Kaspersky 2019

Discussion in 'other anti-virus software' started by hawki, May 25, 2018.

  1. Azure Phoenix

  2. Minimalist

  3. fax

    Maybe it depends on which browser? For example, with (b) in Edge you have this:

    [attached screenshot: Capture.JPG]
     
  4. Minimalist

    Yes, I noticed that in IE also. Similar to what was discussed on the malwaretips forum: Firefox (and Tor Browser) show the original certificate and IE shows Kaspersky's. And AFAICT network content is scanned in both situations.
     
  5. itman

    IE11 and Edge both use the Windows root CA store for certificate validation. Both Chrome and Firefox use their own internal root CA store for certificate validation. Suspect this has to do with why Kaspersky's root CA certificate is not being shown in Firefox.

    Kaspersky's SSL protocol scanning option, I believe, is contained within its GUI Network settings section. What you might want to check is whether Kaspersky is installing a kernel mode network adapter mini-port filter driver. This would show in Winobj as a kernel file filtering driver. Such a driver would allow Kaspersky to scan HTTPS traffic within the network stack itself prior to hitting the browser. Eset used to do the same but in recent versions switched to using the Windows Filtering Platform interface. Use of a network adapter mini-port filter driver is problematic for a number of reasons, notably if Microsoft implements internal changes to the TCP/IP protocol.
     
  6. Minimalist

    Hi @itman.
    I checked the FF certificate store and Kaspersky's certificate is installed.
    [attached screenshot: upload_2018-8-1_23-11-15.png]

    I also checked the detailed report and noticed that ffcert.exe was run when FF was launched for the first time, indicating that the certificate was imported. The same action was logged in previous versions of K also.

    Regarding the driver, I checked the drivers it installed and the closest to a network-related driver is the Packet Network Filter driver (klim6.sys), but I don't know if it's used for network traffic interception.

    Since something similar happened with Avast and Kaspersky, maybe browser updates caused this change. It would be nice if someone checked with other AV solutions that install their own certificate to intercept HTTPS, whether they get similar results.
     
  7. itman

    That's it, I believe. Open your network adapter connection properties. It should show there.
     
  8. itman

    I will state this in regards to AV vendors performing SSL protocol scanning. Each has variations on how it is done.

    Eset, for example, excludes most but not all web sites that have EV certificates associated with them. It also has an internal whitelist of trusted web sites that it excludes from scanning. Finally, Eset does not just scan browser-based HTTP/HTTPS traffic but other app traffic as well.

    As far as Firefox, Kaspersky, and the fact that wilderssecurity.com is not showing Kaspersky's root CA certificate, I would assume that indeed Kaspersky is not scanning HTTPS traffic on the site. One needs to go to other HTTPS sites in Firefox and see if this is happening on all HTTPS sites using Firefox. If this is the case, it would be proof that Firefox is somehow blocking Kaspersky's SSL protocol scanning. Best to post this fact on the Kaspersky web site forum for an explanation as to why this is happening.
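The checks suggested in posts 5 and 8 (is the vendor's CA in the Windows root store, is a packet filter bound to the adapters, and which issuer does each HTTPS site actually present), collected into one script. This is an added example, not posted by anyone in this thread; it assumes the vendor name appears in the CA subject and the binding's display name, and that the filter's component ID contains "klim". Run in an elevated PowerShell.

```powershell
# Added example (not from any post in this thread). Three checks for an
# AV that inspects HTTPS, run on the Windows machine it is installed on.
# Assumptions: the vendor name appears in the CA subject and in the adapter
# binding's display name, and the filter's component ID contains 'klim'.
param(
    [string[]]$Hosts = @('www.google.com', 'www.wilderssecurity.com'),
    [string]$Vendor  = 'Kaspersky'
)

# 1. Root stores: IE/Edge accept the proxy certificate only if its CA is trusted here.
Write-Host "== Root CA certificates whose subject contains '$Vendor' =="
Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$Vendor*" } |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 2. Adapter bindings: a packet filter (the thread names klim6.sys) is bound per adapter.
Write-Host "== Adapter bindings that look like the vendor's packet filter =="
Get-NetAdapterBinding |
    Where-Object { $_.DisplayName -like "*$Vendor*" -or $_.ComponentID -like '*klim*' } |
    Select-Object Name, DisplayName, ComponentID, Enabled | Format-Table -AutoSize

# 3. The certificate this machine is actually handed for each site. A re-signed
#    (intercepted) chain has the vendor's CA as issuer; the original does not.
function Get-PresentedCertificate {
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        # Accept any chain: the point is to see the issuer, not to validate it.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Host = $HostName; Issuer = $cert.Issuer; Thumbprint = $cert.Thumbprint }
    } finally { $tcp.Close() }
}

Write-Host "== Issuer of the certificate presented to this machine (Windows TLS stack) =="
foreach ($h in $Hosts) {
    $r = Get-PresentedCertificate -HostName $h
    $state = if ($r.Issuer -like "*$Vendor*") { 'proxy cert (intercepted)' } else { 'original cert' }
    '{0,-26} {1,-26} {2}' -f $r.Host, $state, $r.Issuer
}
```

Check 3 goes through the Windows TLS stack, so it reflects what IE, Edge and Chrome see; Firefox keeps its own NSS store, so for it compare the issuer shown in the page-info dialog against this output.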
     
  9. Minimalist

    Kaspersky also has an option to disregard sites with EV certificates, but it's not enabled by default and I didn't enable it.

    This is happening on all https sites. Downloading the EICAR test file through https is blocked at the network level. All components that require https interception (secure data input...) still work as before. So I guess that https scanning is still performed. Something just changed from the past, when their certificate was shown as the one authenticating websites.
    Similar is happening with Avast, so IMO it can't be a coincidence.
     
  10. itman

    Let's assume Avast is also using a network packet filter driver.

    What both may be employing is the dual-fork MITM technique. What happens is the incoming packet is suspended in transmission and in essence copied. Kaspersky would use its Windows root CA store certificate to inspect the copied packet. Once the inspection is completed, the suspended packet is released to the browser. As such, the incoming packet would retain all its original information.

    If this is going on, there should be a noticeable lag in the browser web page rendering. How noticeable would be dependent on PC processing characteristics. There are also major ethical and security issues with this approach, since the HTTPS interception is occurring totally outside of the browser environment.
     
    Last edited: Aug 2, 2018
  11. bjm_

    try https://www.google.com/
     
  12. Minimalist

    I don't have it installed ATM; if I had to guess, the result would be the same as on all other https sites.
     
  13. bjm_

    I took a few pics when I had Kaspersky Free 19.0.0.1088(b) on board.
    [attached screenshots: KF Cert 3.png, KF Cert 1.png]
    wilderssecurity.com and yahoo.com did not show the Kaspersky certificate.
    Chrome
    Edit: see #122
     
    Last edited: Aug 9, 2018
  14. Buddel

    Confirmed. google.com does show the Kaspersky certificate, whereas wilders.com and yahoo.com do not. Hm... if I remember correctly, the Kaspersky certificate was shown on ALL HTTPS sites with previous versions of KIS, but this is quite obviously not the case with the latest version of KIS 19.0.0.1088(b). I do hope this will be fixed soon.
     
  15. vtn54

    KIS 19.0.0.1088(b)
    [attached screenshots: Capture.PNG, Capture2.PNG]
     
  16. Minimalist

    @vtn54, is this in Internet Explorer? I noticed that in IE I got Kaspersky's certificate shown. In Firefox and Tor Browser I got certificate from specific website instead of Kaspersky's.
     
  17. __Nikopol

    Mine shows no "Kaspersky" on any website. I have disabled scanning of encrypted traffic because everyone says it will create security holes.

    And disabled the network attack blocker because it reduces the speed of my VPN by 20-25Mbps.
    BTW, does anyone know why only the VPN connection? My normal internet is not slower with it. (The VPN uses IKEv2 and therefore a WAN Miniport. Maybe that's why?)
     
  18. Minimalist

    Yes, that's expected. It's not expected behaviour if https scanning is enabled.
     
    Last edited: Aug 9, 2018
  19. Buddel

    Something must have changed not too long ago. Now the Kaspersky certificate is enabled on all https websites. Strange. Maybe KL fixed something. Anyway, it seems to work as expected now. :)
     
  20. bjm_

    Chrome n' Firefox .. too?
     
  21. Buddel

    I haven't tested Chrome (I don't use it), but it does work with Firefox.
     
  22. bjm_

    Okay... "Something must have changed not too long ago" (#119)... since, with Firefox, all https sites now render the Kaspersky proxy certificate with scan encrypted connections enabled. Thanks

    Edit: since I have three Firefox profiles, my Firefox observation re the Kaspersky certificate may be different.
    https://support.kaspersky.com/us/common/errors/14396
    Chrome is now showing Kaspersky certificate for google.com, wilderssecurity.com and yahoo.com
    Thanks
     
    Last edited: Aug 9, 2018
  23. vtn54

    Firefox

    [attached screenshots: Capture.PNG, Capture2.PNG]
     
  24. bjm_

    Now I'm seeing Let's Encrypt with wilderssecurity and askwoody.
    [attached screenshot: 3593.png]
    Edit: must be me, because Chrome sandboxed renders the Kaspersky Root Certificate.
    head scratch
     
    Last edited: Aug 14, 2018
  25. Buddel

    It's not just you. I tried wilderssecurity and askwoody a couple of hours ago and I saw the Kaspersky certificate. I tried again a couple of minutes ago, and now I also get this Let's Encrypt certificate (Firefox 61.0.2). Hm... strange, isn't it?
     