Advice Request HTTPS scan: should you enable it?

Please provide comments and solutions that are helpful to the author of this topic.

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
HTTPS scanning has been a hot topic in the industry for a long time now, and reciently a lot in this forum. The objective of this thread is to post enough information to help users decide wether they should enable or disable this function within their antivirus.

1602957175097.png


WHAT IS HTTPS

HTTPS stand for Hypertext Transfer Protocol Secure and is a protocol based on HTTP, with the difference that the first one allows safe data transfer, meaning the connecting between you and the host is "encrypted".

WHAT IS THE ADVANTAGE OF HTTPS

Using an encrypted connection allows your information to be safe from cybercriminals on its way from point A to point B. For example, when banking, your bank site will probably force HTTPS to make sure all your credentials and moves remain private, encrpyted and unreadable from the outside (for example, from a hacker trying to use a MitM attack).

WHAT IS A MitM ATTACK

Man-in-the-middle attacks are pretty much self-explanatory. These are attacks designed to stand the cybercriminal between you and the host you're trying to connect. If you're using an HTTP connection, meaning an unencrypted, unsafe connection, somebody could place an attack on such connection to intercept and read all your traffic and information being transmitted. This usually is not possible if you're using an HTTPS connection (encrypted).

ANTIVIRUS AND THEIR PROBLEM WITH HTTPS

Despite how great it sounds, HTTPS is just about privacy and encryption, but it's still "vulnerable" to malware. An encrypted connection will not stop malware from being delivered, since HTTPS hosts can also send malware (this include browser sites, mail, messaging apps). Since antivirus do not like this idea, they must protect you from malware delivered within encrypted connections. But here's the issue: how can they scan for malware in an encrypted connection, if it's encrpyted and they can't read it?

HTTPS SCANNING

The only way to protect you in these scenarios is by scanning/filtering HTTPS. Since they can't read the encrypted information, they must place themselves in between you and the host (exactly as a cybercriminal would). This is obtained by installing a self-signed root CA certificate on computers and using it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This way, an antivirus can read the information being delivered on encrypted connections, scan it, and make sure it's totally safe, therefore protecting you from dangers in HTTPS sites.

USER'S CONCERN

This is a "concern" for many users because it breaks the idea of "encryption". Encrypted connections were designed to avoid MitM attacks, and antivirus basically perform MitM attacks to "break" HTTPS and stand between both points, for the "sake of security". Also, many users believe that you stand for greater risks, since if a scenario took place where somebody could take control over your antivirus, the whole thing could be used to intercept the traffic and expose you.

THE CHOICE

Wether you should enable it or not comes up to each user. Enabling it means putting your trust in the antivirus you chose, just as you put your trust on the VPN you have. Disabling it will "reduce" protection at an extent where HTTPS malware won't be detected until it has been downloaded. In order to make a choice you should take into account what your daily habits are, if you do home banking, purchasing online, or any other activity which would benefict from some extra antivirus protection.
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Great post (y)
Here is some (older) research on why it's not all that great:
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625
Great post (y)
Here is some (older) research on why it's not all that great:

If you use HTTPS scanning, you're giving consent to allow a backdoor to be installed.
So based on these theories, it sounds like one should not be using HTTPS scanning because by so doing it creates vulnerabilities. However, based on what the OP wrote, the opposite is true.

I am currently using KSC which has this feature. What then is the consensus: enable the feature, and use at your own risk or disable it based on potential exposure. I am confused at this point. Thanks.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712

" For the first time ever, this report includes data on the percentage of malware in the wild delivered via encrypted HTTPS connections. WatchGuard’s threat intelligence shows that 67% of all malware in Q1 was delivered via HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will miss two-thirds of incoming threats. Additionally, 72% of encrypted malware was classified as zero day (meaning no antivirus signature exists for it, and it will evade signature-based protections). These findings show that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization."

I wonder how high the percentage must be before this can become a problem for home users.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Like others have said HTTPS Scanning is a backdoor. All your traffic gets decrypted sometimes even before it gets to your computer. So somewhere in some random country, a server is looking at your encrypted sessions. Servers like this one:

Spy agencies LOVE you for installing a phony certificate giving anyone who hacks the AV vendor's server access to everything you are browsing. They have hacked the AV servers years ago and actively monitor all files that run through them. Think about all the passwords you just openly shared. Think about your banking transactions. Think about highly personal, sensitive information. What is the AVs policy on data retention? Do they immediately delete your decrypted data? How much do they share with other 3rd parties? How much do they share with law enforcement in your country and in their country? So so many attack vectors that are opened by doing SSL/TLS/HTTPS scanning, you make 1 step forward and 100 steps back. DNS privacy, VPN, encryption, sandboxing, site-isolation, VM, content blocking, all of this is pointless when you allow HTTPS Scanning because your AV or cloud AV server become the single point of failure where anyone can inject or leak everything you are trying to protect. Every browser security engineer at Firefox, Chrome and Brave says it's a horrible idea, so many security researchers say it's a horrible idea. Only AV vendors who are in the business of spreading fear say it's making you more secure.
 

