SSL Scanning - What's Up With That?

Discussion in 'other anti-virus software' started by hamlet, Jun 18, 2015.

  1. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    201
    I am giving up trying to keep up with the SSL scanning discussions in the ESET version 9 beta thread. My head is spinning after reading that and also after remembering that there were some problems with Kaspersky's implementation a few months ago. So, now I am wondering why vendors implement this capability if it causes so many potential problems. Do the overall benefits outweigh the potential problems? Are some vendors feeling pressure to keep up with the competition? Or, is this a case where the potential negative outcomes are rare and the problems are being blown out of proportion?

    Thanks for any ideas you can share.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Check out this thread: https://www.wilderssecurity.com/thre...r-ways-antivirus-software-lowers-your.375611/

    My take on this is the vendors are "doing a lesser of two evils" bit and feel the benefits outweigh the deficiencies in their methods. I don't agree. I have no issues with them scanning non-e-commerce and non-privacy-critical web sites such as medical providers and the like. The vendors' response to this is they leave these decisions for the user to implement, and many of the exclusion methods provided are burdensome and in some cases just plain don't work properly.

    Finally, the AV vendors should submit their products to an independent source such as Qualys to certify that their SSL scanning methods meet or exceed SSL processing standards that currently exist in the major browsers. If they fail the independent testing, AV vendors should not implement the feature.
     
  3. hamlet

    hamlet Registered Member

    Joined:
    May 10, 2005
    Posts:
    201
    If an average person is using a security product from a company such as ESET or Bitdefender, are they more or less secure with SSL scanning on or off? Is this like anything else in the security world in that it really depends on the user's behavior and the kinds of web sites they are visiting?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    There is a concept that almost all security experts, regardless of area covered, agree upon. Security properly implemented increases your protection. Security improperly implemented decreases your protection. Since all the current AV vendors' SSL protocol scanning features have been shown to have one or more flaws in them, I will say the current state is that SSL protocol scanning decreases your security; especially on web sites where you need the most protection.

    Again, I have no issue with decrypting general web site traffic. Just don't do it for financial or privacy sensitive web sites.
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,632
    Location:
    Toronto, Canada
    I'm very glad to see a discussion thread on this topic. There's a lot of good points made.

    One thing that I would like to add is that if any software is intercepting (MITM) SSL, I think that it is extremely important for that software (or individual users) to have proper Exclusion functionality with a list of domains (eg. Banking, Taxes, etc.) that are not to be intercepted under any circumstances.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Virtually all SSL unencrypting methods that exist today occur outside the browser; usually at the IP network level or by local host proxy. What that means is the software employed has to duplicate all the program logic that currently exists in the browsers to process encrypted transmissions. Rest assured it has taken the browser manufacturers many man hours of developmental and testing efforts to perfect that code. Also, since encryption is evolutionary, the code is constantly changing. As such, it is reasonable to assume that the AV vendors will always be "behind the eight ball" when it comes to keeping pace with these developments.

    The solution to this problem is that the browser manufacturers and the anti-malware developers need to work out a solution for secure accessibility of data for security inspection after the browser has unencrypted the data. This is far more difficult than it sounds; mainly for non-technical reasons. Google for one will probably not cooperate since they are the driving force behind encrypting everything that exists; including all the ads that exist on their served-up web pages. Nonetheless, until browser access, most likely by a secure API, is developed, the anti-malware industry should leave SSL encryption processing to the browser.

    Footnotes:

    1. It is also important to note where this whole SSL traffic filtering originated from. That is from commercial and government entities wanting to "monitor" the web traffic of employees and citizens.

    2. The whole concept of SSL processing integrity is constantly being challenged these days. It has reached the point where many "experts" are stating it is permanently broken. Maybe it is time to get rid of web encryption entirely and to publicly state that Internet e-commerce as it exists today is unsecure.

    3. The standalone version of Bitdefender's Safe Pay software currently is the only security solution that provides the best SSL encryption processing. The only reason being that Bitdefender developed its own standalone Chromium-based browser. However, it has been criticized for not keeping up with the latest overall security changes in the manufacturer-based browser it is built on. A classic example of the issues faced by security software developers keeping pace with mainstream browser development.
     
    Last edited: Jun 19, 2015
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Here is a list of "potentially affected software" from this site blog:

    https://www.cert.org/blogs/certcc/post.cfm?EntryID=221

    1. A10 vThunder
    2. Arbor Networks Pravail
    3. Barracuda Web Filter
    4. BASCOM School Web Filter
    5. Bloxx Web Filter
    6. Blue Coat SSL Visibility Appliance
    7. Check Point Data Loss Prevention (DLP), Anti Virus, Anti-Bot, Application Control, URL Filtering, Threat Emulation and IPS.
    8. Cisco ScanCenter
    9. Citrix NetScaler AppFirewall
    10. Clearswift SECURE Web Gateway
    11. ContentKeeper
    12. Cymphonix Internet Management Suite
    13. Dell SonicWALL
    14. EdgeWave iPrism Web Security
    15. ESET Smart Security
    16. F5 BIG-IP
    17. Fortinet FortiGate
    18. Fidelis Security XPS
    19. Finjan Vital Security (pdf)
    20. GFI WebMonitor
    21. GigaMon GigaSmart
    22. IBM Security Network Protection
    23. iboss Web Security
    24. iSHERIFF Cloud Security
    25. Juniper IDP devices
    26. Kaspersky Anti-Virus
    27. Komodia SSL Decoder
    28. M86 Secure Web Gateway (pdf)
    29. McAfee Web Gateway and Firewall Enterprise (pdf)
    30. Microsoft Forefront TMG
    31. NetNanny
    32. NextGig Netronome
    33. Optenet WebFilter (pdf)
    34. Palo Alto PAN-OS
    35. Panda Cloud Internet Protection
    36. PrivDog
    37. Radware AppXcel
    38. SafeNet eSafe Web Security Gateway
    39. Sangfor IAM (pdf)
    40. Smoothwall Secure Web Gateway
    41. Sophos Cyberoam
    42. Sourcefire SSL Appliance
    43. Squid
    44. Symantec Web Gateway
    45. Thomason Technologies Next Gen IPS
    46. Trend Micro Deep Security (pdf)
    47. Trustwave WebMarshal, Secure Web Gateway
    48. Untangle NG Firewall
    49. Venafi TrustAuthority
    50. VSS Monitoring vInspector (pdf)
    51. WatchGuard HTTPS Proxy
    52. Wavecrest CyBlock
    53. WebSense Content Gateway
    54. WebTitan
    55. Qbik WinGate
    56. WolfSSL SSL Inspection
    57. Zscaler
    58. ZyXel Firewall
    There may be others and it would be good if people could add them to the list.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Avast, Adguard, BitDefender Internet Security, McAfee Web Gateway, Webroot Web Security Service
     
    Last edited: Jun 19, 2015
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Actually, the following quote from the EFF, Electronic Frontier Foundation, words things much more strongly than I did:

    But the most important lesson is for software vendors, who should learn that attempting to intercept their customers’ encrypted HTTPS traffic will only put their customers’ security at risk. Certificate validation is a very complicated and tricky process which has taken decades of careful engineering work by browser developers. Taking certificate validation outside of the browser and attempting to design any piece of cryptographic software from scratch without painstaking security audits is a recipe for disaster.

    Ref: https://www.eff.org/deeplinks/2015/...top-trying-intercept-your-customers-encrypted
     
  10. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Why add Webroot and its WIN Cloud? See here: https://www.wilderssecurity.com/thre...ion-update-thread.364655/page-58#post-2500573
    Also, Web Browsers are protected via its Identity Shield if it's listed, and if not listed you can add your Browser via the Add button: http://www.webroot.com/En_US/SecureAnywhere/PC/WSA_PC_Help.htm#C6_IDProtection/CH6a_ManagingID.htm

    TH
     
    Last edited: Jun 20, 2015
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    From Steve Gibson's 'Fingerprints' web page:

    Once SSL Interception is occurring, the page CONTENT being delivered over SSL can no longer be absolutely trusted. Since the pages are already being decrypted and scanned for content, nothing prevents them from also being altered. What that means is, though it is incredibly unlikely, an SSL-intercepting Proxy Appliance could theoretically alter THIS page on the fly, before your web browser receives it. Such an alteration could replace the authentic fingerprints the GRC server has received and forwarded to your web browser with fraudulent fingerprints for the sites being tested. (But there's a solution to that as well.)

    ref: https://www.grc.com/fingerprints.htm
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Full Content Inspection including Support for SSL/HTTPS

    Today, up to 35% of enterprise traffic is secured using the Secure Sockets Layer (SSL) protocol. With the rise in use of Hypertext Transfer Protocol Secure (HTTPS) and with applications, such as Gmail and Facebook, and search engines enabling SSL by default, most enterprises should expect increases in SSL traffic. Cybercriminals know this, and they have begun to use SSL to hide their attacks. Now that malware frequently appears on legitimate websites, Webroot scans encrypted SSL and HTTPS web traffic. This helps protect users from malware hiding in secure traffic, and this permits network administrators to set policies to stop the exfiltration of MS Office documents through encrypted traffic.

    ref.: http://www.webroot.com/us/en/compan...st-secureanywhere-web-security-service-update
     
  13. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Well, that sounds positive for the Webroot WIN Cloud IMO, don't you think?

    Thanks,

    TH

     
  14. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Yes, but how does Webroot do it? They may not be doing the MITM type scanning that is a concern. I checked the Firefox certificate store and couldn't find one from Webroot.
     
  15. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I'm still waiting for a reply from my Webroot Contacts and it's the weekend, so most likely on Monday! As I said, the Web Filter Extension as well as us Beta Testers are using a Web Filter Driver, so we will wait to see what they say.

    Thanks,

    TH
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    I thought Webroot URL scanning dings performance and users are turning it off. Is URL scan the same as SSL scan? Does URL scan include 'certificate' and content?

    Thanks hamlet et al. Need to know info.
     
    Last edited: Jun 20, 2015
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Probably using this or something similar: https://www.roe.ch/SSLsplit . It's still a MITM.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Another way the client root CA can be bypassed:

    Using a custom certificate
    In this method, a custom certificate is first signed by a recognized third-party CA and then installed on the FortiGate. This results in a chain of trust that does not exist when the FortiGate’s default certificate is used. This example allows network users to trust the FortiGate as a CA in its own right. Once the FortiGate is trusted, your users will no longer see certificate errors.

    ref: http://cookbook.fortinet.com/preventing-certificate-warnings/
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,767
    Location:
    Outer space
    "For HTTP and HTTPS connections, SSLsplit removes response headers for HPKP in order to prevent public key pinning"
    HPKP is still supported with WSA, so it isn't SSLsplit, and I also don't notice any changes on SSL Labs client test with WSA. I was under the impression older WSA versions scanned HTTP traffic and newer use a browser extension for scanning pages.
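    The two tell-tale signs raised above, a leaf certificate whose fingerprint or issuer no longer matches what the real server sends (post 11, the GRC fingerprints page) and a Public-Key-Pins header that has gone missing on a site known to send one (post 19, the SSLsplit note), can be checked from the client side. The script below is an added example written for this thread, not code from GRC, SSLsplit, Webroot or any other vendor. It assumes you obtained the site's expected SHA-256 fingerprint and issuing-CA organization name out of band (for instance from a network you trust), and that you only treat a missing HPKP header as a finding when you already know the site sends one.

```python
"""Client-side checks for signs of TLS (SSL) interception.

Illustrative example added to the thread; not any vendor's code.
Assumed inputs: an expected leaf-certificate SHA-256 fingerprint and
issuer organization obtained out of band, plus (optionally) the HTTP
response headers and whether the site is known to send HPKP.
"""
import hashlib
import socket
import ssl


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER certificate,
    the same form browsers and the GRC fingerprints page display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def issuer_fields(cert_dict: dict) -> dict:
    """Flatten the nested 'issuer' tuple of ssl.SSLSocket.getpeercert()
    into a plain dict such as {'organizationName': 'Example CA', ...}."""
    fields = {}
    for rdn in cert_dict.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def interception_findings(cert_dict, der_bytes, expected_fp, expected_issuer_org,
                          headers=None, expects_hpkp=False):
    """Return a list of human-readable findings; an empty list means the
    observed certificate (and headers, if given) match what was expected."""
    findings = []

    # 1. A decrypting proxy must substitute its own leaf certificate, so the
    #    fingerprint the client sees differs from the real server's.
    observed_fp = fingerprint_sha256(der_bytes)
    if observed_fp != expected_fp.upper():
        findings.append(f"fingerprint mismatch: saw {observed_fp}")

    # 2. The substituted leaf is signed by the proxy's (local) CA, not the
    #    public CA that issued the real certificate.
    issuer = issuer_fields(cert_dict)
    org = issuer.get("organizationName")
    if org != expected_issuer_org:
        findings.append(f"unexpected issuer organization: {org!r}")

    # 3. Some interception tools strip Public-Key-Pins so the browser never
    #    learns a pin it would later reject the proxy's certificate against.
    #    Only meaningful when the site is known to send the header.
    if expects_hpkp and headers is not None:
        names = {name.lower() for name in headers}
        if "public-key-pins" not in names:
            findings.append("Public-Key-Pins header absent on a site known to pin")

    return findings


def fetch_leaf(host: str, port: int = 443):
    """Connect with the system trust store and return (parsed cert, DER bytes)
    for the leaf certificate actually presented to this client."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python tls_intercept_check.py HOST EXPECTED_SHA256 EXPECTED_ISSUER_ORG
    import sys
    host, expected_fp, expected_org = sys.argv[1:4]
    cert_dict, der = fetch_leaf(host)
    report = interception_findings(cert_dict, der, expected_fp, expected_org)
    print("no interception indicators" if not report else "\n".join(report))
```

Run it once from a network you trust to record the fingerprint and issuer, then again on the machine with the AV or gateway in question: a product doing MITM-style scanning shows up as a changed fingerprint and a local issuer, which is exactly the check Victek did by hand when he looked for a vendor root in the Firefox certificate store.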
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    To keep things in perspective, the link I posted on Webroot was for their business/commercial version. I have no clue if the retail version does SSL protocol scanning.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Another, albeit a bit scholarly, ref. to the dangers of SSL protocol scanning outside the browser: https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
     
    Last edited by a moderator: Jun 21, 2015
  22. tolstoshev

    tolstoshev Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    18
    Location:
    United States
    So WSS, which is our full proxy service, does have the option to turn on SSL inspection now. It's not enabled by default though, thus you do have to enable it. And as people have mentioned, this means that we are acting as a man in the middle for the purposes of security certificates, which is why you have to decide to turn it on and import the certificates needed.
     
  23. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    2,283
    er' what
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    Do I understand correctly that this is a separate service that's not present in Webroot SecureAnywhere?

    http://www.webroot.com/us/en/business/products/web-security/
     
  25. tolstoshev

    tolstoshev Registered Member

    Joined:
    Mar 26, 2014
    Posts:
    18
    Location:
    United States