Q&A I've officially changed my stance on HTTPS scanning

ncage

Level 3
May 20, 2017
102
I have officially changed my stance on HTTPS scanning. I used to believe that it was necessary because every site these days has a cert, and without it the AV would be partially handicapped. Well, I've been using Kaspersky on Mac for maybe 3 months or so and their HTTPS injection has caused so many issues. You would think Kaspersky would have this figured out by now, but no. The first issue is that it broke Homebrew. Homebrew uses curl. By the error I got out of curl, it looks like Kaspersky was trying to do a TLS downgrade attack (to TLS 1):

curl: (35) error:1400443E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert inappropriate fallback
Error: Failed to download resource "ncurses_bottle_manifest"
Download failed: https://ghcr.io/v2/homebrew/core/ncurses/manifests/6.2

Kaspersky "partially" fixed it, but it was a total pain in the rear. They required me to do so much work on my side for them to fix the issue (from logs to memory dumps, etc.). Thankfully I'm technical or it would have been impossible. You would think Kaspersky would have this figured out by now.

I do Time Machine backups over my network. I've been fighting for months with it continuously failing after 2 or 3 backups (Time Machine backups happen every hour). I'd have to reboot and it would start working again until it started failing again after 2-3 hours. Well, guess what it was? Kaspersky!!! After my first experience with their tech support I'm not going to do it again.

So from here on out, any product that has HTTPS scanning I will immediately disable it. If its interface is kind of screaming at you that you're insecure because you disabled it, then I won't use it. The hardest thing to give up will be AdGuard.

I was using Bitdefender, which doesn't have HTTPS scanning (in its Mac product, that is), but the issues with Bitdefender from Windows follow it to the Mac side (it uses WAYYYY too much memory), so I bought Kaspersky. At this point I'm not sure if I'm going to go back to Bitdefender or start trying alternatives (SHP comes to mind).

As an aside, my work has used Websense, WSA (Cisco Web Security Appliance), and Fortinet, and they have all sucked. Everything will be working fine and things just randomly break all the time. It almost requires someone looking into these issues full time. Granted, I have heard with TLS 1.3 you no longer MTM TLS.
 

Minimalist

Level 6
Oct 2, 2020
288
I agree. For me it's also more trouble than it's worth.
Setting up Kaspersky, I disable SSL scanning and script injection. It speeds up browsing.
With ESET I add the browser and torrent client to the protocol scanning exceptions, as it shows a warning if you disable the component entirely.
Emsisoft doesn't perform MITM and it seems that F-Secure also doesn't.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
The hardest thing to give up will be adguard.
I am not familiar with AdGuard products - What are your views on their DNS and VPN services, and can either do similar tasks to HTTPS filtering, without using that setting in AdGuard for Mac?
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,046
You would think Kaspersky would have this figured out by now, but no.
There is nothing to figure out: HTTPS scanning breaks HTTPS, period. You either get a secure HTTPS or you get HTTPS scanning. If you get a fake iPhone, putting a fake stamp on it (fake certificate) will not make it act as a real one. Besides, network scanning is overrated. It is like a double realtime protection; AV realtime will catch it once it gets downloaded anyway.
 

Raiden

Level 19
Verified
Content Creator
May 7, 2018
899
I agree!

I too am against any form of HTTPS scanning. It has proven over and over again that it causes issues... it's more hassle than it's worth. HTTPS was designed to ensure you have a secure connection to the server with no one in between... that includes the "good guys" (aka AVs). Sad part is, AV vendors know this, but do it anyways. Why? Well, they have to "protect you". :rolleyes: Then they scare you by throwing up red warnings if you disable it. Quite frankly, this is why I've stopped using 3rd party products. While they may offer good protection, they also cause problems by hooking into things they shouldn't, as well as scaring the user, making them feel that they are unprotected. As has already been mentioned, many other vendors seem to be able to offer good web protection without HTTPS scanning... so it is possible, they just have to put the work into it.

Security vendors earn comparatively little from their Mac-supporting lines. So knowing that, your expectation should be that they are going to put proportionately less effort into making their Mac lines polished. Then there is the lack of bug reports from Mac users. I would bet that for every Mac user like you that contacted a vendor to get them to fix it, there are probably 9,999 Mac users that do not report anything. On top of that, security soft vendors perform very little Mac beta testing. Economically, it just isn't worth it for them to expend all the effort needed to make a bug-free Mac-compatible product.

While I agree, I am also of the opinion that if you are going to offer a product to another OS, then you need to offer the same level of polish. If you don't care as much, or you don't feel that you make enough from it, then stop offering that product and put all that extra effort into your more successful products. Problem is... the security software industry is more full of copycats and marketing check boxes than companies actually willing to try to differentiate themselves. That's just my opinion.... :emoji_beer:
 