blackice

Level 27
Verified
> Do the MiTM/intercept https certificates by installing their own in the browser or not? I find the AV doing MiTM a bit intrusive
They do, I go back and forth between turning it off and relying on extensions and my router filtering, and leaving it on. But, one way to look at it if you want the protection is that the AV already has access to just about everything on your system. MiTM isn't going to change anything if they want to breach your privacy. And they have improved flagging bad/unencrypted/broken connections. Still I understand being wary of MiTM with certificates. They also have added support for TLS 1.3.

MacDefender

Level 11
Verified
Yeah I am still not a fan of MiTM SSL interception. Browsers go out of their way to do extended certificate validation (such as pinning for popular services in Chrome and supplementing the revocation list) and enforce policies around mixed SSL content. By presenting to a browser a manually force-trusted certificate it not only bypasses all the browser provided security features (which I guarantee is better than what any 3rd party AV has implemented), but it also leaves on disk a private cert that any attacker can use to generate HTTPS pages that the browser trusts.

I understand the things they gain out of SSL inspection but that's something I'm never willing to go with, and it automatically erodes my trust when an AV program automatically opts me into this kind of feature without explicitly asking for consent while explaining the pros and cons to SSL inspection.


BTW, Cisco has been working on malware inspection techniques that don't involve SSL decryption: Detecting Encrypted Malware Traffic (Without Decryption)
This was productized last year as Encrypted Traffic Analysis on their high end equipment: Cisco Adds Encrypted Traffic Analysis Function

blackice

Level 27
Verified
> Yeah I am still not a fan of MiTM SSL interception. Browsers go out of their way to do extended certificate validation (such as pinning for popular services in Chrome and supplementing the revocation list) and enforce policies around mixed SSL content. By presenting to a browser a manually force-trusted certificate it not only bypasses all the browser provided security features (which I guarantee is better than what any 3rd party AV has implemented), but it also leaves on disk a private cert that any attacker can use to generate HTTPS pages that the browser trusts.
>
> I understand the things they gain out of SSL inspection but that's something I'm never willing to go with, and it automatically erodes my trust when an AV program automatically opts me into this kind of feature without explicitly asking for consent while explaining the pros and cons to SSL inspection.
>
> BTW, Cisco has been working on malware inspection techniques that don't involve SSL decryption: Detecting Encrypted Malware Traffic (Without Decryption)
> This was productized last year as Encrypted Traffic Analysis on their high end equipment: Cisco Adds Encrypted Traffic Analysis Function
It does not bypass all protections. ESET does not intercept EV Certificates. It will open a banking mode browser if you so choose, but it does not intercept those communications on EV sites even in the banking browser.

MacDefender

Level 11
Verified
> It does not bypass all protections. ESET does not intercept EV Certificates. It will open a banking mode browser if you so choose, but it does not intercept those communications on EV sites even in the banking browser.
Glad to hear that is the case! I should also add that legally the interception of banking and healthcare web traffic can be problematic and can violate a lot of regulations particularly in the EU unless you have put your product through a certification process. I’ve had to deal with this nightmare before with centralized SSL filtering appliances.

At any rate I'm very glad they don't intercept EV certs but that also means they too are cognizant of the implications of SSL interception. It's still my personal opinion that I dislike these features and would like to be explicitly asked to opt in rather than finding out by surprise. Everyone else is welcome to make their own choice!

artek

Level 5
> It does not bypass all protections. ESET does not intercept EV Certificates. It will open a banking mode browser if you so choose, but it does not intercept those communications on EV sites even in the banking browser.
I wouldn't touch the HTTPS scanning feature with a ten foot pole.

"Not only that, inspecting SSL negotiation with Wireshark shows the ESET application actually downgrades your SSL connection to TLSv1.0 even if your browser and the site you are visiting would normally use the much stronger TLSv1.1 or TLSv1.2."

Source: Don't use ESET SSL protocol filtering

They were downgrading encryption to protect you from malware and exploits that an up-to-date browser alone would have probably protected you from.
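The two concerns raised in this thread, a force-trusted filtering root that the browser accepts as valid (MacDefender's post above) and a filter negotiating a weaker protocol than the browser and site would on their own (the quoted Wireshark observation), can both be checked from the client side. The script below is an added example, not code from any post or from ESET; it connects with the system trust store exactly as a browser would, then flags a negotiated version below TLS 1.2 and a leaf-certificate issuer outside an operator-maintained list of expected public CAs. The allow-list contents, the "Example SSL Filter CA" issuer and the sample certificate dictionaries are constructed for the example.

```python
import socket
import ssl
from typing import Optional

# Constructed allow-list: the public CA organizations the operator expects to
# see issuing certificates for the sites they visit. A locally installed
# filtering root (AV product or corporate proxy) shows up as an issuer that is
# not on this list, even though the OS trust store considers it valid.
EXPECTED_ISSUER_ORGS = {
    "Let's Encrypt",
    "DigiCert Inc",
    "GlobalSign nv-sa",
    "Sectigo Limited",
}

# Anything below TLS 1.2 is reported as a downgrade. Names match what
# ssl.SSLSocket.version() returns.
TLS_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_ACCEPTABLE_VERSION = "TLSv1.2"

# Constructed sample certificates in the shape ssl.getpeercert() returns:
# 'issuer' is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_PUBLIC_CA_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
}
# Hypothetical interception CA; the name is a placeholder, not a real product's.
SAMPLE_FILTER_CA_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": (
        (("organizationName", "Example SSL Filter CA"),),
        (("commonName", "Example SSL Filter CA"),),
    ),
}


def issuer_org(cert: dict) -> Optional[str]:
    """Return the issuer's organizationName from a getpeercert() dict, if any."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(version: str, cert: dict) -> list[str]:
    """Produce findings for one negotiated session (empty list means nothing unusual)."""
    findings = []
    if (version not in TLS_VERSION_ORDER
            or TLS_VERSION_ORDER.index(version) < TLS_VERSION_ORDER.index(MIN_ACCEPTABLE_VERSION)):
        findings.append(f"protocol downgrade: negotiated {version}, expected at least {MIN_ACCEPTABLE_VERSION}")
    org = issuer_org(cert)
    if org is None:
        findings.append("issuer carries no organizationName; certificate cannot be attributed")
    elif org not in EXPECTED_ISSUER_ORGS:
        findings.append(f"unexpected issuer organization {org!r}: possible local TLS interception")
    return findings


def inspect_live(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Connect using the system trust store, as a browser would, and assess the result.

    Note that a filtering root installed in that store passes verification here,
    which is exactly why the issuer check is needed in addition to verification.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return assess(tls.version(), tls.getpeercert())


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, version, cert in [
        ("clean session", "TLSv1.3", SAMPLE_PUBLIC_CA_CERT),
        ("filtered session", "TLSv1", SAMPLE_FILTER_CA_CERT),
    ]:
        print(label, "->", assess(version, cert) or ["no findings"])
```

Run `inspect_live("your-bank.example")` from a machine with the AV's HTTPS scanning on and off and compare the two results; the issuer changing between runs is the interception itself, and the negotiated version tells you whether the filter is holding the session back. The allow-list is deliberately small and has to be maintained for the sites you actually care about; it is a heuristic for spotting a local root, not a substitute for the browser's own validation.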

blackice

Level 27
Verified
> I wouldn't touch the HTTPS scanning feature with a ten foot pole.
>
> "Not only that, inspecting SSL negotiation with Wireshark shows the ESET application actually downgrades your SSL connection to TLSv1.0 even if your browser and the site you are visiting would normally use the much stronger TLSv1.1 or TLSv1.2."
>
> Source: Don't use ESET SSL protocol filtering
>
> They were downgrading encryption to protect you from malware and exploits that an up-to-date browser alone would have probably protected you from.
Notice that that article is 5 years old. Most vendors have changed. ESET now supports TLS 1.3.

artek

Level 5
> Notice that that article is 5 years old. Most vendors have changed. ESET now supports TLS 1.3.
Until the specs change and it takes them forever to update it. Or they re-use the private key. Or they support old encryption cyphers. All of which has happened in the past. And if you want my opinion, AV manufacturers have been so consistently bad at it that I wish they would just stop altogether. If the last three out of three cars you've bought from an auto manufacturer have had engine failure, why do you think this latest model is going to be any different?

fabiobr

Level 9
Verified
> Glad to hear that is the case! I should also add that legally the interception of banking and healthcare web traffic can be problematic and can violate a lot of regulations particularly in the EU unless you have put your product through a certification process. I’ve had to deal with this nightmare before with centralized SSL filtering appliances.
>
> At any rate I'm very glad they don't intercept EV certs but that also means they too are cognizant of the implications of SSL interception. It's still my personal opinion that I dislike these features and would like to be explicitly asked to opt in rather than finding out by surprise. Everyone else is welcome to make their own choice!
ESET is the main vendor of enterprise products in EU.

blackice

Level 27
Verified
> Until the specs change and it takes them forever to update it. Or they re-use the private key. Or they support old encryption cyphers. All of which has happened in the past. And if you want my opinion, AV manufacturers have been so consistently bad at it that I wish they would just stop altogether. If the last three out of three cars you've bought from an auto manufacturer have had engine failure, why do you think this latest model is going to be any different?
Some people agree with it, some don’t. I was just sharing the current facts. I understand why you are opposed to https inspection.

notabot

Level 15
> Is it really or is this the ongoing myth about their software? Coz writing in assembly is incredibly inefficient for today's standards.
It's entirely pointless these days and I doubt there's even a talent pool of assembly developers to maintain a project. I'm not aware of any active assembly-only (or at least mostly assembly) projects these days; perhaps they exist in the embedded space, which I'm not familiar with.

int 21 :)

blackice

Level 27
Verified
> It's entirely pointless these days and I doubt there's even a talent pool of assembly developers to maintain a project. I'm not aware of any active assembly-only (or at least mostly assembly) projects these days; perhaps they exist in the embedded space, which I'm not familiar with.
>
> int 21 :)
I think people are just baffled by how light ESET is while still having good protection.

RejZoR

Level 14
Verified
The "light" is such a weird definition these days. I mean, I have freaking 32GB of RAM pretty much just because I can. And it wasn't even stupid expensive. Before this I had 18GB (triple channel X58, hence the funny number). And even if I only had 16GB, last time I opened task manager to worry about RAM was back when Windows XP was a thing and I had system with 1GB of RAM iirc.

blackice

Level 27
Verified
> The "light" is such a weird definition these days. I mean, I have freaking 32GB of RAM pretty much just because I can. And it wasn't even stupid expensive. Before this I had 18GB (triple channel X58, hence the funny number). And even if I only had 16GB, last time I opened task manager to worry about RAM was back when Windows XP was a thing and I had system with 1GB of RAM iirc.
I tend to agree. I haven’t had less than 16 in a long time. And it hasn’t hindered anything.

SeriousHoax

Level 29
Verified
Malware Tester
> The "light" is such a weird definition these days. I mean, I have freaking 32GB of RAM pretty much just because I can. And it wasn't even stupid expensive. Before this I had 18GB (triple channel X58, hence the funny number). And even if I only had 16GB, last time I opened task manager to worry about RAM was back when Windows XP was a thing and I had system with 1GB of RAM iirc.
You're comparing lightness with RAM usage only, which is wrong. There are many other parameters besides RAM usage.
AV-Comparatives does an excellent job at testing this. Check this: Performance Test April 2019
ESET is the lightest in their test as well, so my and many other users' personal experience + this result surely verifies it.