Q&A I've officially changed my stance on HTTPS scanning

ncage

Level 3
May 20, 2017
102
323
I have officially changed my stance on HTTPS scanning. I used to believe that it was necessary because every site these days has a cert, and without it the AV would be partially handicapped. Well, I've been using Kaspersky on Mac for maybe 3 months or so and their HTTPS injection has caused so many issues. You would think Kaspersky would have this figured out by now, but no. The first issue is it broke Homebrew. Homebrew uses curl. By the error I got out of curl, it looks like Kaspersky was trying to do a TLS downgrade attack (to TLS 1):

curl: (35) error:1400443E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert inappropriate fallback
Error: Failed to download resource "ncurses_bottle_manifest"
Download failed: https://ghcr.io/v2/homebrew/core/ncurses/manifests/6.2

Kaspersky "partially" fixed it but it was a total pain in the rear. They required me to do so much work on my side for them to fix the issue (from logs, to memory dumps, etc.). Thankfully I'm technical or it would have been impossible. You would think Kaspersky would have this figured out by now.

I do Time Machine backups over my network. I've been fighting for months with it continuously failing after 2 or 3 backups (Time Machine backups happen every hour). I'd have to reboot and it would start working again until it started failing again after 2-3 hours. Well, guess what it was? Kaspersky!!! After my first experience with their tech support I'm not going to do it again.

So from here on out, for any product that has HTTPS scanning I will immediately disable it. If its interface is kind of screaming at you that you're insecure because you disabled it, then I won't use it. The hardest thing to give up will be AdGuard.

I was using Bitdefender, which doesn't have HTTPS scanning (in its Mac product, that is), but the issues with Bitdefender from Windows follow it to the Mac side (it uses WAYYYY too much memory), so I bought Kaspersky. At this point I'm not sure if I'm going to go back to Bitdefender or start trying alternatives (SHP comes to mind).

As an aside, my work has used Websense, WSA (Cisco Web Security Appliance), and Fortinet, and they have all sucked. Everything will be working fine and things just randomly break all the time. It almost requires someone looking into these issues full time. Granted, I have heard with TLS 1.3 you no longer MTM TLS.
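One way to check whether a local product is re-signing HTTPS traffic, as discussed in the post above (an added example, not part of the original post or any vendor's code): compare the certificate issuers seen for several unrelated hosts. The host names and issuer names below are constructed placeholders, and `shared_issuer` and `fetch_issuer` are hypothetical helper names.

```python
import socket
import ssl
from collections import Counter

def issuer_name(cert):
    """Reduce the 'issuer' field of ssl.getpeercert() to (organization, common name)."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName", ""), fields.get("commonName", "")

def fetch_issuer(host, port=443, timeout=5):
    """Live helper (not used by the offline samples below).

    If the scanner's root is missing from Python's trust store, the handshake
    raises ssl.SSLCertVerificationError, which is itself a sign of interception.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_name(tls.getpeercert())

def shared_issuer(issuers, min_hosts=3):
    """Return the single issuer shared by every host, or None.

    Pick hosts known to use different public CAs; a local HTTPS scanner
    re-signs all of them with its own root, so the issuers collapse to one.
    """
    if len(issuers) < min_hosts:
        return None
    (issuer, count), = Counter(issuers.values()).most_common(1)
    return issuer if count == len(issuers) else None

# Constructed sample data: names are placeholders, not real CAs or products.
SAMPLE_CERT = {"issuer": ((("countryName", "XX"),),
                          (("organizationName", "Example AV Vendor"),),
                          (("commonName", "Example AV Personal Root"),))}
DIRECT = {
    "site-a.example": ("Example Public CA One", "One Issuing CA"),
    "site-b.example": ("Example Public CA Two", "Two Issuing CA"),
    "site-c.example": ("Example Public CA One", "One Issuing CA"),
}
SCANNED = {host: issuer_name(SAMPLE_CERT) for host in DIRECT}

if __name__ == "__main__":
    print("direct :", shared_issuer(DIRECT))
    print("scanned:", shared_issuer(SCANNED))
```

For a live check, build the mapping with `fetch_issuer` for hosts you know are served by different public CAs and pass it to `shared_issuer`.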
 

Minimalist

Level 6
Oct 2, 2020
296
2,944
I agree. For me it's also more trouble than it's worth.
Setting up Kaspersky, I disable SSL scanning and script injection. It speeds up browsing.
With ESET I add browser and torrent client to protocol scanning exception as it shows warning if you disable component entirely.
Emsisoft doesn't perform MITM and it seems that F-Secure also doesn't.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
47,744
The hardest thing to give up will be adguard.
I am not familiar with AdGuard products - What are your views on their DNS and VPN services, and can either do similar tasks to HTTPS filtering, without using that setting in AdGuard for Mac?
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,048
10,350
You would think Kaspersky would have this figured out by now, but no.
There is nothing to figure out, HTTPS scanning breaks HTTPS, period. You either get a secure HTTPS or you get HTTPS scanning. If you get a fake iPhone, putting a fake stamp on it (fake certificate) will not make it act as a real one. Besides, network scanning is overrated. It is like a double realtime protection, AV realtime will catch it once it gets downloaded anyway.
 

Raiden

Level 19
Verified
Content Creator
May 7, 2018
900
7,448
I agree!

I too am against any form of HTTPS scanning. It has proven over and over again that it causes issues....it's more hassle than it's worth. HTTPS was designed to ensure you have a secure connection to the server with no one in between...that includes the "good guys" (aka AVs). Sad part is, AV vendors know this, but do it anyway, why?...well they have to "protect you".:rolleyes: Then they scare you by throwing up red warnings if you disable it. Quite frankly this is why I've stopped using 3rd party products. While they may offer good protection, they also cause problems by hooking into things they shouldn't, as well as scaring the user, making them feel that they are unprotected. As it's already been mentioned, many other vendors seem to be able to offer good web protection without HTTPS scanning,...so it is possible, they just have to put the work into it.

Security vendors earn comparatively little from their Mac-supporting lines. So knowing that, your expectation should be that they are going to put proportionately less effort into making their Mac lines polished. Then there is the lack of bug reports from Mac users. I would bet that for every Mac user like you that contacted a vendor to get them to fix it, there are probably 9,999 Mac users that do not report anything. On top of that, security soft vendors perform very little Mac beta testing. Economically, it just isn't worth it for them to expend all the effort needed to make a bug-free Mac-compatible product.

While I agree, I am also of the opinion that if you are going to offer a product to another OS, then you need to offer the same level of polish. If you don't care as much, or you don't feel that you make enough from it, then stop offering that product and put all that extra effort into your more successful products. Problem is...the security software industry is full of copy cats and marketing check boxes rather than companies actually willing to try to differentiate themselves. That's just my opinion....:emoji_beer:
 

amirr

Level 20
Verified
Jan 26, 2020
987
3,485
Setting up Kaspersky, I disable SSL scanning and script injection. It speeds up browsing.
Thanks for the tip. Do I need to disable that in the settings in the screenshot below?
1637932281047.png
 

amirr

Level 20
Verified
Jan 26, 2020
987
3,485
Thanks @Local Host a lot. Mostly I meant to know if those two settings are exactly the SSL scanning settings. I wanted to be sure of that.
So if you confirm this, I will go and disable them.
 

JasonUK

Level 3
Apr 14, 2020
126
551
The hardest thing to give up will be adguard.
Why give it up? You can disable https scanning by unchecking the relevant box in settings > network > https filtering.

You get one warning that you may see ads on certain sites and that's it.

I must admit I've been weighing up whether to do so or not lately (on AdGuard) and would certainly disable it if AV was also https scanning!
 

JasonUK

Level 3
Apr 14, 2020
126
551
@JasonUK I did disable https scanning in KIS but had to keep https scanning on in my Adguard for Windows to get most of the ads blocked. Was that ok?
There are far more qualified posters to answer that @amirr but I think that if any software is using https scanning you're potentially breaking the security of https. That said I've run both AdGuard for Windows & Avast Free AV for months (both with https scanning enabled) with no obvious issues at all so disabling either / both would possibly be a bit paranoid for an average user :)
 

burmr

Level 1
Nov 13, 2021
34
77
Well, I've been using Kaspersky on Mac for maybe 3 months or so and their HTTPS injection has caused so many issues. You would think Kaspersky would have this figured out by now, but no.
What you are saying is taken by many here as security blasphemy.

You need to re-think what you are saying about HTTPS scanning and add 20 browser extensions.

Even though HTTPS scanning is not needed. Never has been. Never will be. Like your experience, all HTTPS scanning does is cause problems for many. The notion that HTTPS scanning is a necessity is hilarious. It fundamentally breaks HTTPS security itself.

Is your choice if you wanna be secured on malicious HTTPs websites or not, Kaspersky won't fail to protect you with or without HTTPs scanning anyway.
Not just Kaspersky. Others as well.
 

amirr

Level 20
Verified
Jan 26, 2020
987
3,485
There are far more qualified posters to answer that @amirr but I think that if any software is using https scanning you're potentially breaking the security of https. That said I've run both AdGuard for Windows & Avast Free AV for months (both with https scanning enabled) with no obvious issues at all so disabling either / both would possibly be a bit paranoid for an average user :)
Yes, I read some stuff written by those people, but right now wanted to again evaluate.
So, in KIS, now I have HTTPS scanning disabled. And keep the HTTPS scanning on in Adguard for Windows. So you confirm this way, it is ok?
 

JasonUK

Level 3
Apr 14, 2020
126
551
@amirr ~ if you're worried about https scanning potentially breaking https then you probably wouldn't enable either. If you're not that concerned but have had issues with KIS with https scanning enabled but feel more Ads are blocked enabling it in AdGuard then your solution seems reasonable.

I'm trying out Windows Defender (hardened) + the AdGuard extension at the moment so https scanning isn't an issue... at least as far as I'm aware!!
 

burmr

Level 1
Nov 13, 2021
34
77
I feel very uncomfortable even sending anyone my logs or memory dumps. There is SO MUCH information in those that I just can't.
That is a psychological issue, and not one based upon reality. If you weren't aware of it, Windows automatically uploads logs and memory dumps to Microsoft, along with a whole bunch more. Moreover security software like Kaspersky automatically upload files, logs and other files to Kaspersky for analysis. That is to say nothing of a whole range of 3rd party software that do it to some extent.
 

DDE_Server

Level 22
Verified
Sep 5, 2017
1,136
6,123
I am thinking of disabling it in Bitdefender as well. It has not broken anything yet, but it slows browsing. However, I am using AdGuard desktop, which has HTTPS filtering, so that may be enough. I keep it as a second layer, but I am sacrificing some browsing performance.
 

Local Host

Level 24
Verified
Sep 26, 2017
1,353
6,285
That is a psychological issue, and not one based upon reality. If you weren't aware of it, Windows automatically uploads logs and memory dumps to Microsoft, along with a whole bunch more. Moreover security software like Kaspersky automatically upload files, logs and other files to Kaspersky for analysis. That is to say nothing of a whole range of 3rd party software that do it to some extent.
Yeah this is false, I would know considering I monitor my traffic closely, no logs are automatically sent anywhere.

Max I've seen sent without consent was system information to pull the right updates on Windows Update, which doesn't carry any personal information anyway.
 