HTTPS Security Weakened by AV Products

Tiny

Level 3
Thread author
Well-known
Dec 29, 2016
131
An increasing number of antiviruses and network appliances intercept TLS connections to gain visibility into encrypted traffic, but in many cases this weakens connection security and introduces vulnerabilities, according to a new study.

The study, focusing on the security impact of HTTPS interception, was carried out last summer by researchers at Mozilla, Google, CloudFlare, the University of Michigan, the University of Illinois Urbana-Champaign, the University of California Berkeley, and the International Computer Science Institute.

Experts have analyzed the TLS handshakes associated with web browsers, security products and malware, and created a set of heuristics designed to allow web servers to detect HTTPS interception and identify the product responsible.

Tests were conducted by deploying these heuristics on Mozilla’s Firefox update servers, the CloudFlare content distribution network (CDN), and some major e-commerce websites. The analysis showed that 4% of the Firefox connections, 6.2% of the e-commerce connections, and nearly 11% of US-based CloudFlare connections were intercepted.

Worryingly, 97% of the Firefox, 54% of the CloudFlare and 32% of the e-commerce connections that were intercepted became less secure. More than 62% of the middlebox connections were weakened and over 58% had severe vulnerabilities.

“Alarmingly, not only did intercepted connections use weaker cryptographic algorithms, but 10–40% advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection,” researchers said in their report.

The list of middlebox vendors whose products were tested includes A10 Networks, Blue Coat, Barracuda, Check Point, Cisco, Forcepoint, Fortinet, Juniper Networks, Microsoft, Sophos, Untangle and WebTitan. Only the Blue Coat product received an A grade (optimal TLS connection equivalent to modern browsers), while the others received a C (contains known vulnerability) or F (severely broken connection vulnerable to MitM attacks).

[Image: middlebox_interception.png]

The antiviruses analyzed in the study include Windows and Mac products from Avast, AVG, Bitdefender, Bullguard, CYBERsitter, Dr. Web, ESET, G DATA, Kaspersky, KinderGate, Net Nanny, PC Pandora and Qustodio. Only two of the tested Avast products received an A grade.

The researchers said they reported their findings to the affected vendors, and while some of them addressed the issues or they plan on doing so, others ignored them or refused to update their products and shifted responsibility to customers.

The study was published shortly after a member of the Chrome security team and a former Mozilla employee said the only antivirus that is not terrible is the one made by Microsoft.
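The interception-detection heuristic the article describes, worked through as an added example (this is not code from the study or from any vendor named in it): the server keeps a reference profile of the TLS ClientHello each browser family sends, maps the request's User-Agent to the family it claims, and compares the two; a mismatch means a different TLS stack built the connection. It also grades what the client offered, in the spirit of the A/C/F grades quoted above. The browser profiles, cipher suite names, User-Agent string and sample handshakes below are constructed for illustration, and the grading rubric is this example's own simplification.

```python
"""Server-side HTTPS-interception heuristic: a constructed illustration.

Added example, not the researchers' code. Profiles and handshakes are
invented; a real deployment measures fingerprints from known browser builds,
because suite and extension order changes with every release.
"""
from dataclasses import dataclass, field


@dataclass
class ClientHello:
    """The handshake fields the heuristic looks at (a constructed subset)."""
    max_version: str                 # highest TLS version offered, e.g. "TLSv1.2"
    ciphers: list                    # cipher suites in the order offered
    extensions: list = field(default_factory=list)


# Constructed reference profiles keyed by browser family. The ORDER of suites
# and extensions is what identifies the TLS stack: an antivirus or middlebox
# proxy uses its own stack and therefore its own order.
EXPECTED_PROFILES = {
    "Firefox": ClientHello(
        "TLSv1.2",
        ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
         "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
         "ECDHE-RSA-AES256-SHA", "AES128-SHA"],
        ["server_name", "supported_groups", "signature_algorithms", "alpn"],
    ),
    "Chrome": ClientHello(
        "TLSv1.2",
        ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
         "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
         "AES128-GCM-SHA256", "AES128-SHA"],
        ["server_name", "extended_master_secret", "supported_groups",
         "signature_algorithms", "alpn"],
    ),
}

# Suites the rubric treats as known-broken: an active attacker can steer a
# client that advertises RC4, export-grade, anonymous or NULL suites into
# one of them and decrypt the session (graded F).
BROKEN_MARKERS = ("RC4", "EXP-", "ADH-", "AECDH-", "NULL")
# Weak but not immediately exploitable suites (graded C).
WEAK_MARKERS = ("DES-CBC3", "DES-CBC-", "MD5")
VERSION_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def browser_family(user_agent):
    """Map a User-Agent string to a profile key (Chrome UAs also say Safari)."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent:
        return "Chrome"
    return None


def fingerprint_matches(user_agent, hello):
    """True when the handshake looks like the browser the User-Agent claims.

    Returns None for clients without a reference profile: no opinion.
    """
    expected = EXPECTED_PROFILES.get(browser_family(user_agent))
    if expected is None:
        return None
    return (hello.max_version == expected.max_version
            and hello.ciphers == expected.ciphers
            and hello.extensions == expected.extensions)


def grade(hello):
    """Grade what the client offered: F broken, C weak, A otherwise."""
    suites = " ".join(hello.ciphers)
    too_old = VERSION_RANK.get(hello.max_version, 0) < VERSION_RANK["TLSv1.2"]
    if too_old or any(m in suites for m in BROKEN_MARKERS):
        return "F"
    if any(m in suites for m in WEAK_MARKERS):
        return "C"
    return "A"


def classify(user_agent, hello):
    """The per-connection record a server would log for later analysis."""
    matches = fingerprint_matches(user_agent, hello)
    return {
        "family": browser_family(user_agent),
        "intercepted": matches is False,   # None (unknown client) is not a verdict
        "grade": grade(hello),
    }


# Constructed samples: a genuine Firefox handshake, and the same User-Agent
# arriving over a handshake built by an interception product's own TLS stack.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:50.0) Gecko/20100101 Firefox/50.0"
GENUINE_HELLO = ClientHello("TLSv1.2",
                            list(EXPECTED_PROFILES["Firefox"].ciphers),
                            list(EXPECTED_PROFILES["Firefox"].extensions))
PROXY_HELLO = ClientHello("TLSv1.2",
                          ["AES256-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5",
                           "DES-CBC3-SHA"],
                          ["server_name"])

if __name__ == "__main__":
    for label, hello in (("genuine", GENUINE_HELLO), ("proxied", PROXY_HELLO)):
        print(label, classify(FIREFOX_UA, hello))
```

The two signals are deliberately kept separate in the record: a fingerprint mismatch says only that something rebuilt the connection (a corporate proxy, an antivirus, or an attacker), while the grade says how much the rebuilt connection gave up, which is the distinction the study's percentages rest on.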
 

Wingman

Level 4
Verified
Well-known
Feb 6, 2017
155
Only the Blue Coat product received an A grade (optimal TLS connection equivalent to modern browsers), while the others received a C (contains known vulnerability) or F (severely broken connection vulnerable to MitM attacks).

Thumbs up for Bluecoat... I assume all appliances/gateways were fully updated prior to the test(?) I would expect gateways to still possibly support RC4 by default, especially for fw/reverse proxies. Security wise it doesn't make sense but in business terms might be. If you have legitimate clients that still use -for example- XP or older OS and they need to connect via such cipher cause their application is sooo old, you will have to make it happen. Security needs to support business needs
 

Tiny

Level 3
Thread author
Well-known
Dec 29, 2016
131
Is there any way to stop this weakening and do the AVs know about this?

According to the article they were informed.

The researchers said they reported their findings to the affected vendors, and while some of them addressed the issues or they plan on doing so, others ignored them or refused to update their products and shifted responsibility to customers.
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,182
use a good browser with proper security add-ons. Then turn off the browser protection in your antivirus, which is usually more trouble than it's worth, in my experience.
 

Wingman

Level 4
Verified
Well-known
Feb 6, 2017
155
use a good browser with proper security add-ons. Then turn off the browser protection in your antivirus, which is usually more trouble than it's worth, in my experience.

But then how do you protect yourself from https delivered malware (I assume you mean disabling https security in your AV)? I am not being funny here, I just want to understand what ppl use. There is no right or wrong answer and it all depends on the security posture and the layer defence model you might be using.
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,182
But then how do you protect yourself from https delivered malware (I assume you mean disabling https security in your AV)? I am not being funny here, I just want to understand what ppl use. There is no right or wrong answer and it all depends on the security posture and the layer defence model you might be using.
okay, let's say for instance that you are using AVAST.
You can just go and install the AVAST extension in chrome, if you haven't already, or install any other one that you might like. This extension can scan HTTPS connections. It can find anything that the native AVAST browser protection would find.
 

Wingman

Level 4
Verified
Well-known
Feb 6, 2017
155
okay, let's say for instance that you are using AVAST.
You can just go and install the AVAST extension in chrome, if you haven't already, or install any other one that you might like. This extension can scan HTTPS connections. It can find anything that the native AVAST browser protection would find.

I haven't used this product before but it seems that the AVAST extension in chrome doesn't scan for HTTPS content (you will effectively need your AV to be doing MITM -trust certificate etc). The AVAST extension doesn't do that based on Avast FAQ | Avast Online Security browser extension: Overview

Think of the following scenario. A legitimate site (therefore not categorised as phishing, malicious etc by vendors) is hacked and delivering a malware not detected by AV (based on signatures) yet through HTTPS connection for about 30 minutes. The website is then restored by the actors (they remove the malicious code etc). How are you able to detect this?
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,182
I haven't used this product before but it seems that the AVAST extension in chrome doesn't scan for HTTPS content (you will effectively need your AV to be doing MITM -trust certificate etc). The AVAST extension doesn't do that based on Avast FAQ | Avast Online Security browser extension: Overview

Think of the following scenario. A legitimate site (therefore not categorised as phishing, malicious etc by vendors) is hacked and delivering a malware not detected by AV (based on signatures) yet through HTTPS connection for about 30 minutes. The website is then restored by the actors (they remove the malicious code etc). How are you able to detect this?

1. I didn't see in the FAQ where it says that they can't scan HTTPS. Please direct me to the right section
2. If the malicious download is not in the AVAST sigs, then scanning the HTTPS connection will not help either. What would you want it to detect, if the site is okay and the download is FUD?
 

ForgottenSeer 19494

okay, let's say for instance that you are using AVAST.
You can just go and install the AVAST extension in chrome, if you haven't already, or install any other one that you might like. This extension can scan HTTPS connections. It can find anything that the native AVAST browser protection would find.
Avast was once as bad as other AVs when it comes to intercepting SSL/TLS connections, and in fact it was one of the worst. But they have made a complete overhaul of their interception techniques. Now they do not intercept Extended Validation certificates allowing the green bars to show, I've seen that they do not intercept 100% of the certificates which are not EV, so I guess that they also sense where it can become a problem and don't intercept in such situations. They also make their own checks for certificate revocation, which is actually the thing that cannot be checked by the browser when a certificate is intercepted. The other thing that cannot be checked by the browser when a certificate is intercepted is if the chain leads to a trusted root certificate, so Avast also does this for the browser and if the issuer is not trusted, they generate a non-trusted certificate in the store and use it so it triggers the browser warning. Everything else is copied to the self-signed (self-issued) certificate which Avast creates locally every time, which allows the browser to make all other checks except certificate revocation, like date of issue and signature/public key algorithm. They actually increase the SSL protection of Chrome, because it is well known that the only type of check that Chrome does is the CRLSet check, which covers the very minimum of revoked certificates, while Avast uses OCSP and checks every certificate in real time. Mozilla also does this very effectively with Firefox and also has an option for hard fail OCSP.
Please note that the option to turn off TLS scanning is located in the Web Shield settings of Avast, and uninstalling the Avast Online Security extension has nothing to do with this. Extensions by themselves are not allowed any kind of changing of the SSL certificates as a Chrome security measure.
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,182
Avast was once as bad as other AVs when it comes to intercepting SSL/TLS connections, and in fact it was one of the worst. But they have made a complete overhaul of their interception techniques. Now they do not intercept Extended Validation certificates allowing the green bars to show, I've seen that they do not intercept 100% of the certificates which are not EV, so I guess that they also sense where it can become a problem and don't intercept in such situations. They also make their own checks for certificate revocation, which is actually the thing that cannot be checked by the browser when a certificate is intercepted. The other thing that cannot be checked by the browser when a certificate is intercepted is if the chain leads to a trusted root certificate, so Avast also does this for the browser and if the issuer is not trusted, they generate a non-trusted certificate in the store and use it so it triggers the browser warning. Everything else is copied to the self-signed (self-issued) certificate which Avast creates locally every time, which allows the browser to make all other checks except certificate revocation, like date of issue and signature/public key algorithm. They actually increase the SSL protection of Chrome, because it is well known that the only type of check that Chrome does is the CRLSet check, which covers the very minimum of revoked certificates, while Avast uses OCSP and checks every certificate in real time. Mozilla also does this very effectively with Firefox and also has an option for hard fail OCSP.
Please note that the option to turn off TLS scanning is located in the Web Shield settings of Avast, and uninstalling the Avast Online Security extension has nothing to do with this. Extensions by themselves are not allowed any kind of changing of the SSL certificates as a Chrome security measure.
sounds good!
I didn't mean to imply that AVAST is or is not an offender. I just chose it as an example to illustrate my point, and according to your report, it was actually not such a good example.
 

ForgottenSeer 19494

sounds good!
I didn't mean to imply that AVAST is or is not an offender. I just chose it as an example to illustrate my point, and according to your report, it was actually not such a good example.
And still not intercepting is best for browsers, but how many browsers can scan and detect malicious javascripts which exploit the browser? If it was just scanning the files it wouldn't need to intercept the browser, because the file would be scanned even before it is constructed as a .exe file. :)
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,182
does HitmanPro.Alert have the potential to break browser security in any way?