Browser Add-on Bitdefender Trafficlight still transmits every site in clear text?

Tiamati

Level 10
Verified
Nov 8, 2016
476
A few months ago I read a post saying Bitdefender TrafficLight (BTL) was sending unencrypted sites to Bitdefender servers (you can check the original post HERE).

But I did my own research and could not confirm this information at the present moment. So I would like to know if you can help me check whether that is still true.

1) I tried to replicate the post's guide, but although I accessed the BTL requests and sends, I could not find any unencrypted message. So I believe the problem is solved.
Edit:
I can find the site BTL is sending in plain text (Params tab), but the Security tab shows the TLSv1.2 protocol for all requests.

Examples (two screenshots attached)

2) According to the BTL privacy policy:

3. Protecting the Personal data
As a leader in information security services, confidentiality and data protection are of vital importance for us. Access to the collected personal data is restricted only to Bitdefender employees and data processors that need access to this information. All Bitdefender information security policies are ISO 27001 certified.
Bitdefender may use other IT companies to process the collected personal data. These companies are considered data processors and have strict contractual obligations to keep the confidentiality of the processed data and to offer at least the same level of security as Bitdefender. Data processors have the obligation not to allow third parties to process personal data on behalf of Bitdefender and to access, use and/or keep the data secure and confidential.

Bitdefender may host personal data in Romania, Ireland, as well as in European Union or any other jurisdiction which offers adequate level of personal data protection according to European Union standards, including companies that are certified under the US-EU Privacy Shield program.

Due to confidentiality obligations and security requirements the specific information regarding the name and details for each processor used will be provided only to competent authorities.

The following types of data processor are being used:

  • hosting services in Romania, Ireland and US;
  • support channel communications in Romania, Ireland, Poland and US;
  • marketing services (including email marketing) in Romania and US.
All our data processors in US are certified in the US-EU Privacy Shield program.

Access to certain sections of Bitdefender websites is protected by a username and password. We recommend not to reveal this password. Bitdefender will never ask for your account's password via any kind of messages or phone calls. We advise not to disclose your password to anyone asking you to do so. If possible, we also recommend to log out of your online services account after each session. We also advise to close the browser window after navigating or using Bitdefender services.

Unfortunately, transferring data over the Internet cannot be 100% secure. Consequently, despite our efforts to protect personal data, Bitdefender cannot assure or guarantee the security of the information transmitted by the user until the information is on our servers. Any information you transmit is done on your own risk.

So, I believe that if BTL actually did send unencrypted messages to Bitdefender servers at some point, that is no longer true.
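The check described in the post above (look at each request the extension makes, see whether the visited site appears in its parameters, and see whether the request went over TLS) can be done mechanically from a HAR export of the browser's Network panel. The following is an added example written for this thread, not code from the post or from Bitdefender; the HAR document, the visited URL and the vendor endpoint names (`lookup.vendor.example` and so on) are all constructed for the example and are not a capture of TrafficLight.

```javascript
// Added example, not from the thread or from Bitdefender: audit a HAR export
// (devtools Network panel -> "Save all as HAR") for requests that carry the
// URL of the page being visited, and record whether each went over TLS.
// The HAR below is constructed for this example, not a capture of TrafficLight.

const VISITED = 'https://www.example.org/account/settings?id=42';

const sampleHar = { log: { entries: [
  // Full URL in a query parameter, over https (the case the thread observed).
  { request: { method: 'GET',
      url: 'https://lookup.vendor.example/check?url=' + encodeURIComponent(VISITED),
      queryString: [{ name: 'url', value: VISITED }] } },
  // Full URL in a POST body, over plain http (the original complaint).
  { request: { method: 'POST',
      url: 'http://legacy.vendor.example/report',
      queryString: [],
      postData: { mimeType: 'application/json',
                  text: JSON.stringify({ page: VISITED }) } } },
  // Only the hostname, over https.
  { request: { method: 'GET',
      url: 'https://stats.vendor.example/ping?h=www.example.org',
      queryString: [{ name: 'h', value: 'www.example.org' }] } },
  // Unrelated request that reveals nothing about the visited page.
  { request: { method: 'GET',
      url: 'https://cdn.vendor.example/icon.png',
      queryString: [] } },
] } };

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Classify how much of the visited page a piece of request text reveals:
// the complete URL, only its hostname, or nothing.
function leakKind(text, visitedUrl) {
  const t = safeDecode(String(text));
  if (t.includes(visitedUrl)) return 'full-url';
  if (t.includes(new URL(visitedUrl).hostname)) return 'host-only';
  return null;
}

// Walk every HAR entry; report the ones whose query string or body carries
// the visited page, together with the endpoint and whether TLS was used.
function auditHar(har, visitedUrl) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const target = new URL(request.url);
    const carriers = [];
    for (const p of request.queryString || []) {
      const k = leakKind(p.value, visitedUrl);
      if (k) carriers.push({ where: 'query:' + p.name, kind: k });
    }
    const body = request.postData && request.postData.text;
    const bodyKind = body ? leakKind(body, visitedUrl) : null;
    if (bodyKind) carriers.push({ where: 'body', kind: bodyKind });
    if (carriers.length === 0) continue;
    const worst = carriers.some(c => c.kind === 'full-url') ? 'full-url' : 'host-only';
    findings.push({
      endpoint: target.host,
      overTls: target.protocol === 'https:',
      kind: worst,
      carriers,
    });
  }
  return findings;
}

// One-line verdict for the three cases the thread distinguishes.
function verdict(finding) {
  if (!finding.overTls) {
    return 'CLEARTEXT: ' + finding.kind + ' sent over http to ' + finding.endpoint;
  }
  if (finding.kind === 'full-url') {
    return 'TLS, but full URL sent to ' + finding.endpoint;
  }
  return 'TLS, host only sent to ' + finding.endpoint;
}

const report = auditHar(sampleHar, VISITED).map(verdict);
report.forEach(line => console.log(line));
```

To use it on a real capture, replace `sampleHar` with the parsed HAR file and `VISITED` with the page that was open while recording; HAR stores `queryString` values already decoded, which is why `leakKind` also tries a percent-decoded view of the text for bodies. A request that shows up as "TLS, but full URL" is exactly the situation the replies below describe: the transport is encrypted, but the vendor still receives the complete address.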

blackice

Level 29
Verified
Apr 1, 2019
1,864
[quoting Tiamati's post above]
I just checked this out as well in Firefox and got the same results. They are now sent over TLS 1.2, but it is still sending full URL strings.

Tiamati

Level 10
Verified
Nov 8, 2016
476
They are now sent over TLS 1.2
Well, if they are sending through TLS 1.2, I believe the only problem now would be Bitdefender accessing all your sites without any difficulty. However, their privacy policy mentions they won't use or sell that data. Besides that, most AV extensions I know send that kind of data (except for Emsisoft, which sends only hashes).
 

blackice

Level 29
Verified
Apr 1, 2019
1,864
[quoting Tiamati's reply above]
I think a lot of people still find this an unnecessary privacy compromise.
 

Azure

Level 26
Verified
Content Creator
Oct 23, 2014
1,537
I agree... but it's certainly not as bad as sending clear logs without encryption. As long as they are under the TLS protocol, it should not be a problem. Unless Bitdefender's servers are hacked (which is unlikely).
Considering Kaspersky's servers were hacked in the past, I believe it's not impossible for the same to happen to BitDefender.
 

Pat MacKnife

Level 11
Verified
Jul 14, 2015
526
Yes, if you install WebAdvisor:
Supported Browsers

  • Internet Explorer 10.0 or later
  • Microsoft Edge (Windows 10 only, Fall Creators Update required)
  • Firefox
  • Google Chrome


 

blackice

Level 29
Verified
Apr 1, 2019
1,864
[quoting Pat MacKnife's post above]

I saw that. However, since it is not available in the Firefox extension store, I'm not inclined to check it out.
 

Azure

Level 26
Verified
Content Creator
Oct 23, 2014
1,537

blackice

Level 29
Verified
Apr 1, 2019
1,864

To be accurate, they state it was an attack on their network but that neither their products nor services had been compromised.
Trend Micro said the same thing. None of them would admit it.
 