Security researchers to AV vendors: “Stop intercepting HTTPS traffic”

Posted 08 February 2017 19:14 CET by Jan Willem Aldershoff

Google, Mozilla, Cloudflare, and researchers from two universities have criticised the interception of HTTPS traffic by antivirus software. According to the researchers and companies, this has far-reaching consequences for the safety of users and their internet connections.

By default, antivirus software cannot access HTTPS traffic. By installing their own root certificate on the user’s computer, antivirus applications have found a way to analyze the content of encrypted internet connections. This method is frequently used by antivirus vendors. However, the way the software intercepts HTTPS traffic decreases the security of those connections. Even worse, the virus scanners introduce all kinds of new vulnerabilities, according to a report released by the researchers and companies.

For the report, the researchers analyzed 8 billion secured connections to the Firefox update servers, to several popular e-commerce websites and to Cloudflare’s content distribution network. About 4% of the connections to the Firefox servers were intercepted, as were 6.2% of the connections to the e-commerce websites and 10.9% of the connections to Cloudflare.

The researchers also analyzed the security impact of the intercepted connections. About 97% of Firefox, 32% of e-commerce, and 54% of Cloudflare connections that were intercepted became less secure.

“Alarmingly, not only did intercepted connections use weaker cryptographic algorithms, but 10–40% advertised support for known-broken ciphers that would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection,” according to the researchers.

While it was already known that security software intercepts HTTPS traffic, the researchers were still surprised: “While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences.”

They hope that security vendors will start using alternatives to HTTPS interception, as “interception products drastically reduce connection security.”
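The finding quoted above concerns the cipher suites an intercepting product advertises in its TLS ClientHello. The following added example, which is not code from the article or the researchers' report, parses a ClientHello record and lists the offered suites that this example treats as known-broken (NULL, export-grade, RC4, single DES); the helper `build_client_hello` and both sample handshakes are constructed test data.

```python
import struct

# IANA cipher suite IDs. Treating NULL, export-grade, RC4 and single-DES
# suites as "known-broken" is this example's assumption, not the report's list.
SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
BROKEN_MARKERS = ("_NULL_", "_EXPORT_", "_RC4_", "_DES_")

def offered_suites(record):
    """Return the cipher suite IDs listed in one TLS ClientHello record."""
    # record hdr 5 + handshake hdr 4 + version 2 + random 32 + session_id len 1
    if len(record) < 44:
        raise ValueError("truncated ClientHello")
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 43 + 1 + record[43]                   # skip the session_id vector
    if len(record) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (size,) = struct.unpack("!H", record[pos:pos + 2])
    body = record[pos + 2:pos + 2 + size]
    if size % 2 or len(body) != size:
        raise ValueError("malformed cipher_suites vector")
    return [sid for (sid,) in struct.iter_unpack("!H", body)]

def audit(record):
    """Names of offered suites that match a known-broken marker."""
    names = [SUITES.get(s, "0x%04X" % s) for s in offered_suites(record)]
    return [n for n in names if any(m in n for m in BROKEN_MARKERS)]

def build_client_hello(suites):
    """Constructed sample data: a minimal TLS 1.2 ClientHello without extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"    # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

BROWSER = build_client_hello([0xC02B, 0xC02F, 0x002F])
INTERCEPTED = build_client_hello([0xC02F, 0x002F, 0x0005, 0x0009, 0x0003])

if __name__ == "__main__":
    for label, hello in (("browser", BROWSER), ("intercepted", INTERCEPTED)):
        print(label, audit(hello))
```

Run against ClientHello records captured at a server or network tap, the same audit shows which clients or middleboxes still offer these suites.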



coolcolors
MyCE Resident
Posted on: 08 Feb 17 18:21
Quote:
Originally Posted by DoMiN8ToR
We've just posted the following news: Security researchers to AV vendors: “Stop intercepting HTTPS traffic”

Read the full article here: http://www.myce.com/news/security-re...traffic-81436/

Please note that the reactions from the complete site will be synched below.
Quote:
Even worse, the virus scanners introduce all kinds of new vulnerabilities, according to a report released by the researchers and companies.
Really is that the best they can do??

Quote:
For the report, the researchers analyzed 8 billion secured connections to the Firefox update servers, to several popular e-commerce websites and to Cloudflare’s content distribution network.
I notice no lags or lost connections or lost funds - this is a scare tactic to let them use their malware stealth installs on unsuspecting users to do data mining.

Quote:
They hope that security vendors will start using alternatives to HTTPS interception as, “interception products drastically reduce connection security.”
They need to stop drinking the koolaid here....A/V is here to stay.
0 Agree

TSJnachos117
MyCE Resident
Posted on: 18 Feb 17 23:37
The AV vendors doing this truly should be ashamed of themselves. No one liked it when SuperFish weakened HTTPS, so why should AV programs do just that? It makes no sense for security supplement software to do something that has been known to degrade security.

@CoolColors: They aren't asking AV vendors to stop making AV software. Rather, they're asking AV vendors to stop interfering with HTTPS.
0 Agree

coolcolors
MyCE Resident
Posted on: 18 Feb 17 23:51
Quote:
Originally Posted by TSJnachos117
The AV vendors doing this truly should be ashamed of themselves. No one liked it when SuperFish weakened HTTPS, so why should AV programs do just that? It makes no sense for security supplement software to do something that has been known to degrade security.

@CoolColors: They aren't asking AV vendors to stop making AV software. Rather, they're asking AV vendors to stop interfering with HTTPS.
HTTPS has been fooled before, so they have reason to protect their investments.
0 Agree

TSJnachos117
MyCE Resident
Posted on: 19 Feb 17 03:44
Investments be darned. Sure, HTTPS has been fooled many times, but that's no reason to weaken it. Of course, I'm never going to be much of a business manager, so I guess I'm not the best person to comment on protecting one's investments, but honestly, I really don't care.
0 Agree

Xercus
Moderator
Posted on: 19 Feb 17 13:41
Quote:
Originally Posted by coolcolors
HTTPS has been fooled before, so they have reason to protect their investments.
Oh, so that makes it ok for any application to lower https security then?

Fact is we don't really need AV anymore unless we handle old software. How many virus infections have we seen lately? What we see is ransomware and other types of malware.

In other words, what we need is a more thorough approach, including sandboxed environments, a default outbound block in our firewall, mitigation to make sure no ransomware can encrypt umpteen thousand files on our computers without being stopped, and protection against process hollowing/hooking, to mention a few countermeasures.

What we don't need is security applications (or any other application, for that matter) that lower our security, and so the article is valid with no koolaid added.
0 Agree
