Google Dev Finds Serious Flaws in Kaspersky's HTTPS Traffic Inspection System

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Tavis Ormandy, one of Google Project Zero's most proficient security researchers, has identified two issues in the way Kaspersky security products inspect HTTPS traffic for web threats.

According to the researcher, the Kaspersky performs this operation by its root certificate (Kaspersky Anti-Virus Personal Root) as a trusted certificate authority (CA) in the operating system's authorized certificate store.

Every time users access a web resource hosted via HTTPS, Kaspersky security software proxies all SSL connections and deploys its own (leaf) certificates to scan the incoming connections for any threats.

This way traffic is still encrypted, but certificates appear to be issued by Kaspersky's root certificate.

Kaspersky security products broke HTTPS connections for some users
Here's where Ormandy discovered the first problem. The researcher says that Kaspersky uses the first 32 bits of a real certificate's MD5 hash as the key for the cloned leaf certificate.

When users (re-)access HTTPS resources, the antivirus searches for this MD5 signature and reuses the same cloned leaf certificate.

"You don't have to be a cryptographer to understand a 32bit key is not enough to prevent brute-forcing a collision in seconds. In fact, producing a collision with any other certificate is trivial," Ormandy explained in a bug report made public yesterday.

In a real-world example, Ormandy says that the 32bit key of certificates for the sites HackerNews (news.ycombinator.com) and the portal of Manchester, Connecticut (manchesterct.gov) are the same.

Ormandy reveals that this bug broke HTTPS connections for many Kaspersky users, who were unable to access secure websites, or the website downgraded to using HTTP instead.

Breaking-HTTPS.png

Read more: Google Dev Finds Serious Flaws in Kaspersky's HTTPS Traffic Inspection System
 

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
Haven't had any problems with HTTPS scanning in avast!. HTTPS gets scanned properly without any issues. Not really sure how they do it. In the beginning they sort of "injected" their certificate in the middle of secure connection, but they changed the mechanism later and now they are using some different mechanism that doesn't seem to break the encryption chain. Browser still shows HTTPS connections with the original encryption key and not their own like before. Bottom line is, they seem to have a very effective and apparently also secure mechanism to achieve that. Any info how Kaspersky as doing it? Same way as avast! in the beginning?
 

Klappis

Level 1
Verified
Feb 15, 2014
30
HTTPS scanning is a pain, with every AV suite. Just turn it off, and use a browser extension instead.

Well there's HTTP scanning but there's no HTTPS scanning in Bitdefender. Should i turn off HTTP scanning?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top