However, if you were to download an executable file from such a site and run it, then Webroot will evaluate that executable as usual after the download is completed.
     
  4. Victek

    Victek Registered Member

    Thanks for contributing to the thread :thumb: And by the way nice bunny ears :D
     
  5. tolstoshev

    tolstoshev Registered Member

    Sure thing and thanks :) A former coworker brought them back from a gaming convention. If you zoom in you can see the Mario Bros image on the left ear.
     
  6. itman

    itman Registered Member

    I guess I should clarify that for SSLSplit to work, its cert. has to be added to the PC's root CA:

    For SSLsplit to act as a middle man for SSL connections, it needs to be able to generate and sign certificates that the victim trusts. In order to do so, the victim must have the attacker’s root CA certificate in its trust store.

    ref.: http://blog.philippheckel.com/2013/08/04/use-sslsplit-to-transparently-sniff-tls-ssl-connections/

    So, the only way a MITM can fully impersonate a Root CA without browser alerts is with a forged root CA cert. or improperly issued intermediate/root CA certs.
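
The trust-store requirement quoted in the post above can be observed with plain `openssl`; this is an added example, not code from the thread or from the linked article. A leaf certificate signed by an interceptor's own root fails verification until that root is in the client's store, which is why unexpected roots are the thing to audit. All CA names, the host name and the files are constructed.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.

# verdict STORE CERT -> prints "trusted" or "untrusted" for CERT checked against STORE.
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# new_root DIR NAME -> self-signed root CA (NAME.key, NAME.pem) in DIR.
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# sign_leaf DIR CA HOST -> certificate for HOST signed by CA, the way an
# intercepting proxy (or an AV product's HTTPS scanner) mints one per site.
sign_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# demo -> prints two verdicts for the same leaf: client store without the
# proxy's root, then with it appended.
demo() {
    d=$(mktemp -d) || return 1
    new_root "$d" public-root     # stands in for the client's stock trust store
    new_root "$d" proxy-root      # the interceptor's own root
    sign_leaf "$d" proxy-root bank.example
    cp "$d/public-root.pem" "$d/store.pem"
    before=$(verdict "$d/store.pem" "$d/bank.example.pem")
    cat "$d/proxy-root.pem" >> "$d/store.pem"    # root installed into the store
    after=$(verdict "$d/store.pem" "$d/bank.example.pem")
    rm -rf "$d"
    echo "$before $after"
}

demo   # prints: untrusted trusted
```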
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

  8. Gein

    Gein Registered Member

    What is an anti-virus going to detect in my https traffic that it won't be able to detect by scanning my local system?
     
  9. Victek

    Victek Registered Member

    Perhaps the issue is the AV must wait for whatever is downloading over SSL to actually be written to the local system before it can be scanned if scanning SSL traffic is not possible?
     
  10. itman

    itman Registered Member

    This is only an issue with security software that does protocol (HTTP and HTTPS) scanning of inbound web traffic at the network level or via local host proxy server. Only a handful of the AVs do this: Eset, Kaspersky, Bitdefender, and Avast that I am aware of. All others will scan only upon file download.
     
  11. khanyash

    khanyash Registered Member

    Bitdefender free only does HTTP scan & not HTTPS, right?
     
  12. itman

    itman Registered Member

    All BD free does is an HTTP link scan. It does not scan web page code such as javascript and the like.

    HTTP Scanning
    Protects you from scams such as credit card phishing attempts, Bitdefender Antivirus Free Edition scans all the links you access from your browser and blocks them when they prove to be unsafe.
     
  13. khanyash

    khanyash Registered Member

    Got it, thanxx.
     