crezz

Level 5
Verified
Does anyone know exactly what the Kaspersky Trusted Browser mode does compared to opening the browser normally?

I've noticed that it is not possible to take screenshots when the trusted browser is working. However, what else is it doing? Does it create a sandbox?

I have not found very much on the Kaspersky website to explain exactly what the protected browser does or how it works.
 

Nightwalker

Level 14
Content Creator
Verified
From Kaspersky support:

How Safe Money works

When you sign in to your online banking profile, Kaspersky Internet Security does the following:
  • Checks that you are trying to access a genuine online banking or payment system page. To ensure the trustworthiness of a website, the application checks a requested page address against a continuously updated database of financial institution websites (the database is maintained by Kaspersky Lab engineers).
  • Verifies the certificate that is used to establish a secure connection, thus preventing access to a fake web page.
  • Scans your operating system for vulnerabilities that are critical for online banking.
  • Offers that you open a requested website in the Safe Money mode to protect your personal data.

Kaspersky Internet Security protects your Clipboard data against interception and theft when you are using the Safe Money mode. The product also prevents unauthorized screenshot capture (powered by the Hypervisor, DirectX®, and OpenGL technologies).
As a result, your online transactions become more secure.
Source:
How to protect online transactions with Kaspersky Internet Security 19
How to configure and use Safe Money in Kaspersky Internet Security 2015
 

Eddie Morra

Thanks for the replies. However, I can't see a great deal of information to show that it places the browser in a sandbox? Do we know that it definitely does this?
Hypervisor-powered protection against screenshots does not work in Kaspersky Internet Security 2016

In some cases, you may encounter the error Hypervisor-powered protection against screenshots does not work. This can happen if Safe Browser is turned on computers under Windows 8, Windows 8.1 (x64), or Windows 10 with Kaspersky Internet Security installed and running. The error means that Safe Browser cannot protect your computer from malware which secretly takes screenshots of your actions on the computer.
Above is to do with KIS 2016 which was a long time ago but pretty much should be the same. Remember what harlan said about hardware and BIOS.

Hyper-visor powered protection is virtualisation powered protection.
 

Eddie Morra

Does Safe Money intercept certificates and replace them with a certificate by Kaspersky?
I doubt it because the documentation talks about how they perform checks on the certificate for the website - it could have been worded better though, I assume this is what they were trying to say.

Checks the certificate with the help of which an encrypted connection is established; thus preventing access to a fake web page.
Source: What is Kaspersky Safe Money

I recommend you ask on the Kaspersky forums if @harlan4096 is unsure.
 

notabot

Level 8
I doubt it because the documentation talks about how they perform checks on the certificate for the website - it could have been worded better though, I assume this is what they were trying to say.


Source: What is Kaspersky Safe Money

I recommend you ask on the Kaspersky forums if @harlan4096 is unsure.

Thanks for this, I think one doesn’t exclude the other, eg the AV could intercept the certificate to scan unencrypted web traffic -> browser sees certificate by AV company but at the same time AV company also performs checks on the original certificate for the site.
 

notabot

Level 8
Thanks! Can I ask, does this require any browser addon to work? And does it replace a domain's certificate with one from Kaspersky in the browser?

It's clear the browser runs either in a sandbox or a virtualised environment and it checks e.g. for certificate revocation, which is great, but the two above points would be of concern to me.

Also does it play well with password managers ?
 

harlan4096

Moderator
Staff member
Malware Hunter
Verified
For the 1st question, example with a bank site:
For the 2nd: You may install inside the sandbox instance, for example Firefox plugins; in fact, I tried to install the "Key" add-on to connect with my KeePass 2, and it worked inside the sandbox...
 

Eddie Morra

Based on images shared by @harlan4096, it appears Kaspersky Safe Money does mess with the certificates, unless the HTTPS scanning is enabled and that is the one responsible for it.

You can see on the image shared in the post above that it says that the certificate was verified/issued by Kaspersky... but it should say it was issued by DigiCert. Also, the expiration date for the real certificate is July, 2019... not in November.

Looking at the hash data, it's a different certificate, which confirms it once and for all as it not being the real, official one.
 

notabot

Level 8
For the 1st question, example with a bank site:
For the 2nd: You may install inside the sandbox instance, for example Firefox plugins; in fact, I tried to install the "Key" add-on to connect with my KeePass 2, and it worked inside the sandbox...
Thanks for this, looks like they replace certificates with their own which wouldn’t be my cup of tea. The sandbox and having a pwd manager in the sandbox sound great though
 

notabot

Level 8
Based on images shared by @harlan4096, it appears Kaspersky Safe Money does mess with the certificates, unless the HTTPS scanning is enabled and that is the one responsible for it.

You can see on the image shared in the post above that it says that the certificate was verified/issued by Kaspersky... but it should say it was issued by DigiCert. Also, the expiration date for the real certificate is July, 2019... not in November.

Looking at the hash data, it's a different certificate, which confirms it once and for all as it not being the real, official one.
I haven't used Kaspersky for a long, long time (probably the product is entirely different now). Is HTTPS scanning done with an addon? Then probably the addon replaces the certificates. In which case (if the answer to the previous question is yes) the question becomes whether Safe Money can work on its own without the addon; this would give the best outcome in my view: the safety of the sandbox without messing with certificates.
 

Eddie Morra

Is https scanning done with an addon ?
As far as I know, Kaspersky relies on the Windows Filtering Platform (WFP) for system-wide filtering of the network traffic. Combined with the certificate changes, they'll be able to decrypt the encrypted HTTPS traffic for more thorough parsing of the captured packets. And I believe that the HTTPS scanning is supported system-wide.

Therefore, the answer to the quoted question is No, as far as I know.

I am not a Kaspersky user though... I can be corrected/wrong at any-time.
 

notabot

Level 8
As far as I know, Kaspersky relies on the Windows Filtering Platform (WFP) for system-wide filtering of the network traffic. Combined with the certificate changes, they'll be able to decrypt the encrypted HTTPS traffic for more thorough parsing of the captured packets. And I believe that the HTTPS scanning is supported system-wide.

Therefore, the answer to the quoted question is No, as far as I know.

I am not a Kaspersky user though... I can be corrected/wrong at any-time.
I could be wrong as I haven't used WFP, but I doubt there can be an API or SDK that allows a functional interception & replacement of SSL certs in the general case without help from an addon.
E.g. if I wrote my own browser which has its own trusted root CA repository, the only way the interception & replacement (done by using an SDK) would work without breaking the browser is if Kaspersky was inserted as a trusted root CA in that repository. Else the replaced (by the AV) domain certificate would never be accepted by the user space application (the browser).
If the user runs as a 1-off a program to install the Kaspersky root CA cert, it's hard to renew the cert, revoke it etc.; this approach has maintainability issues.
On the other hand a browser addon can always renew or revoke the Kaspersky root CA cert on demand, therefore allowing interception & replacement of domain certs in a manner that's maintainable. Thus I'm more inclined to believe the addon is pretty much a requirement for a functional and maintainable SSL cert replacement scheme.

In this design the SDK would do the interception & replacement and the addon would be used to maintain the root AV CA cert in the browser certificate repo - both are needed for this to work without hiccups
 

Eddie Morra

I could be wrong as I haven’t used WFP but I doubt there can be an API or SDK that allows a functional interception & replacement of SSL certs in the general case without help from an addon.
I'm not 100% sure if they achieve this through WFP (sorry if I accidentally misled you, because that was definitely not my intention; I do not use Kaspersky and don't intend on installing it in an analysis environment to check). As far as I know, they do use WFP for system-wide filtering of the network, preferably through an NDIS driver. I'm guessing all of this though (I was using phrases like "as far as I know" or "I believe" for this very reason, since what I was saying was not confirmed and validated).

I think the best thing you can do at this point to get the answers you're looking for is to contact Kaspersky directly and ask to speak to an engineer, and if that fails, try and locate one on social media who will respond to you.

Edit:
The Illustrated TLS Connection: Every Byte Explained - general resource and it is pretty good, it was shared on the forum by @In2an3_PpG recently here.
 

notabot

Level 8
It’s not the installed certificate that is pushed per newly visited site

How it looks without interception (some simplifications made):
A root CA certificate is for a trusted authority that’s ultimately responsible for signing certificates of domains or delegating the signing of domain certificates. The root CA certificate is installed in a local repo the browser queries and that repo is often maintained by the browser

User goes to xyz.com and gets a certificate that PuK-xyz is the public key of xyz.com, and in the simplest scenario this certificate has been signed by the root CA. The user trusts the root CA because their public key is in the browser's certificate repository.

How it looks with interception (small simplifications made):
An interception & replacement works as follows. The AV co intercepts the original certificate, generates a certificate for domain xyz.com and passes that to the browser. The intercepted certificate says this is the public key of xyz.com, and this time it is signed by the AV co.

For the user's browser not to complain that the certificate is not signed by a trustworthy authority, the AV cert must be installed in its root CA repository.

During visiting a site the user does not see the AV root installed cert but the AV root cert is used to validate the “replacement cert” the AV created.

The AV part is just to fit the use case under discussion. A more classic use case (not security related) is in high availability services, where for load balancing reasons a reverse proxy effectively does MITM your backend HTTP servers. The reverse proxy of course uses legitimate certificates, but still your browser doesn't see the HTTPS server's certificate; it sees the reverse proxy's. The whole process is legitimate; this is a non-security example of how SSL interception works, but still the principle is that it works because the user's browser trusts the "pushed certificate" for site xyz.com by the reverse proxy, because it can validate it using the root certificates in its repository.

In the above there's no discussion about how to set up an encrypted channel; we're only discussing how a server authenticates to the browser client. Public key cryptography is of course used to validate the signatures, but in this discussion we did not need to discuss anything about an encrypted channel (TLS does establish an encrypted channel, but this is not relevant for the certificate validation part).

The issue with installing the AV root certificate as a 1-off during installation is that it complicates maintaining it , eg revoking & replacing it - though not impossible - it is probably simpler to maintain it when there’s a browser addon

I find certificate interception invasive and to be honest I don’t see why an antivirus vendor can do better certificate validation than Google (I trust Google more). Probably the only reason they intercept is to be able to decrypt the https traffic and scan that for malware - but at the cost of handing them ownership of the certificate validation process
 
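The two chains described in the post above (a leaf for xyz.com signed by a public root, and an AV-issued replacement leaf that a browser accepts only once the AV root sits in its trust store), together with the issuer and fingerprint comparison Eddie Morra used earlier in the thread to tell a replaced certificate from the original, as an added openssl example that is not part of the thread and not Kaspersky's code. Every CA name, hostname and file name below is constructed; it needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Models (1) a normal chain: a public root
# signs a leaf for xyz.com; (2) interception: an AV root signs a replacement
# leaf for xyz.com, which the "browser" accepts only if the AV root is in its
# trust store; (3) the defender's check: issuer and SHA-256 fingerprint of the
# certificate actually presented. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_root PREFIX CN: self-signed root CA (PREFIX.key, PREFIX.crt).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# issue_leaf ROOT LEAF HOST: leaf certificate for HOST signed by ROOT's key.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 90 -out "$2.crt" 2>/dev/null
}

# browser_accepts STORE LEAF: exit 0 if LEAF chains to a root in STORE (a PEM
# bundle). This is all the "signed by a trusted authority" check amounts to.
browser_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# What a user can read off the presented certificate to spot a replacement:
# who issued it, and its SHA-256 fingerprint (compare with an out-of-band copy).
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
sha256_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# --- build the scenario (constructed names) ---------------------------------
make_root public_ca "Public Root CA (constructed)"
make_root av_root   "AV Vendor Root (constructed)"
issue_leaf public_ca xyz_real     xyz.com   # what xyz.com really serves
issue_leaf av_root   xyz_replaced xyz.com   # what an interceptor would serve

cp  public_ca.crt               store_default.pem   # browser's own trust store
cat public_ca.crt av_root.crt > store_with_av.pem   # after the AV root is added

report() {
    if browser_accepts "$1" "$2"; then echo "ACCEPTED  $2 against $1"
    else                              echo "REJECTED  $2 against $1"; fi
}
report store_default.pem xyz_real.crt       # accepted: normal chain
report store_default.pem xyz_replaced.crt   # rejected: AV root not trusted
report store_with_av.pem xyz_replaced.crt   # accepted: AV root now in store

echo "issuer of presented cert: $(issuer_of xyz_replaced.crt)"
echo "fingerprint real:     $(sha256_fp xyz_real.crt)"
echo "fingerprint replaced: $(sha256_fp xyz_replaced.crt)"
```

The third `report` line is the whole story of the post: nothing about the replacement certificate changes between the second and third checks, only the contents of the trust store. The last three lines are the check from earlier in the thread: a certificate whose issuer is the AV vendor rather than the site's public CA, and whose fingerprint differs from the one the site actually serves, is a replacement, whether or not it is otherwise "legit".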

Local Host

Level 16
Verified
Based on images shared by @harlan4096, it appears Kaspersky Safe Money does mess with the certificates, unless the HTTPS scanning is enabled and that is the one responsible for it.

You can see on the image shared in the post above that it says that the certificate was verified/issued by Kaspersky... but it should say it was issued by DigiCert. Also, the expiration date for the real certificate is July, 2019... not in November.

Looking at the hash data, it's a different certificate, which confirms it once and for all as it not being the real, official one.
Kaspersky has multiple certificates, and the one from November is legit,

[attached image: Untitled.jpg]
 

Eddie Morra

Kaspersky has multiple certificates, and the one from November is legit,
By the way, when I said "real, official one", I was referring to it not being the original one by the service provider. I wasn't saying that Kaspersky's certificates are fake.

I can see why my wording could cause a misunderstanding... my apologies. That's my mistake.
 