How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your

Discussion in 'other anti-virus software' started by Gein, Apr 26, 2015.

  1. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I agree with article: just don't intercept https. Yes ESET has this disabled by default. Don't know about the others.
    About a year ago I've been testing Kaspersky. After a while I was checking my certificate store and found their certificate in Trusted Root CA. I suspected that they were using it for https interception, which this article confirmed.
     
  3. TJP

    TJP Registered Member

    Joined:
    May 6, 2006
    Posts:
    120
    Great link; thanks for the reading material Gein!
     
  4. chillstream

    chillstream Registered Member

    Joined:
    Aug 2, 2013
    Posts:
    49
    Location:
    Croatia
    Around 30% of web traffic today is https and it's rising still. And it's not only your trusted e-mail or banking websites that use it, even torrent websites now employ encryption, meaning that potentially malicious content can get on your PC even through an encrypted connection (and we're not talking only about files here, but suspicious scripts, exploits and other payloads too).
    So the vendors must either drop web scanning altogether or use an certificate to intercept this traffic.
    But I agree that (advanced) users should be offered an option to disable https scanning if they so wish.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Some of them also add extensions to browsers so they can intercept traffic right after it is decrypted by a browser.
     
  6. chillstream

    chillstream Registered Member

    Joined:
    Aug 2, 2013
    Posts:
    49
    Location:
    Croatia
    Yeah, but then they usually support only one or two most prominent web browsers, all the other lesser known browsers or forks are left unprotected.
    Not to mention that plugins are often, as is the case with Kaspersky and Firefox, several weeks behind new browser releases and they're always playing catch-up to the latest browser version, again leaving users with an disabled out-of-date plugin.
    I much prefer generic web scanning to the plugin approach.
     
  7. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    I've asked avast! team about it as well since they do HTTPS scanning as well. Will see what they have to say...
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    So basically the article suggests (please forgive me I'm not so savvy about these things) we should not use the web protection as it weakens the browser's own security?
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Article suggests you should use it for http only and not for https.
     
  10. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    Thanks, that much I had understood, I might revert to my old practice of no web protection...
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Quite interesting, I believe Glasswire is also doing this, at least according to another Wilders member.
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Uuuhm, don't you need to install a certificate in Kaspersky to be able to inspect https traffic? This is not installed by default. :confused:
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    If AV vendors think stream scanning is so important, then of course it should be enabled for secure connections as well. If AV vendors disable https interception by default, they admit that users are still protected without it. And if users are protected without https interception, then why insist on still intercepting http? Either scan all traffic or none, period. At least be consistent in your approach and reasons for it. I simply don't understand why some vendors strongly advise against disabling http scanning but on the other hand don't scan https. Either there is a risk in disabling stream scanning or there isn't.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I just installed it in my VM and it does install certificate in Trusted Root CA:

    upload_2015-4-27_16-6-42.png
     
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    If you don't use Safe Money, this is not an issue, right?
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Interesting... thanks!
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It's not related to Safe Money as I understand. It's about https traffic being scanned when using your browser. Kaspersky decrypts encrypted network traffic, scans it and then reencrypts it using their certificate. At least that's how I understand the situation. It's like MITM for your encrytped traffic.
     
  18. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I think they said the root certificate was installed by default.
     
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I was pretty sure that Safe Money used it but since I don't use Safe Money I could be mistaken. I know the certificate is installed by default but I am pretty sure they have been doing that for several years. I do not think they scan encrypted connections be default though. Hopefully someone that knows for sure will give us more info.
     
  20. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    I think the issue with adding the root certifictate at install, by default, would be that it could potentially use a less secure encryption method than the one used by the website you are trying to connect to.
     
  21. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I checked default installation and found out that encrypted connections are scanned upon request from some AV components:

    upload_2015-4-28_6-44-29.png

    When I navigated to google search site, site was identified by Kaspersky AV Personal Root CA and not google's own certificate:

    upload_2015-4-28_6-46-13.png

    So I guess that by default Kaspersky is scanning https connections.
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    how can you tell if your av is scanning encrypted connections?can't see any setting to whether Norton IS is or isn't or even an option to enable/disable scanning
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    You can go to https site and check if connection is using certificate from that site or AV's certificate as shown in previous post.
     
  24. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Norton doesn't intercept https.
     
  25. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Thanks, I was going to look for those settings and you just saved me some time.
    -Looking at your screenshot again, I just realized I have 38 Kaspersky certificates installed. I assume it must orphan 1 with every install. It would appear I have installed it 38 times over the life of this machine (I have done some beta testing).
     
    Last edited: Apr 28, 2015
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.