- May 11, 2014
- 1,639
All the anti-virus applications checked - Avast, Kaspersky and ESET - lower the security of TLS connections in one way or another says Hanno Bock.
The problem was revealed last Sunday by German security blogger and journalist Hanno Bock, who called Kaspersky “extremely irresponsible”.
Bock said that Kaspersky and other AV apps lower the security of websites when they check their encrypted traffic - because they create a TLS connection and certificate when they intercept such traffic, but typically fail to do so in a secure way.
TLS (Transport Layer Security) is the successor encryption protocol to SSL, designed to protect communications over the web.
“I had a closer look at three apps - Avast, Kaspersky and ESET,” Bock said. “All the anti-virus applications I checked lower the security of TLS connections in one way or another.”
Bock said AV systems even undermine the security offered by other software, like web browsers. The result is that sites are more vulnerable to attacks like FREAK, BEAST, CRIME, Lucky Thirteen and others that exploit vulnerabilities in TLS.
Rounding on Kaspersky, he said: “It is vulnerable to the FREAK attack, a vulnerability in several TLS libraries that was found recently. Even worse: it seems this issue has been reported publicly in the Kaspersky Forums more than a month ago and it is not fixed yet.
“Kaspersky enables the HTTPS interception by default for sites it considers as especially sensitive, for example banking web pages. Doing that with a known security issue is extremely irresponsible.”
In response, Kaspersky said in a statement emailed to SCMagazineUK.com that it is working on a patch for its Internet Security for Windows product that will close the vulnerability. The update is due to be delivered automatically before the end of May.
In his blog, Bock detailed multiple other problems with the AV systems he examined: “Each and every TLS-intercepting application I tested breaks HTTP Public Key Pinning (HPKP) which allows a web page to pin public keys of certificates in a browser. It is a very effective protection against malicious or hacked certificate authorities issuing rogue certificates.”
He added: “ESET doesn't support TLS 1.2 and therefore uses a less secure encryption algorithm. Avast and ESET don't support OCSP stapling. Kaspersky enables the insecure TLS compression feature that will make a user vulnerable to the CRIME attack.
“Both Avast and Kaspersky accept nonsensical parameters for Diffie Hellman key exchanges with a size of 8 bit.”
Bock said Avast even undermines the protection offered by the Chrome browser: “Avast is especially interesting because it bundles the Google Chrome browser. It installs a browser with advanced HTTPS features and lowers its security right away.”
He added: “All three tested anti-viruses don't intercept traffic when Extended Validation (EV) certificates are used. The message they are sending seems clear: if you want to deliver malware from a web page, you should buy an Extended Validation certificate.”
Like Kaspersky, Avast is promising to deal with some of Bock's criticisms.
Lukas Rypacek, programme manager at Avast, admitted to SCMagazineUK.com via email: “We don't support OCSP stapling at the moment, but do provide other methods for checking revoked certificates, including CRL and OCSP. Moreover, we will release OCSP stapling support with our next program update.
“Also, we are currently investigating how to add more features like the Public Key Pinning Extension for HTTP, and we are investigating the point regarding the Diffie Hellman parameters.”
But Rypacek insisted: “We are using the OpenSSL library 1.0.2 and therefore are not vulnerable to the FREAK attack. So if a user has an older browser version but uses Avast, they will be protected from FREAK.”
In his blog, Berlin-based Bock criticises the way that AV products generally intercept HTTPS traffic and create their own TLS connections, similar to the way ‘man in the middle' attacks work.
“Man in the middle used to be a description of an attack technique. It seems strange that it turned into something people consider a legitimate security technology.
“I question the value of anti-virus software in a very general sense, I think it's an approach that has very fundamental problems in itself and often causes more harm than good.
“But at the very least they should try not to harm other working security mechanisms. Browsers do a lot these days to make your HTTPS connections more secure. Please don't mess with that.”
Avast's Rypacek defended its approach: “Today, it is easy to host an HTTPS site with malware, so security providers who take security risks seriously must also scan and inspect HTTPS connections.
“To detect malicious files on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. If users do not want Avast to scan HTTPS traffic, they have the option of disabling the feature in the Avast settings.”
Commenting on the rights and wrongs of the AV approach, independent cyber-security expert Amar Singh, chair of the ISACA UK Security Advisory Group, told SCMagazineUK.com via email: “I can see why AV vendors would want to offer to intercept encrypted traffic - in the name of ‘we will ensure that you are not attacked or that you don't fall victim to a fake website'.
“But that view itself raises the overall question of how much trust should be placed on the current certificate-based trust infrastructure on the web.
“I am on record as calling for the end of AV products as we know them, but on balance I think it's probably better to have an AV than not. I would rather organisations spend the time ensuring organisations focus on the basics like user training, awareness of phishing and credential-stealing emails and the like before uninstalling all the AV products.”
ESET emailed SC to comment: “ESET has been aware of TLS interception issues for some time. In current ESET products, TLS inspection, or SSL protocol scanning as we call it, is not enabled as a default setting, as it is an advanced feature.
“ESET is taking these issues very seriously, and our developers are working on an update that is scheduled for release as soon as testing is complete. All ESET customers will be updated automatically.”
In its statement to SCMagazineUK.com, Kaspersky said that while it will issue its fix: “It is important to note that in order to exploit the FREAK vulnerability, it is necessary to employ a man-in-the-middle attack, which is not easy to implement. In order to succeed, both the addressed server and the client have to support the technology that allows it to lower the level of encryption strength.
“On account of this, it is very unlikely that Kaspersky Lab customers could become targeted by such an attack, a view supported by freakattack.com which shows that the share of vulnerable websites is rapidly decreasing and now is down to approximately 11.8 percent.”
