Ditch the HTTPS Scanning feature of your Antivirus

Discussion in 'Off-topic' started by Gass, Mar 16, 2017.

  1. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    Sat. 11 March 2017
    Users might be vulnerable while accessing secure HTTPS websites, and their antivirus is to blame.
    A thorough research paper (https://zakird.com/papers/https_interception.pdf), conducted by experts at Mozilla Firefox, Google, Cloudflare and three American universities, shows that several popular antivirus products “drastically reduce connection security” and expose users to decryption attacks. This isn't new by any means, and the HTTPS interception technique used by antiviruses has been the subject of debate for several years.

    Half of the world’s traffic is encrypted using the secure TCP/IP HTTPS protocol.
    Because traffic is encrypted, it’s not normally accessible for security inspections. However, antivirus products install their own root certificates on computers to be able to analyze HTTPS traffic.
    But instead of helping the user stay safe, this opens the gate to vulnerabilities, the study shows.

    And here's the problem:
    Security software vendors are poorly handling inspection after the TLS handshake, according to the researchers. They’ve looked at eight billion TLS handshakes generated by Firefox, Chrome, Safari, and Internet Explorer, with antivirus software on.
    Researchers have analyzed Firefox’s update servers, a set of popular e-commerce websites and the Cloudflare content distribution network.

    “In each case, we find more than an order of magnitude more interception than previously estimated,” the paper reads.
    They found interception happening on four percent of connections to Mozilla's Firefox update servers, 6.2 percent of e-commerce sites, and 10.9 percent of US Cloudflare connections. What’s worrying is that when intercepted, 97 percent of Firefox, 32 percent of e-commerce, and 54 percent of Cloudflare connections became less secure.

    “As a class, interception products drastically reduce connection security. Most concernedly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities,” the report reads.

    Not only does security software reduce connection security, it also introduces vulnerabilities such as failure to validate certificates.

    “While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences,” the researchers say.

    They’ve published the result hoping to encourage manufacturers “to improve their security profiles and prompt the security community to discuss alternatives to HTTPS interception”.

    Another serious problem enabled by the HTTPS scanning feature is that it breaks HTTP Public Key Pinning (HPKP). HPKP is a technology enabling website operators to "remember" the public keys of SSL certificates in browsers, enforcing the use of specific public keys for specific websites. This reduces the risk of MITM attacks using rogue/non-authorized SSL certificates. But HTTPS scanning and HPKP can't work together; therefore, if a website has HPKP enabled, when you access it the support for HPKP for that site will be disabled in the browser.

    For the sake of example, we tested three antivirus products (Eset, Kaspersky and BitDefender) with the HTTPS scanning feature enabled against an HPKP test website. (https://projects.dm.id.lv/Public-Key-Pins_test)
    What to do:
    Meanwhile, our advice is to just disable the HTTPS scanning feature of your antivirus. This functionality contradicts the very idea of TLS/HTTPS point-to-point security and gives users a false sense of security.

    This is how to disable it in the 3 security products tested.
    Eset Internet Security:
    Setup > Internet Protection > Web Access Protection > Web Protocols > uncheck Enable HTTPS checking

    Kaspersky Internet Security:
    Settings > Additional > Network > Encrypted connections scanning > Do not scan encrypted connections
    Note: By default it is set to scan encrypted connections upon request from security components, which isn't as intrusive as with other products.

    BitDefender Internet Security:
    View Modules > Web Protection > disable Scan SSL

    Credit to the Author and source:
    vpn.ac - blog

    Further Reading:
    SSL/TLS/HTTPS: Keeping the public uninformed
    http://www.computerworld.com/articl...-tls-https-keeping-the-public-uninformed.html

    HPKP: HTTP Public Key Pinning
    https://scotthelme.co.uk/hpkp-http-public-key-pinning/

    Pinning hopes on pinning
    http://www.economist.com/blogs/babbage/2011/09/internet-security-0

    Would Adguard be considered a "network middlebox", and do its users need to be concerned?
     
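    The post above explains that inspection products work by installing their own root certificate on the machine. As an added example (not part of the post, the paper, or any vendor's software), here is a standard-library Python check that lists the CA certificates the system trusts by default and flags those whose subject names an HTTPS-inspection product, recording whether the entry is self-signed (a real trust anchor) rather than an intermediate. The vendor name patterns are an assumption drawn from the products named in this thread; extend them for your own environment. The sample trust store at the bottom is constructed so the check can be exercised offline.

```python
import re
import ssl

# Subject-name patterns that point at an HTTPS-inspection root. The vendors are
# the ones discussed in this thread; the list is an assumption, so extend it for
# whatever interception software (AV, endpoint agent, proxy) you expect locally.
INTERCEPTION_PATTERNS = [r"\bESET\b", r"\bKaspersky\b", r"\bBitdefender\b", r"\bAdguard\b"]


def name_to_text(name):
    """Flatten an ssl-module distinguished name, e.g.
    ((('organizationName', 'X'),), (('commonName', 'Y'),)) -> 'organizationName=X, commonName=Y'."""
    return ", ".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def find_interception_roots(ca_certs, patterns=INTERCEPTION_PATTERNS):
    """Scan certificate dicts shaped like SSLContext.get_ca_certs() output and return
    those whose subject matches one of the patterns. A trust anchor installed by an
    inspection product is self-signed (subject == issuer); that is recorded so a
    matching, self-signed entry stands out as the strongest signal."""
    regex = re.compile("|".join(patterns), re.IGNORECASE)
    hits = []
    for cert in ca_certs:
        subject = name_to_text(cert.get("subject", ()))
        issuer = name_to_text(cert.get("issuer", ()))
        if regex.search(subject):
            hits.append({
                "subject": subject,
                "self_signed": subject == issuer,
                "notAfter": cert.get("notAfter"),
            })
    return hits


def scan_default_trust_store():
    """Load the default CA set the way a Python TLS client would and scan it.
    On Windows this reads the system ROOT and CA stores; on other platforms the
    OpenSSL cafile/capath. With a capath directory OpenSSL loads certificates
    lazily, so the result can be incomplete until a connection has been made."""
    ctx = ssl.create_default_context()  # calls load_default_certs() for SERVER_AUTH
    return find_interception_roots(ctx.get_ca_certs())


# Constructed sample store: one public root, one intermediate from a public CA,
# and one self-signed root with a made-up name in the shape an AV product installs.
SAMPLE_STORE = [
    {
        "subject": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                    (("commonName", "DigiCert Global Root CA"),)),
        "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                   (("commonName", "DigiCert Global Root CA"),)),
        "notAfter": "Nov 10 00:00:00 2031 GMT",
    },
    {
        "subject": ((("organizationName", "Example CA"),), (("commonName", "Example Intermediate CA"),)),
        "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),)),
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
    {
        "subject": ((("organizationName", "Kaspersky"),),
                    (("commonName", "Kaspersky Personal Root (constructed sample)"),)),
        "issuer": ((("organizationName", "Kaspersky"),),
                   (("commonName", "Kaspersky Personal Root (constructed sample)"),)),
        "notAfter": "Dec 31 23:59:59 2029 GMT",
    },
]

if __name__ == "__main__":
    for hit in find_interception_roots(SAMPLE_STORE):
        print("sample store:", hit)
    for hit in scan_default_trust_store():
        print("this machine:", hit)
```

    Run it on the machine in question: an empty result for the live scan means none of the named products has a root in the trust store Python sees, which is the precondition for the interception the paper measures. A hit that is self-signed and still present after you have turned HTTPS scanning off is worth removing by hand, since the private key for that root lives on the same machine as the software that generated it.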
  2. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    3,948
    HPKP also fails when HTTPS filtering is enabled in Adguard.

    @avatar can this be addressed/supported/properly fixed (e.g. not using HTTPS exclusions)?
     
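    The first post says HPKP and HTTPS scanning "can't work together" and the reply above reports the same for Adguard's HTTPS filtering. The mechanism behind both observations, as an added example that is not part of either post or of any browser's or vendor's code: a pin is base64(SHA-256(SubjectPublicKeyInfo)), the site sends its pins in a Public-Key-Pins header, and the browser checks that a validated chain contains a pinned key. RFC 7469 section 2.6 permits skipping that check when the chain terminates at a user-added trust anchor, and Chrome and Firefox did so by default, which is exactly the chain an interception product produces. The SPKI byte strings below are constructed stand-ins for real DER, and the status names and function names are this example's own.

```python
import base64
import hashlib

PINNED_OK = "PINNED_OK"                      # chain contains a pinned key
PIN_FAILURE = "PIN_FAILURE"                  # pins enforced, no key in the chain matches
BYPASSED_LOCAL_ROOT = "BYPASSED_LOCAL_ROOT"  # chain ends at a user-installed root: pins not checked
NO_BACKUP_PIN = "NO_BACKUP_PIN"              # header lacks a pin that is absent from the chain


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins and directives."""
    pins, max_age, include_subdomains = set(), None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def evaluate_pins(header: str, chain_spkis, user_added_root: bool) -> str:
    """Model a browser deciding whether a validated chain satisfies a host's pins.

    chain_spkis: DER SPKI of each certificate in the validated chain, leaf first.
    user_added_root: True when the chain terminates at a trust anchor installed by
    the user or by local software (the AV / Adguard case) instead of a built-in one.
    Per RFC 7469 section 2.6 such chains may skip pin validation, so the pins are
    never consulted. The RFC also requires a backup pin, i.e. at least one pin
    that does not match any key in the current chain."""
    if user_added_root:
        return BYPASSED_LOCAL_ROOT
    pins = parse_pkp_header(header)["pins"]
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    if not pins - chain_pins:
        return NO_BACKUP_PIN
    return PINNED_OK if pins & chain_pins else PIN_FAILURE


# Constructed stand-ins for DER SubjectPublicKeyInfo bytes. For a real certificate:
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER
SITE_KEY = b"constructed SPKI: site leaf key"
BACKUP_KEY = b"constructed SPKI: site backup key kept offline"
PUBLIC_INTERMEDIATE = b"constructed SPKI: public intermediate CA"
PUBLIC_ROOT = b"constructed SPKI: public root CA"
AV_LEAF_KEY = b"constructed SPKI: leaf re-signed by the AV"
AV_ROOT_KEY = b"constructed SPKI: AV interception root"

LEGIT_CHAIN = [SITE_KEY, PUBLIC_INTERMEDIATE, PUBLIC_ROOT]
INTERCEPTED_CHAIN = [AV_LEAF_KEY, AV_ROOT_KEY]


def site_pkp_header() -> str:
    """The header the real site sends: its current key plus an offline backup pin."""
    return (f'pin-sha256="{spki_pin(SITE_KEY)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
            'max-age=5184000; includeSubDomains')


if __name__ == "__main__":
    header = site_pkp_header()
    print("direct connection:      ", evaluate_pins(header, LEGIT_CHAIN, user_added_root=False))
    print("AV chain, pins enforced:", evaluate_pins(header, INTERCEPTED_CHAIN, user_added_root=False))
    print("AV chain, as browsers do:", evaluate_pins(header, INTERCEPTED_CHAIN, user_added_root=True))
```

    The second and third lines of output are the whole story: if the browser enforced the stored pins against the re-signed chain the page would not load at all, so browsers instead exempt locally-installed roots, and the HPKP test page reports pinning as unsupported. Browsers have since removed HPKP entirely (Chrome and Firefox in their version 72 releases), so this models the 2017-era behaviour the thread is discussing, not current browsers.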
  3. avatar

    avatar Administrator Staff Member Administrator

    Joined:
    Oct 26, 2010
    Messages:
    13,140
  4. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://xxxxxxx.com again.

    Okay, when I see this (above) I disable Adguard and I can then reach the site(s) that I get this on - not a lot, but enough to know it's a setting I've enabled in Adguard making this happen. Does this have anything to do with this thread?
    What setting is most likely to generate it?
    How's that new Knowledge Base write-up for Adguard and its settings coming?
    Will we get to see it before Adguard v6.2 comes along?

    PS: KIS is not set to scan encrypted connections.
    Adguard:
    Use WFP Network Driver - NO
    Filter HTTPS Protocol - YES
    Do Not Filter Websites With EV Certificates - YES
    Thanks,
    Gass :D
     
    Last edited: Mar 17, 2017
  5. Boo Berry

    Boo Berry Moderator + Beta Tester Moderator

    Joined:
    May 30, 2012
    Messages:
    3,948
  6. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    That's cool :)
    Thank You BB.
    But is there going to be a write-up (for Adguard installed on Windows) of do's and don'ts of settings for Stealth Mode and Advanced settings?
    Something for a noob to understand the difference between the default installed Adguard settings and then tweaking any settings a user would do in customizing their Adguard install from the defaults?
    Yes, I just briefly thumbed through it.

    Gass
     
  7. vasily_bagirov

    vasily_bagirov Administrator Staff Member Administrator

    Joined:
    Jul 1, 2014
    Messages:
    6,903
    We can't really tell our users "you have to enable this option and disable that option". What we can do is provide detailed info on what each setting in Stealth Mode/Advanced settings does and what the consequences of enabling/disabling it may be. This is more or less what the article about Stealth Mode looks like now; maybe we can go more in-depth (but not too much, this is a knowledgebase after all, and not a specialized forum).
     
  8. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    Hey howdy - you doing good in 2017 I hope :)

    I can see your point and I see the glass half full too (as opposed to half empty).
    I haven't spent much time in the KB yet - so I'm looking forward to, when I can spend a half a day there at least.
    I'm sure many of my questions have answers found there. Whoever the author(s) are, they deserve a "job well done and an atta boy" thanks. @avatar had mentioned this awhile back in https://forum.adguard.com/index.php?threads/clarity-of-traffic-filtration.13766/#post-101943
    If that's still the same person I thank you but won't name you personally right now.

    As you've said "it's a knowledgebase after all, and not a specialized forum" - so could we be seeing a devoted department/compartment for Stealth Mode and Advanced settings combined here in the Adguard forums, like what's already offered for the different OSes that Adguard supports, Adguard Browser Extensions or Filter Rules, and having it at some point be expanded to cover these topics? Possibly breaking it down into sub-categories or subsections like general discussion, technical support, feature requests, release notes.

    Not a 1,2,3's or A,B,C's to enable this option and/or disable that option, but not being a matter of trial and error to the user either, as it's mostly been - some happy medium place. With this kind of a structured place the Adguard Knowledge Base can prosper with new information to add, and Adguard users can have an outlet here in the forums to use specifically for Stealth Mode and Advanced settings talks and questions.

    Somewhere devoted in the forums to Stealth Mode and Advanced settings for a go to place and would contain relevant information and discussions for/from the noob to the expert users to sharing, caring, learning, teaching, and experiencing Adguard fully.

    As always I think a lot and talk too much.
    Thanks, Gass :D

    From my prior thoughts on the subject back in Dec.2016-
     
    Last edited: Mar 18, 2017
  9. vasily_bagirov

    vasily_bagirov Administrator Staff Member Administrator

    Joined:
    Jul 1, 2014
    Messages:
    6,903
    There are mostly basic things there, along with solutions to some of the most common problems/questions. We plan on adding much more content over time.

    I don't see it being implemented now - there's always a possibility to create a new thread about Stealth Mode issues within 'Adguard for Windows' forum. If Stealth Mode grows big and becomes cross-platform, we might consider doing so.
     
  10. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    @vasily_bagirov
    It's a dream I have to see the Stealth Mode and Advanced settings topics covered by having their own labeled part in the Adguard Forums, as the Adguard program came to know it from the (Adguard Developers) addition of it, and then the end users saw it implemented in version 6. It's still a mostly taboo subject, being covered (partly or fully) nowhere for the users' questions seeking answers and for the knowledge of it sought by them.

    As you've said before, many users will be happy with its default settings (Stealth Mode), and those who are not are only among the 10% that would change something of it. That's totally overlooking that there do exist options to change settings, afforded to the end user to actually make some changes within the "Stealth Mode" and the "Advanced" settings menus of each. It's only normal to leave something alone when you know nothing of it, or maybe have tried a changed setting which has caused an ill effect as to the result.

    I still say that the "new" Adguard Knowledge Base article can prosper with new information to add to it from that which is gained right here in the Adguard Forums - in the discussions of users having a dedicated outlet to pursue more of an understanding of this mystic creature (Stealth Mode) and the settings thereof, the Adguard program as a whole, and, not to mention, if understood better maybe some features to be requested by the end users to be added, as in new privacy modules, whereas in the times we live in technology continues bombarding the privacy of our daily lives.

    In 2017/2018 - so too should it be that the Adguard forums be a place to cover all its Adguard program features in devoted topic departments for users' discussions and input. Otherwise, for most Adguard end users, understanding its proper use still remains an out-of-reach topic for the most part. Then the only end users really contributing here in the Adguard Forums are the ones reporting troubles they've had, or reports of the program missing something, or not doing/allowing this or that.

    The Adguard Forums should be more of a well-rounded nature for all end users who purchased a license, with given directions, guides, tutorials, classes in putting it on the Adguard map for all license holders to understand it, for users' questions and the answers they seek - but - these are all mere words for now, as to the interactivity between the program and end users' benefits in its program's own topics, in devoted departments of learning with teacher/user conversations within the Adguard Forums.

    Most everything (and I did say MOST) already covered on the Adguard Forums could very well have been added in the https://github.com/AdguardTeam directory there. The way end users see and use the forums is less than desirable to the Adguard name and program reputation; its forums' repertoire reads as lacking, troubles, didn't get it right, when will this be corrected, and as regards esteem with a favorable and publicly recognized name standing for merit, achievement, reliability, those are hardly even seen here within the forums. Not a good selling point in the least, would you say? And I ask, why not change this to where 85% of this kind of forums talk moves to the link I gave above for that anyways.

    It's only if a user spends some time here or is part of a current conversation that they find out that Adguard knows, cares and is working for a solution(s). Then if these forums were 85% geared to a learning experience open to the end users - all united end users with the purpose to learn and understand Adguard as a program and then in time going on to being a contributing force as a team member of its advancement here and of the Adguard program at large. Then the remaining 15% could be geared to general announcements of problems solved, open invitations to help or work on those areas needing attention to a workable resolve.

    Who couldn't use an extra 1,000 and up more contributors of a positive nature to shoot up the egos of the overworked here already to the highest levels possible? I personally don't feel cheated as much as I feel I could do more if given the chance to understand and learn of the program itself, so as to know just how to apply myself on the forums or in general troubleshooting, reproducing an error or failure, to help out more with the resolve.

    Hope that you don't mind if I dream a little :)
    Gass :D

    It takes more personal energy to frown than to smile.
    It's all too common for the human species to find fault rather than give praise.
    Still, energy used to complain could be energy used to find a solution, and only
    the lazy find that complaining is meaningful as a resolve to their problems. . .
     
    Last edited: Mar 23, 2017
  11. vasily_bagirov

    vasily_bagirov Administrator Staff Member Administrator

    Joined:
    Jul 1, 2014
    Messages:
    6,903
    @Gass I absolutely don't mind that :) We'll keep in mind your suggestion.
     
  12. Gass

    Gass Member

    Joined:
    Jan 30, 2015
    Messages:
    437
    @vasily_bagirov
    Your comment came in as I was editing my previous comment - so hope you still feel the same.
    I truly do understand that Adguard is somewhat of a small company - so it could rely on advanced users, beta testers and smart users, all license holders of Adguard, to advance the Adguard Forums in the direction I've suggested.

    In the end, or as results-driven, more (so many more people - Adguard License holders) will find a stake here to help out, as each generation teaches the next new ones. Thinking of the longevity of Adguard's existence into the future, and then of the way technology has been being used by evildoers as it advances, these are areas to add to Adguard over time. The bigger or higher Adguard is to grow, the more important it is to have a broad, wide, solid foundation to rise up from into the highest levels possible.
    (generation, for clarity here, is meaning year to year)

    I do have dreams enough for us all :)
    Every computer / smart device sold or any internet connection purchased should seek an Adguard License - I mean Adguard is seeking to be that good, but part of the equation to being that good is for people to understand just how really good it is, and this is where teaching on the forums, in learning how to use Adguard, is needed for all - that's in the greatest need of being taught right here in the Adguard Forums, and with members feeling accomplishment in mastering its knowledge fully, then being carried over in the idle conversations of its member base in their walks of life enough to be overheard by non-members, and then would-be future Adguard License holders. Every Adguard License holder is a salesperson for the next generation coming to Adguard. Think about that for a minute and then live it every day.

    The developers of Adguard and the Adguard Team were the initial foundation, but every license holder is like a shareholder of stock in the Adguard product and name and should be considered a constant in this broad foundation model as well. Think or rethink of the possibilities, Adguard, and of each new tomorrow, and when the sun sets on that day, where could Adguard in that day have been better handled in getting up and keeping with that growing momentum to bring every online user into the Adguard family to buying a license.

    Longevity is not just a person buying a license today, but keeping them coming back year after year or investing for their lifetime; that's where Adguard learning comes into play, and the Adguard Forums should have an important role here - if not be looked upon as its foundation's extension to growth and sustainability.
    Gass :D
     
    Last edited: Mar 23, 2017