opr Posted April 29, 2015

How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security

Lately a lot of attention has been paid to software like Superfish and Privdog that intercepts TLS connections to be able to manipulate HTTPS traffic. These programs had severe (technically different) vulnerabilities that allowed attacks on HTTPS connections.

What these tools do is a widespread method. They install a root certificate into the user's browser and then they perform a so-called Man in the Middle attack. They present the user a certificate generated on the fly and manage the connection to HTTPS servers themselves. Superfish and Privdog did this in an obviously wrong way, Superfish by using the same root certificate on all installations and Privdog by just accepting every invalid certificate from web pages. What about other software that also does MitM interception of HTTPS traffic?

Antivirus software intercepts your HTTPS traffic

Many Antivirus applications and other security products use similar techniques to intercept HTTPS traffic. I had a closer look at three of them: Avast, Kaspersky and ESET. Avast enables TLS interception by default. By default Kaspersky intercepts connections to certain web pages (e. g. banking); there is an option to enable interception by default. In ESET TLS interception is generally disabled by default and can be enabled with an option.

When a security product intercepts HTTPS traffic it is itself responsible to create a TLS connection and check the certificate of a web page. It has to do what otherwise a browser would do. There has been a lot of debate and progress in the way TLS is done in the past years. A number of vulnerabilities in TLS (among them BEAST, CRIME, Lucky Thirteen, FREAK and others) allowed us to learn much more about how to do TLS in a secure way. Also, problems with certificate authorities that issued malicious certificates (Diginotar, Comodo, Türktrust and others) led to the development of mitigation technologies like HTTP Public Key Pinning (HPKP) and Certificate Transparency to strengthen the security of Certificate Authorities. Modern browsers protect users much better from various threats than browsers used several years ago.

You may think: "Of course security products like Antivirus applications are fully aware of these developments and do TLS and certificate validation in the best way possible. After all security is their business, so they have to get it right." Unfortunately that's only what's happening in some fantasy IT security world that only exists in the minds of people that listened to industry PR too much. The real world is a bit different: All Antivirus applications I checked lower the security of TLS connections in one way or another.

[...]

Kaspersky vulnerable to FREAK and CRIME

Having a look at Kaspersky, I saw that it is vulnerable to the FREAK attack, a vulnerability in several TLS libraries that was found recently. Even worse: It seems this issue has been reported publicly in the Kaspersky Forums more than a month ago and it is not fixed yet. Please remember: Kaspersky enables the HTTPS interception by default for sites it considers as especially sensitive, for example banking web pages. Doing that with a known security issue is extremely irresponsible.

[...]

Everyone gets HTTPS interception wrong - just don't do it

So what do we make out of this? A lot of software products intercept HTTPS traffic (antiviruses, adware, youth protection filters, ...), many of them promise more security and everyone gets it wrong.

I think these technologies are a misguided approach. The problem is not that they make mistakes in implementing these technologies, I think the idea is wrong from the start. Man in the Middle used to be a description of an attack technique. It seems strange that it turned into something people consider a legitimate security technology. Filtering should happen on the endpoint or not at all. Browsers do a lot these days to make your HTTPS connections more secure. Please don't mess with that.

I question the value of Antivirus software in a very general sense, I think it's an approach that has very fundamental problems in itself and often causes more harm than good. But at the very least they should try not to harm other working security mechanisms.

Read the full article at: https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html
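The quoted article names HTTP Public Key Pinning (HPKP) as one of the browser-side mitigations that an interception product replaces with its own, weaker validation. The following Python script is an added example, not code from the article, the forum thread, or any of the products discussed: it implements the RFC 7469 pin check (parse the Public-Key-Pins header, compute pin-sha256 values over the SubjectPublicKeyInfo, require a matching pin plus a backup pin before storing, then test a chain against the stored pins). The "SPKI" byte strings are constructed placeholders rather than real DER-encoded keys, and the two chains are constructed to model a genuine bank chain versus a chain minted on the fly by an interception product under its own locally installed root.

```python
# Added example: HPKP-style public key pin checking in RFC 7469 terms.
# Every "SPKI" below is a constructed placeholder byte string, not a real
# DER-encoded SubjectPublicKeyInfo; the pin arithmetic is the real thing.
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header into its pins and directives."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def chain_matches_pins(chain_spki_der, pins) -> bool:
    """RFC 7469 s2.6: the chain passes if any SPKI in it matches any pin."""
    chain_pins = {spki_pin(s) for s in chain_spki_der}
    return any(p in chain_pins for p in pins)


def accept_pkp_header(value: str, chain_spki_der):
    """Return the pin set to store, or None if the header must be ignored.

    RFC 7469 s2.5 requires at least one pin that matches the validated chain
    and at least one backup pin that does not; a header without max-age is
    ignored as well. Storing a header that fails these rules could lock the
    user out of the site, so a client must refuse it.
    """
    parsed = parse_pkp_header(value)
    chain_pins = {spki_pin(s) for s in chain_spki_der}
    has_match = any(p in chain_pins for p in parsed["pins"])
    has_backup = any(p not in chain_pins for p in parsed["pins"])
    if parsed["max_age"] is None or not (has_match and has_backup):
        return None
    return parsed["pins"]


# --- constructed sample data (placeholders, not real keys) ---
# Chain the bank's real server presents: leaf, intermediate, public root.
GENUINE_CHAIN = [b"sample-bank-leaf-spki", b"sample-bank-intermediate-spki",
                 b"sample-public-root-spki"]
# Chain an interception product presents: a leaf it generated on the fly,
# signed by its own locally installed root. None of the bank's keys appear.
INTERCEPTED_CHAIN = [b"sample-av-generated-leaf-spki", b"sample-av-local-root-spki"]
# Header the bank would send: pin on its intermediate plus an offline backup key.
PKP_HEADER = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (spki_pin(GENUINE_CHAIN[1]), spki_pin(b"sample-bank-backup-spki")))


def demo() -> dict:
    """Learn pins from the genuine connection, then check both chains."""
    stored = accept_pkp_header(PKP_HEADER, GENUINE_CHAIN)
    return {
        "pins_stored": stored is not None,
        "genuine_ok": chain_matches_pins(GENUINE_CHAIN, stored),
        "intercepted_ok": chain_matches_pins(INTERCEPTED_CHAIN, stored),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the genuine chain passing and the intercepted chain failing, which is the protection a browser gives against a mis-issued public CA certificate. One caveat worth knowing: browsers such as Chrome deliberately do not enforce pins for chains that terminate in a locally installed (private) trust anchor, precisely so that products like the ones in the article keep working. Once an interception root is in the user's store, the pin check no longer stands between the user and the product's own certificate validation, which is the article's point.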
knowledge-Spammer Posted April 29, 2015

Let's see what people think about this?
opr (Author) Posted April 29, 2015

The popular Adguard also uses this man-in-the-middle attack method to install its root certificate in our browser without any warning.
knowledge-Spammer Posted April 29, 2015

> The popular Adguard also uses this man-in-the-middle attack method to install its root certificate in our browser without any warning.

I see
nIGHT Posted April 30, 2015

These AVs that are supposed to protect us will be the ones responsible for exposing us, since they've been using the same certificate in their interception. :think:
opr (Author) Posted May 19, 2015

Hanno, the article author, warns about Adguard in the comments:

> I checked my certificate manager, shocked to see root CA certificate installed by my anti-ads software - Adguard! It looks to be working as what you wrote, a MITM attack software to block ads but there was no warning or asking me for permission during the install. Much thanks if you can do a quick analysis to see how good or bad it works.
> #1.1.2 fsecon on 2015-04-29 21:49

> Had a look at it. It's bad. It's bad in a very interesting and creative way. If you have adguard installed: Remove it together with its cert immediately. It's a huge security risk. I'll post details later.
> #1.1.2.1 Hanno (Homepage) on 2015-04-30 21:33