The problem was revealed last Sunday by German security blogger and journalist Hanno Bock, who called Kaspersky “extremely irresponsible”.
Bock said that Kaspersky and other AV apps lower the security of websites when they check their encrypted traffic - because they create a TLS connection and certificate when they intercept such traffic, but typically fail to do so in a secure way.
TLS (Transport Layer Security) is the successor encryption protocol to SSL, designed to protect communications over the web.
“I had a closer look at three apps - Avast, Kaspersky and ESET,” Bock said. “All the anti-virus applications I checked lower the security of TLS connections in one way or another.”
Bock said AV systems even undermine the security offered by other software, like web browsers. The result is that sites are more vulnerable to attacks like FREAK, BEAST, CRIME, Lucky Thirteen and others that exploit vulnerabilities in TLS.
Rounding on Kaspersky, he said: “It is vulnerable to the FREAK attack, a vulnerability in several TLS libraries that was found recently. Even worse: it seems this issue has been reported publicly in the Kaspersky Forums more than a month ago and it is not fixed yet.
“Kaspersky enables the HTTPS interception by default for sites it considers as especially sensitive, for example banking web pages. Doing that with a known security issue is extremely irresponsible.”
In response, Kaspersky said in a statement emailed to SCMagazineUK.com that it is working on a patch for its Internet Security for Windows product that will close the vulnerability. The update is due to be delivered automatically before the end of May.
In his blog, Bock detailed multiple other problems with the AV systems he examined: “Each and every TLS-intercepting application I tested breaks HTTP Public Key Pinning (HPKP) which allows a web page to pin public keys of certificates in a browser. It is a very effective protection against malicious or hacked certificate authorities issuing rogue certificates.”
He added: “ESET doesn't support TLS 1.2 and therefore uses a less secure encryption algorithm. Avast and ESET don't support OCSP stapling. Kaspersky enables the insecure TLS compression feature that will make a user vulnerable to the CRIME attack.
“Both Avast and Kaspersky accept nonsensical parameters for Diffie Hellman key exchanges with a size of 8 bit.”
Bock said Avast even undermines the protection offered by the Chrome browser: “Avast is especially interesting because it bundles the Google Chrome browser. It installs a browser with advanced HTTPS features and lowers its security right away.”
He added: “All three tested anti-viruses don't intercept traffic when Extended Validation (EV) certificates are used. The message they are sending seems clear: if you want to deliver malware from a web page, you should buy an Extended Validation certificate.”
Like Kaspersky, Avast is promising to deal with some of Bock's criticisms.
Lukas Rypacek, programme manager at Avast, admitted to SCMagazineUK.com via email: “We don't support OCSP stapling at the moment, but do provide other methods for checking revoked certificates, including CRL and OCSP. Moreover, we will release OCSP stapling support with our next program update.
“Also, we are currently investigating how to add more features like the Public Key Pinning Extension for HTTP, and we are investigating the point regarding the Diffie Hellman parameters.”
But Rypacek insisted: “We are using the OpenSSL library 1.0.2 and therefore are not vulnerable to the FREAK attack. So if a user has an older browser version but uses Avast, they will be protected from FREAK.”
In his blog, Berlin-based Bock criticises the way that AV products generally intercept HTTPS traffic and create their own TLS connections, similar to the way ‘man in the middle' attacks work.
“Man in the middle used to be a description of an attack technique. It seems strange that it turned into something people consider a legitimate security technology.
“I question the value of anti-virus software in a very general sense, I think it's an approach that has very fundamental problems in itself and often causes more harm than good.
“But at the very least they should try not to harm other working security mechanisms. Browsers do a lot these days to make your HTTPS connections more secure. Please don't mess with that.”
Avast's Rypacek defended its approach: “Today, it is easy to host an HTTPS site with malware, so security providers who take security risks seriously must also scan and inspect HTTPS connections.
“To detect malicious files on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. If users do not want Avast to scan HTTPS traffic, they have the option of disabling the feature in the Avast settings.”
Commenting on the rights and wrongs of the AV approach, independent cyber-security expert Amar Singh, chair of the ISACA UK Security Advisory Group, told SCMagazineUK.com via email: “I can see why AV vendors would want to offer to intercept encrypted traffic - in the name of ‘we will ensure that you are not attacked or that you don't fall victim to a fake website'.
“But that view itself raises the overall question of how much trust should be placed on the current certificate-based trust infrastructure on the web.
“I am on record as calling for the end of AV products as we know them, but on balance I think it's probably better to have an AV than not. I would rather organisations spend the time ensuring organisations focus on the basics like user training, awareness of phishing and credential-stealing emails and the like before uninstalling all the AV products.”
ESET emailed SC to comment: “ESET has been aware of TLS interception issues for some time. In current ESET products, TLS inspection, or SSL protocol scanning as we call it, is not enabled as a default setting, as it is an advanced feature.
“ESET is taking these issues very seriously, and our developers are working on an update that is scheduled for release as soon as testing is complete. All ESET customers will be updated automatically.”
In its statement to SCMagazineUK.com, Kaspersky said that while it will issue its fix: “It is important to note that in order to exploit the FREAK vulnerability, it is necessary to employ a man-in-the-middle attack, which is not easy to implement. In order to succeed, both the addressed server and the client have to support the technology that allows it to lower the level of encryption strength.
“On account of this, it is very unlikely that Kaspersky Lab customers could become targeted by such an attack, a view supported by freakattack.com which shows that the share of vulnerable websites is rapidly decreasing and now is down to approximately 11.8 percent.”