Jan Willy

Level 11
Verified
Top Poster
Well-known
Jul 5, 2019
544
Like others have said HTTPS Scanning is a backdoor. All your traffic gets decrypted sometimes even before it gets to your computer. So somewhere in some random country, a server is looking at your encrypted sessions. Servers like this one:

Spy agencies LOVE you for installing a phony certificate giving anyone who hacks the AV vendor's server access to everything you are browsing. They have hacked the AV servers years ago and actively monitor all files that run through them. Think about all the passwords you just openly shared. Think about your banking transactions. Think about highly personal, sensitive information. What is the AVs policy on data retention? Do they immediately delete your decrypted data? How much do they share with other 3rd parties? How much do they share with law enforcement in your country and in their country? So so many attack vectors that are opened by doing SSL/TLS/HTTPS scanning, you make 1 step forward and 100 steps back. DNS privacy, VPN, encryption, sandboxing, site-isolation, VM, content blocking, all of this is pointless when you allow HTTPS Scanning because your AV or cloud AV server become the single point of failure where anyone can inject or leak everything you are trying to protect. Every browser security engineer at Firefox, Chrome and Brave says it's a horrible idea, so many security researchers say it's a horrible idea. Only AV vendors who are in the business of spreading fear say it's making you more secure.
You don't use any AV program?
Edit:
I mean: any AV program with HTTPS scanning.
 
Last edited:
  • Like
  • HaHa
Reactions: JB007 and Nevi

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
I disabled HTTPS scanning in ESET Internet Security but will keep it on, in the Adguard.
Otherwise, it wont block ads in Youtube, etc.
View attachment 247519
You can just use NextDNS for blocking and uBlockOrigin for cosmetic filtering, no middleman needed especially since Adguard is Russian all traffic decrypted is subject to Russian law.
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625

" For the first time ever, this report includes data on the percentage of malware in the wild delivered via encrypted HTTPS connections. WatchGuard’s threat intelligence shows that 67% of all malware in Q1 was delivered via HTTPS, so organizations without security solutions capable of inspecting encrypted traffic will miss two-thirds of incoming threats. Additionally, 72% of encrypted malware was classified as zero day (meaning no antivirus signature exists for it, and it will evade signature-based protections). These findings show that HTTPS inspection and advanced behavior-based threat detection and response solutions are now requirements for every security-conscious organization."

I wonder how high the percentage must be before this can become a problem for home users.

If this is valid, there is an argument to keep the feature enabled. However, there still does not seem to be a majority opinion on which way is best for a home user.

That said, if one were to disable this feature, what AV or what additional piece of software could one use that would accomplish a similar type of protection against this potential malware?
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
If this is valid, there is an argument to keep the feature enabled. However, there still does not seem to be a majority opinion on which way is best for a home user.

That said, if one were to disable this feature, what AV or what additional piece of software could one use that would accomplish a similar type of protection against this potential malware?
A browser extension that blocks by url would probably be sufficient for home users. And if you have an AV it’s still going to scan the file on execution, or on demand.
 

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
625
A browser extension that blocks by url would probably be sufficient for home users. And if you have an AV it’s still going to scan the file on execution, or on demand.

The question is: is the risk of malware content in https sites bigger than the risk that the server of the AV provider gets hacked or that the AV provider is unreliable.

I think that both these two statement sum it up nicely.

For some people, disabling HTTPS scanning mainly comes into play because the loading of web pages slows when enabled depending upon their AV.

I think that the best that one can hope for is to pick a reliable AV with a solid reputation because at the end of the day, if a software is made by man or woman, it can also be bypassed by the same at some point. In other words, the idea is to make it as difficult as possible to plant malware onto your PC without slowing it down to the point that it becomes unuseable: deterrence, and good common sense. This is just my opinion.
 

avatar

From ADGuard
Verified
Developer
May 23, 2014
96
You can just use NextDNS for blocking and uBlockOrigin for cosmetic filtering, no middleman needed especially since Adguard is Russian all traffic decrypted is subject to Russian law.
It would be very nice if you stop spreading this. First of all, AdGuard is a Cyprus company. Second, decryption takes place right on the device and not on some server, we can't and don't want to see your traffic. It belongs to you and it is subject to the law of the country you reside in.

Regarding the topic, despite some valid concerns, this is the only way for you to be in control of your browsers and applications. Just imagine, if perfect encryption existed, you would NEVER learn what Chrome sends to its servers. Or take any other app on your PC, you just wouldn't have the means to inspect them. I am seeing this all the time with modern IoT devices and it really bugs me that I have no way to audit them.

Anyway, "THE CHOICE" part of the article is very nice. You need to really trust the developer if you're going to use a product that does HTTPS scanning. By the way, the same is true for any browser extension as most of them can access the same sensitive info.

