Google, Mozilla to Anti-Virus and Security Firms: “Stop Trashing HTTPS”

Megalith

Another strike against anti-virus? Sounds like it. We’ve got a study here that paints security software in a bad light, accusing them of "undermining HTTPS connections and exposing browser users to decryption attacks.” If I’m understanding this right, anti-virus software is installing root certificates that allow them to read encrypted traffic—as you could imagine, this is sort of detrimental to the whole point of HTTPS.

The researchers urge antivirus vendors to stop intercepting HTTPS altogether, since the products already have access to the local filesystem, browser memory, and content loaded over HTTPS. Additionally, they charge all security companies with acting "negligently". "Many of the vulnerabilities we find in antivirus products and corporate middleboxes, such as failing to validate certificates and advertising broken ciphers, are negligent and another data point in a worrying trend of security products worsening security rather than improving it," they write. The study is likely to give ammunition to Chrome and Firefox developers who've criticized antivirus firms for undermining browser security features and introducing more security risks to users. Google's Project Zero, for example, recently found a bug in Kaspersky's TLS inspection that resulted in browsers not flagging an error if a user connected to the wrong site.
 
What really burns me is that I have to have 3 browsers installed in order to make sure that I have at least one browser that will work with a web page.

Some don't work/render properly in IE
Some don't work/render properly in Chrome
Some don't work/render properly in FireFox

And to top it off, Edge is worse than all 3 above.
 
A new twist on Privacy vs. Security.

Although in this case Security = Privacy most of the time anyway.

HTTPS doesn't block grandma from downloading the latest Crypto-malware. Anti-Virus does. I guess it depends on your priorities.

The HTTPS push always puzzled me. More could be used. But for pulling crap off an open website, the government has your page request via your ISP. They can pull down the page to monitor what you're looking at anyway. HTTPS is not much of a poor man's VPN. If anything the HTTPS request probably adds to your browser's unique footprint and trackability.

I guess from Google's perspective, they don't want any competition in data mining you. By having your browser the value of your surfing goes up if they can keep the riff-raff from offering the same info.
 
A new twist on Privacy vs. Security.

the government has your page request via your ISP. They can pull down the page to monitor what you're looking at anyway. HTTPS is not much of a poor man's VPN. If anything the HTTPS request probably adds to your browser's unique footprint and trackability.

Yes https is useless because I want everyone to know all my account numbers, social security, security questions, and to be searched without a warrant. /sarcasm

Nothing personal, but this is quite possibly the weakest argument I've heard all year.
 
Interesting, I didn't even realize this was a thing.

I spend most of my time in Linux, but my games OS is Win 10, and there I have Avira installed, but oddly enough I don't see Avira on that list.
 
Interesting, I didn't even realize this was a thing.

This really is a pretty common thing in corporations. The domain admin will install a certificate in the Windows ROOT store so that they can snoop on the traffic coming in and out of the organization. They do this in order to try to do web content filtering, among other things.

You can see this if you visit an SSL site in a browser and then inspect the SSL certificate. Google will sometimes show WebSense as the creator of the certificate for me at work. They are essentially man in the middling the traffic.

Google -> Google SSL Cert -> Middle Ware Dumb Box -> Middle Ware Dumb Box SSL -> Your Browser

Sad!

Hope this makes sense.
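The chain described above (Google's real certificate replaced by one the middlebox mints, signed by a root that was pushed into the Windows Root store) can be seen without a browser. The following PowerShell is an added example, not code from the thread or from any vendor mentioned in it: it opens a TLS connection the way a Windows client does, prints what was negotiated, and lists the chain Windows builds for the certificate it received. On an intercepted network the top of that chain is the proxy's root rather than a public CA. It assumes outbound TCP to the target port is allowed; the host and port are parameters of this example.

```powershell
# Added example, not from the thread or from any vendor it mentions.
# Shows the certificate chain a Windows client really receives for a host.
# Assumes outbound TCP to the target port is allowed.
param(
    [string]$TargetHost = 'www.google.com',
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    # Uses Windows' normal validation: this throws if the presented chain is
    # untrusted, which is itself a finding (a misconfigured interception box).
    $ssl.AuthenticateAsClient($TargetHost)

    # A middlebox negotiates its own protocol and cipher with you, not the
    # origin's, so weak values here point at the box rather than the site.
    "Negotiated: {0} / {1} {2}-bit" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength

    # Build the chain from the leaf using the local trust stores, i.e. the
    # same stores a locally installed interception root would live in.
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)

    # ChainElements is ordered leaf -> root; depth 0 is the server certificate.
    $chain.ChainElements | ForEach-Object -Begin { $i = 0 } -Process {
        [PSCustomObject]@{
            Depth      = $i++
            Subject    = $_.Certificate.Subject
            Issuer     = $_.Certificate.Issuer
            Thumbprint = $_.Certificate.Thumbprint
            NotAfter   = $_.Certificate.NotAfter
        }
    } | Format-Table -AutoSize
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

Compare the last row (the root) with what the same host shows from a network you control: if the issuer names differ, or the root's thumbprint does not match a public CA, the traffic is being re-signed on the way to you. Revocation checking is turned off only so the chain always prints; it is not a setting to carry into production code.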
 
I work in enterprise content security. Most enterprises now do MitM or SSL/HTTPS (I hate that they say SSL when almost everyone has moved to TLS) intercept to be able to not only prevent malicious code from coming in but also use DLP to prevent confidential/private/personal/priority data from going out. That requires decrypting that traffic. Sadly, companies who develop home anti-virus/anti-malware applications do not keep up as well as the enterprise versions. I hate to say it, almost all home anti-virus/malware sucks. Even enterprise AV is usually playing cat and mouse. I've implemented enterprise application/process security for my home because of it.
 
This really is a pretty common thing in corporations. The domain admin will install a certificate in the Windows ROOT store so that they can snoop on the traffic coming in and out of the organization. They do this in order to try to do web content filtering, among other things.

You can see this if you visit an SSL site in a browser and then inspect the SSL certificate. Google will sometimes show WebSense as the creator of the certificate for me at work. They are essentially man in the middling the traffic.

Google -> Google SSL Cert -> Middle Ware Dumb Box -> Middle Ware Dumb Box SSL -> Your Browser

Sad!

Hope this makes sense.


Yeah, I knew corporate users do this. I usually try to work around it by doing any non-work browsing in a Linux VM with a VPN on port 443 pointing to my home server. I'm not doing anything I'm not supposed to, but I also don't need IT snooping on me.
 
Yes https is useless because I want everyone to know all my account numbers, social security, security questions, and to be searched without a warrant. /sarcasm

Nothing personal, but this is quite possibly the weakest argument I've heard all year.
Because I said never use HTTPS? Do a lot of banking on hardforum? Get a fucking real counter argument.

If you're reading a wiki or something meant to be public, there is no need. Yet Google and others punish sites for not doing it now. It's a crock. Doing it costs time/effort. How high can we make the investment on a website until we cleanse the non-advertisers off the web?
 
Because I said never use HTTPS? Do a lot of banking on hardforum? Get a fucking real counter argument.

If you're reading a wiki or something meant to be public, there is no need. Yet Google and others punish sites for not doing it now. It's a crock. Doing it costs time/effort. How high can we make the investment on a website until we cleanse the non-advertisers off the web?

There is a need, because on a wiki you can still log into your account.
 
Because I said never use HTTPS? Do a lot of banking on hardforum? Get a fucking real counter argument.

If you're reading a wiki or something meant to be public, there is no need. Yet Google and others punish sites for not doing it now. It's a crock. Doing it costs time/effort. How high can we make the investment on a website until we cleanse the non-advertisers off the web?

It's certainly not as important as it is with - say - banking, but it is not useless. I'd rather my username and password weren't compromised. Would it be the end of the world? No. (Well, probably a little bit more now that I'm posting news and have write access to more places.) But in the grand scheme of things, I can probably recover my account or create another. It would just be unfortunate, and a pain.

That, and I don't necessarily want people snooping in my packets and tying the "real me" to my forum posts. I don't necessarily post anything I'd be embarrassed about, but I also don't want to have to actively think about what I'm posting just in case it has some sort of impact on professional relationships or anything like that.

https is good. If it were up to me it would be used on everything, no matter how trivial.
 
Yeah, I knew corporate users do this. I usually try to work around it by doing any non-work browsing in a Linux VM with a VPN on port 443 pointing to my home server. I'm not doing anything I'm not supposed to, but I also don't need IT snooping on me.

I use an SSH tunnel set up with dynamic proxy with Firefox ;)

Sometimes we cannot get to legitimate programming websites. The tunnel turns out to be a lot faster. I sometimes turn it on to upload/download large files.
 
Hard to believe that there is an argument against using HTTPS. Maybe it is a pain for admins? Well, too bad because if you want me to log in to your site, then you'd better use it.
 
Um... properly encrypted, can't they only track the web domain you visit, not the specific web page you view?

Anyways, make your own Certificate Authority. I do for my VPN so I can use "free" wifi on my phone without worrying about MitM attacks.

The main issue is WHO DECIDES WHICH CERTIFICATES ARE TRUSTWORTHY.

Most people are oblivious to HTTPS/TLS, never mind keeping track of which certificates their OS and browser think are secure.
 
The main issue is WHO DECIDES WHICH CERTIFICATES ARE TRUSTWORTHY.
Speaking of certificates, Google, Mozilla and trust.... if any of you are using Wosign or StartCom for SSL certs (like my company was until last week when I discovered that a cert was no longer working in FF 51+), they've been shitcanned by Mozilla and Google in the latest versions of the browsers due to multiple reasons described in the below links.
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
We switched to Thawte.
 
Is there a site that can help users check for known 'bad' certs on their systems, like a running database type thing?
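One check a user can run locally rather than relying on a website: compare the roots the machine actually trusts against the list Microsoft publishes, since anything outside that list was put there by something on the machine (an AV product, a corporate proxy, developer tooling, or worse). The PowerShell below is an added example, not code from the thread or from any vendor it mentions. It assumes a Windows host with certutil.exe (shipped with Windows), access to Windows Update to fetch the reference list, and an elevated prompt.

```powershell
# Added example, not from the thread or from any vendor it mentions.
# Audits the Windows Root stores for CA certificates that are not on
# Microsoft's published trusted-root list. Assumes certutil.exe, reachability
# to Windows Update, and an elevated prompt.

$sstPath = Join-Path $env:TEMP 'authroots.sst'

# Download Microsoft's current trusted-root list as a serialized store (.sst).
certutil.exe -generateSSTFromWU $sstPath | Out-Null
if (-not (Test-Path $sstPath)) { throw "certutil did not produce $sstPath" }

# Load the reference list and index it by SHA-1 thumbprint for lookup.
$reference = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$reference.Import($sstPath)
$trusted = @{}
foreach ($cert in $reference) { $trusted[$cert.Thumbprint] = $true }

# Both the machine-wide and the per-user Root stores grant trust to the
# browsers and tools that use the Windows store, so audit both.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$unexpected = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { -not $trusted.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            [PSCustomObject]@{
                Store         = $store
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root whose private key lives on this machine can mint a
                # certificate for any site: the signature of local TLS interception.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($unexpected) {
    $unexpected | Sort-Object HasPrivateKey -Descending | Format-Table -AutoSize
} else {
    'No roots outside the Microsoft reference list were found.'
}
```

Treat the output as a list to review, not to delete blindly: a few roots that Windows itself ships with can show up, and a corporate root on a managed machine is expected. The rows with HasPrivateKey set to True are the ones that matter for this thread's topic, because a private key on the box is what lets software re-sign every site you visit. Sysinternals sigcheck performs the same comparison with `sigcheck -tv` if you prefer a single binary.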
 
Do root certs still intercept traffic when you are outside the company's domain? I don't want them to see my banking or retirement plans. That is nobody's business in IT.
 
Unless there is an actual agent installed on your machine, not likely. In enterprise environments it is pretty common to SSL intercept whole classifications of web traffic either on an edge firewall or proxy. Sometimes companies will let specific web content categories go unintercepted, such as finance/banking, or they'll just do everything. Depends how paranoid of an environment you work in, how much protection you want, and also what the hardware you have is capable of. An easy way to shave down the number of transactions is to just let certain web categories bypass your SSL decryption policy, but their HTTP counterparts will still hit basic URL filtering for malware/porn/etc.
 
Do root certs still intercept traffic when you are outside the company's domain? I don't want them to see my banking or retirement plans. That is nobody's business in IT.
Then don't do your banking at work... sorry to sound like a dick, but if you're doing stuff on company time and using company resources to do non-company stuff then you are basically giving out your data to them and it is going to be snooped on.
Anyway, I doubt many companies actually intentionally snoop on their employees. Most traffic data isn't held for lengthy periods of time. Most of the traffic goes unnoticed until or unless red flags go off on some automated system and what you're doing is flagged as suspicious.
 
Interesting, I didn't even realize this was a thing.

I spend most of my time in Linux, but my games OS is Win 10, and there I have Avira installed, but oddly enough I don't see Avira on that list.

They talk about Avira in the PDF... the whole read is visually tricky, they wrote the below part in very small font size, so if you are speed reading or just glancing through the file you'll miss it... after reading the PDF the whole thing seems one-sided and targeted for some corporate political "let's start a pissing match"... I found it odd that they didn't test anything from Emsisoft.

We tested and found that the following products did not intercept TLS connections: 360 Total, Ahnlabs V3 Internet Security, Avira AV 2016, Comodo Internet Security, F-Secure Safe, K7 Total Security, Malwarebytes, McAfee Internet Security, Microsoft Windows Defender, Norton Security, Panda Internet Security 2016, Security Symantec Endpoint Protection, Tencent PC Manager, Trend Micro Maximum Security 10, and Webroot SecureAnywhere.


Pdf = https://zakird.com/papers/https_interception.pdf
 
Then don't do your banking at work... sorry to sound like a dick, but if you're doing stuff on company time and using company resources to do non-company stuff then you are basically giving out your data to them and it is going to be snooped on.
Anyway, I doubt many companies actually intentionally snoop on their employees. Most traffic data isn't held for lengthy periods of time. Most of the traffic goes unnoticed until or unless red flags go off on some automated system and what you're doing is flagged as suspicious.

I said "outside the company's domain", like at home...
 
Um... properly encrypted, can't they only track the web domain you visit, not the specific web page you view?

Anyways, make your own Certificate Authority. I do for my VPN so I can use "free" wifi on my phone without worrying about MitM attacks.

The main issue is WHO DECIDES WHICH CERTIFICATES ARE TRUSTWORTHY.

Most people are oblivious to HTTPS/TLS, never mind keeping track of which certificates their OS and browser think are secure.

Exactly.

So, you want to browse a company's vanity website with no downloads or other crap in there?

WARNING! WARNING! DANGER WILL ROBINSON! DANGER! DANGER!

Want to browse a site using self-signed certs?

WARNING! WARNING! DANGER WILL ROBINSON! DANGER! DANGER!

Waiting to see how long before they decide "Let's Encrypt" certs are worthy of some Lost In Space Robot.
 
Um... properly encrypted, can't they only track the web domain you visit, not the specific web page you view?

Anyways, make your own Certificate Authority. I do for my VPN so I can use "free" wifi on my phone without worrying about MitM attacks.

The main issue is WHO DECIDES WHICH CERTIFICATES ARE TRUSTWORTHY.

Most people are oblivious to HTTPS/TLS, never mind keeping track of which certificates their OS and browser think are secure.


Try Qualys to check a web site's certificates. I haven't used their free site,

https://www.qualys.com/

but the part of Qualys I have access to does a quite exhaustive scan with root checking, encryption, cipher and some of the common exploits. DHS uses them.
 