Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Antivirus Software Weakens HTTPS Security: Researcher

German journalist and researcher Hanno Böck has analyzed three popular antivirus products and determined that each one of them lowers security when they intercept HTTPS traffic.

German journalist and researcher Hanno Böck has analyzed three popular antivirus products and determined that each one of them lowers security when they intercept HTTPS traffic.

Böck was featured in several news articles in February after the world learned that Lenovo had pre-installed a piece of adware known as Superfish on laptops. Superfish came into the spotlight when experts discovered that it broke the security of HTTPS connections in order to inject ads into web pages. After the Superfish incident came to light, Böck revealed that Privdog, a tool promoted by Comodo and designed to replace ads with ones from trusted sources, was “worse than Superfish.”

Now, the expert has analyzed the impact of antivirus products on HTTPS security. Security solutions are designed to intercept HTTPS traffic in order to see if it contains any malicious elements. In order to do this, they conduct a man-in-the-middle (MitM) attack by replacing the SSL certificate with a root certificate installed on the user’s system.

All of the three solutions analyzed by Böck — Avast, ESET and Kaspersky Lab — are capable of intercepting HTTPS traffic. By default, Avast intercepts all encrypted traffic, Kaspersky intercepts traffic to certain important websites (e.g. banking sites), and ESET doesn’t intercept any traffic unless the user enables this option.

Following reports of TLS vulnerabilities such as BEAST, Lucky 13, and FREAK, organizations, particularly browser vendors, have started paying more attention to HTTPS security. However, many products, including antiviruses, still expose users to attacks due to the improper handling of TLS connections.

According to Böck, all of the security products he tested break Public Key Pinning Extension for HTTP (HPKP), a security feature designed to prevent MitM attacks leveraging forged certificates by instructing the web client to associate a cryptographic key with a certain web server.

“Browsers made a compromise when introducing HPKP. They won’t enable the feature for manually installed certificates. The reason for that is simple (although I don’t like it): If they hadn’t done that they would’ve broken all TLS interception software like these antivirus applications. But the applications could do the HPKP checking themselves. They just don’t do it,” the expert explained in a blog post.

The researcher reported that Kaspersky’s product is vulnerable to FREAK attacks, in which an attacker can force clients to use weaker, export-grade RSA encryption. This can be problematic considering that Kaspersky intercepts HTTPS traffic by default for important websites, the expert said.

Advertisement. Scroll to continue reading.

“I also found a number of other issues. ESET doesn’t support TLS 1.2 and therefore uses a less secure encryption algorithm. Avast and ESET don’t support OCSP stapling. Kaspersky enables the insecure TLS compression feature that will make a user vulnerable to the CRIME attack,” Böck reported. “Both Avast and Kaspersky accept nonsensical parameters for Diffie Hellman key exchanges with a size of 8 bit. Avast is especially interesting because it bundles the Google Chrome browser. It installs a browser with advanced HTTPS features and lowers its security right away.”

The expert also pointed out that none of the security products he tested intercept traffic when Extended Validation (EV) certificates are used, most likely because it would cause browsers not to display the green bar in the address line. Antivirus companies often advise users to check for the presence of the green bar and the padlock icon next to a site’s URL to ensure that a website is legitimate, so causing the security symbol not to be displayed would probably cause concern.

“The message the antivirus companies are sending seems clear: If you want to deliver malware from a web page you should buy an Extended Validation certificate,” Böck said.

The researcher noted that while modern web browsers handle TLS connections properly, the use of these antivirus applications actually lowers HTTPS security.

“I think these technologies are a misguided approach. The problem is not that they make mistakes in implementing these technologies, I think the idea is wrong from the start. Man in the Middle used to be a description of an attack technique,” the researcher said.

“It seems strange that it turned into something people consider a legitimate security technology. Filtering should happen on the endpoint or not at all. Browsers do a lot these days to make your HTTPS connections more secure. Please don’t mess with that.”

ESET representatives said the company is aware of the issues presented by the researcher.

“We are aware of this issue and we’ve prepared an update, which will be released soon, to ensure that our users can enjoy the web securely,” stated Juraj Malcho, Chief Research Officer, Core Research and Development, ESET.

Kaspersky is also working on a patch to mitigate the FREAK vulnerability, but the company believes it’s unlikely that its customers will be targeted in such attacks.

“Kaspersky Lab is aware of this issue but it is important to note that in order to exploit the SSL/TSL encryption protocol vulnerability (known as FREAK) it is required to employ a Man-in-the-Middle attack, which is not always easy to implement. In order to succeed, both the addressed server and the client have to support the technology that allows it to lower the level of encryption strength,” the company told SecurityWeek. “On account of this, it is very unlikely that Kaspersky Lab customers could become targeted by such an attack, a view supported by freakattack.com which shows that the share of vulnerable web-sites is rapidly decreasing and now is down to approximately 11.8%.”

“However, in order to further reduce the possibility, Kaspersky Lab is working on a patch that closes the vulnerability by using the latest encryption protocols. The relevant update for Kaspersky Internet Security for Windows is scheduled to be delivered automatically before the end of May,” Kaspersky added.

Avast provided a detailed explanation on how it handles HTTPS traffic interception and its plans for addressing some of the issues highlighted by Böck.

“Today, it is easy to host an HTTPS site with malware, so that security providers who take security risks seriously must also scan and inspect HTTPS connections. The pure fact that a connection is encrypted with HTTPS doesn’t mean much any longer,” Lukas Rypacek, Program Manager at Avast Software, told SecurityWeek

“The Avast Web Shield scans HTTPS sites for malicious files. To detect malicious files on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are added into the root certificate store in Windows and in major browsers,” Rypacek explained. “By scanning HTTPS traffic, we can protect our users against threats coming over HTTPS traffic that otherwise could not be detected.”

Avast advises users who don’t want their antivirus to scan HTTPS traffic to disable the “Enable HTTPS scanning” feature in the settings menu under Active Protection -> Web Shield.

“We are using the OpenSSL library 1.0.2 and therefore are not vulnerable to the FREAK attack. So if a user has an older browser version but uses Avast, he will be protected from the FREAK attack,” noted Rypacek. “We don’t support OCSP stapling at the moment, but do provide other methods for checking revoked certificates, including CRL and OCSP. Moreover, we will release OCSP stapling support with our next program update. Also, we are currently investigating how to add more features like the Public Key Pinning Extension for HTTP, and we are investigating the point regarding the Diffie Hellman parameters.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.