And one more thing. Despite all the talks and concerns, I never heard of any malware exploiting AVs HTTPS scanning (maybe I wasn't looking good enough). At the same time, I've heard, seen, and discovered myself hundreds of cases with powerful browser extensions being exploited for malicious purposes. However, there's a huge backlash to Chrome devs trying to limit extensions (see Manifest V3) in the name of security. The point is that this is natural for some tools to have access to web traffic, and people want them to have it. Long-term, if we want these tools to do it in a more "secure" way, we'd better work with OS vendors to provide a better and more secure alternative to HTTPS scanning.
 

YuanJiawj

Level 12
Verified
Top Poster
Well-known
Oct 9, 2014
579
It would be very nice if you stop spreading this. First of all, AdGuard is a Cyprus company. Second, decryption takes place right on the device and not on some server, we can't and don't want to see your traffic. It belongs to you and it is subject to the law of the country you reside in.

Regarding the topic, despite some valid concerns, this is the only way for you to be in control of your browsers and applications. Just imagine, if perfect encryption existed, you would NEVER learn what Chrome sends to its servers. Or take any other app on your PC, you just wouldn't have the means to inspect them. I am seeing this all the time with modern IoT devices and it really bugs me that I have no way to audit them.

Anyway, "THE CHOICE" part of the article is very nice. You need to really trust the developer if you're going to use a product that does HTTPS scanning. By the way, the same is true for any browser extension as most of them can access the same sensitive info.

And one more thing. Despite all the talks and concerns, I never heard of any malware exploiting AVs HTTPS scanning (maybe I wasn't looking good enough). At the same time, I've heard, seen, and discovered myself hundreds of cases with powerful browser extensions being exploited for malicious purposes. However, there's a huge backlash to Chrome devs trying to limit extensions (see Manifest V3) in the name of security. The point is that this is natural for some tools to have access to web traffic, and people want them to have it. Long-term, if we want these tools to do it in a more "secure" way, we'd better work with OS vendors to provide a better and more secure alternative to HTTPS scanning.
Nowadays speaking, writing and giving an opinion on everything is very very easy, but sustaining and showing our points of view with facts is very very difficult.

Everyone can have an opinion, but assuming something without knowing it is bad and speaks a little bad about each one.
 

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
It would be very nice if you stop spreading this. First of all, AdGuard is a Cyprus company. Second, decryption takes place right on the device and not on some server, we can't and don't want to see your traffic. It belongs to you and it is subject to the law of the country you reside in.

Regarding the topic, despite some valid concerns, this is the only way for you to be in control of your browsers and applications. Just imagine, if perfect encryption existed, you would NEVER learn what Chrome sends to its servers. Or take any other app on your PC, you just wouldn't have the means to inspect them. I am seeing this all the time with modern IoT devices and it really bugs me that I have no way to audit them.

Anyway, "THE CHOICE" part of the article is very nice. You need to really trust the developer if you're going to use a product that does HTTPS scanning. By the way, the same is true for any browser extension as most of them can access the same sensitive info.

And one more thing. Despite all the talks and concerns, I never heard of any malware exploiting AVs HTTPS scanning (maybe I wasn't looking good enough). At the same time, I've heard, seen, and discovered myself hundreds of cases with powerful browser extensions being exploited for malicious purposes. However, there's a huge backlash to Chrome devs trying to limit extensions (see Manifest V3) in the name of security. The point is that this is natural for some tools to have access to web traffic, and people want them to have it. Long-term, if we want these tools to do it in a more "secure" way, we'd better work with OS vendors to provide a better and more secure alternative to HTTPS scanning.
You can't be serious. Cyprus is a tax haven not a privacy haven and your Wikipedia article says most employees and operations are still in Moscow.

Transparency is the key and literally all security researchers agree that being a MITM is NOT improving security for anyone. Installing a custom certificate is a backdoor and yes it's because of companies like yours that Chromium team has to implement Manifest V3 because the risk of it being used for malicious purposes is too big. I see on Adguard's website that there are assurances that sensitive traffic is not being decrypted but do you guys have every password manager, every financial site, every health care site whitelisted? My point is not an opinion, it's a regurgitation of what browser security devs are saying and have been saying for years. You altering and scanning encrypted traffic increases security by a small margin in exchange for doubling the user's attack surface.

Summary - Pros and Cons of HTTPS Filtering

Pros:
+Convenience
+Might block TLS malware/phishing

Cons:
-Undermines site isolation
-Undermines passwords
-Breaks sandboxing security model
-Breaks DNS encryption security model
-Breaks secure updates
-Downgrades modern encryption standards
-Allows eavesdropping
-Causes error messages
-Leaks IP/deanonymizes you

Nobody's security model should be based on 'trust'. Everyone's security model should be based on trustless actors, minimizing the amount of trust required.
 
F

ForgottenSeer 85179

And one more (big) con:

If the cert gets invalid which is used by the product/ company, ALL connections are insecure.
Same as using HTTP for everything.

Also nobody here answer why breaking TLS for analysing the content against malware is needed, before the OS and/ or AV get in the end.
What's the point?
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top