amirr

Level 7


I was talking with a friend and he said:

"uBO serves me well and is free, so I intend to keep it for the time being.
However, your screenshot prompted the following comment from me:


Actually, I’d advise against using HTTPS filtering in any software, be it an antivirus solution (I disabled it in KIS) or in this case a content blocker.

I don’t remember if we discussed it already, but the main problem is: certificate obscuring.

You see, when such a system intercepts HTTPS connections, it basically receives the connection instead of the actual client (e.g. your browser), decrypts it, analyzes it (and filters it if need be), and re-encrypts it with its own self-signed certificate that it injects in the Windows Trusted Root store.
This poses two problems:
• As the certificate is self-signed, it’s not validated by a trusted root authority, rather acting as a root authority. It is generally a bad practice, even though it is a required step in the process;
• More importantly, you have to trust the application to do the decryption, verifications and encryption properly. The verification part is crucial: as your browser will display the filtering app’s certificate, it becomes the app’s job to verify the strength of the connection, the certificate chain, etc. of the originating site. It is not an easy task, and browsers do it well, but I’ve seen examples of filtering apps not doing it very well at all (for instance, KIS didn’t use to warn of a bad certificate when it did filter secure connections. It does now.);
• Lastly, and more problematically, it obscures the origin of the certificate. Say I visit some site; I can see that the HTTPS connection is signed by a certificate from a trusted root, say, GlobalSign. If the next day I visit the same website and the certificate is now issued by another emitter, it can raise questions. It can be harmless, but also a sign of a man-in-the-middle attack. However, if a filtering application is used, all I will see is their own “trusted” (self-signed) root, and I won’t notice anything. That, to me, is the worst problem (even more so with EV certs, which are also supposed to certify the organization that the certificate belongs to, even if they will, sadly, disappear with time).

As a filtering browser extension, such as uBO or presumably AdGuard’s own extension, sees requests before (on the request side) and after (on the response side) the encryption is run, it sees them as clear text anyway and doesn’t need to run this interception process. So to me it’s actually a security risk, and not needed anyway (just the same, an antivirus would catch the file as it’s downloaded, for instance, if it was malicious, without having to intercept the HTTPS connection but rather by reading the file contents)."

*KIS: Kaspersky Internet Security

Any idea?
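A small check that follows from the friend's third point, added here as an example (not code from this thread or from any product named in it): it records the issuer of the certificate a site presented and flags when that issuer later changes, which is exactly the observation the post says a filtering root hides. The certificate dicts, the "Example Filtering Product" names and the fetch helper are constructed for this example; only GlobalSign is taken from the post.

```python
import socket
import ssl

# Constructed sample certificates, in the dict shape ssl.SSLSocket.getpeercert() returns.
# ORIGIN_CERT is what the site itself serves (issuer GlobalSign, as in the post);
# FILTERED_CERT is the same site as seen through an HTTPS-filtering product, whose
# locally installed root re-signs every leaf. All names here are made up for the example.
ORIGIN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "BE"),),
               (("organizationName", "GlobalSign nv-sa"),),
               (("commonName", "GlobalSign RSA OV SSL CA 2018"),)),
}
FILTERED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Filtering Product"),),
               (("commonName", "Example Filtering Product Personal Root"),)),
}

def rdn_value(rdns, key):
    """Pull one attribute (e.g. organizationName) out of getpeercert()'s nested RDN tuples."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def name_id(rdns):
    """(organizationName, commonName) pair identifying a subject or issuer."""
    return (rdn_value(rdns, "organizationName"), rdn_value(rdns, "commonName"))

def check_issuer(host, cert, baseline):
    """Trust-on-first-use on the issuer: remember who signed the cert the first time,
    flag any later change. A filtering proxy shows up as every site's issuer silently
    becoming the same local root."""
    seen = name_id(cert.get("issuer", ()))
    if seen == name_id(cert.get("subject", ())):
        return "self-signed-leaf"
    previous = baseline.get(host)
    if previous is None:
        baseline[host] = seen
        return "recorded"
    return "unchanged" if previous == seen else "issuer-changed"

def fetch_peer_cert(host, port=443):
    """Live variant: the cert as this machine's TLS client sees it. Validation uses the OS
    trust store, so an interception root installed there is accepted, as in a browser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `check_issuer(host, fetch_peer_cert(host), baseline)` once with filtering off and again with it on to see the issuer flip to the product's root for every site.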

amirr

Level 7
"Yes there are some security risks with software such as AV or Ad-filtering such as Adfender or Adguard. Yes these are MITM (man in the middle) risks.

But the added or extra layer of security provided by the antivirus filtering HTTPS probably outweighs the risks involved.

Several times my AV has stopped an online trojan. The future seems to be that there will be HTTPS online trojans or malware everywhere, so HTTPS scanning will be even more necessary in the future.
Just my opinion."

Gandalf_The_Grey

Level 38
In my opinion not. By the way, not all bank sites in your and my country are EV certified. They occur in the exclusions list from Filter HTTPS Protocol in AdGuard Desktop.
After reading the FAQ linked to by @Nightwalker it doesn't matter as long as they are on the list of exclusions from AdGuard.
That list has now 3328 banks and financial services listed.
They also have a sensitive list with for example the sites for password managers.
So, they exclude a lot by default.
You can find those lists here:
This still makes me wonder if HTTPS filtering is a good thing; it's without a doubt effective.

amirr

Level 7
Hi all, my friend said this to me and I'd like to share it:

Well, if you read the thread entirely, you see that some people are against HTTPS filtering (such as security123) and some are ok with the trade-off as for them the filtering is more important than HTTPS integrity.

My own position is that indeed HTTPS filtering “breaks” HTTPS (as it performs a MITM attack, although a benevolent one, at the risk of obscuring evil ones or origin problems), so I would disable it.
But I understand that people can think otherwise, and prefer to filter HTTPS if it makes them feel more protected because their AV is able to filter the HTTPS protocol (which as discussed before isn’t really needed).

So in the end, it’s a personal choice.

If you want to ensure the integrity of the communication, then yes, add those sites (banking sites and sites you use to shop online) to the exclusions list if you still use HTTPS filtering.

(Also, as EV certs are on their way out, the setting to not filter EV certs only will soon not make sense anymore.)