German journalist and researcher Hanno Böck has analyzed three popular antivirus products and determined that each one of them lowers security when they intercept HTTPS traffic.
Böck was featured in several news articles in February after the world learned that Lenovo had pre-installed a piece of adware known as Superfish on laptops. Superfish came into the spotlight when experts discovered that it broke the security of HTTPS connections in order to inject ads into web pages. After the Superfish incident came to light, Böck revealed that Privdog, a tool promoted by Comodo and designed to replace ads with ones from trusted sources, was “worse than Superfish.”
Now, the expert has analyzed the impact of antivirus products on HTTPS security. Security solutions are designed to intercept HTTPS traffic in order to see if it contains any malicious elements. In order to do this, they conduct a man-in-the-middle (MitM) attack by replacing the SSL certificate with a root certificate installed on the user’s system.
All of the three solutions analyzed by Böck — Avast, ESET and Kaspersky Lab — are capable of intercepting HTTPS traffic. By default, Avast intercepts all encrypted traffic, Kaspersky intercepts traffic to certain important websites (e.g. banking sites), and ESET doesn’t intercept any traffic unless the user enables this option.
Following reports of TLS vulnerabilities such as BEAST, Lucky 13, and FREAK, organizations, particularly browser vendors, have started paying more attention to HTTPS security. However, many products, including antiviruses, still expose users to attacks due to the improper handling of TLS connections.
According to Böck, all of the security products he tested break Public Key Pinning Extension for HTTP (HPKP), a security feature designed to prevent MitM attacks leveraging forged certificates by instructing the web client to associate a cryptographic key with a certain web server.
“Browsers made a compromise when introducing HPKP. They won’t enable the feature for manually installed certificates. The reason for that is simple (although I don’t like it): If they hadn’t done that they would’ve broken all TLS interception software like these antivirus applications. But the applications could do the HPKP checking themselves. They just don’t do it,” the expert explained in a blog post.
The researcher reported that Kaspersky’s product is vulnerable to FREAK attacks, in which an attacker can force clients to use weaker, export-grade RSA encryption. This can be problematic considering that Kaspersky intercepts HTTPS traffic by default for important websites, the expert said.
“I also found a number of other issues. ESET doesn’t support TLS 1.2 and therefore uses a less secure encryption algorithm. Avast and ESET don’t support OCSP stapling. Kaspersky enables the insecure TLS compression feature that will make a user vulnerable to the CRIME attack,” Böck reported. “Both Avast and Kaspersky accept nonsensical parameters for Diffie Hellman key exchanges with a size of 8 bit. Avast is especially interesting because it bundles the Google Chrome browser. It installs a browser with advanced HTTPS features and lowers its security right away.”
The expert also pointed out that none of the security products he tested intercept traffic when Extended Validation (EV) certificates are used, most likely because it would cause browsers not to display the green bar in the address line. Antivirus companies often advise users to check for the presence of the green bar and the padlock icon next to a site’s URL to ensure that a website is legitimate, so causing the security symbol not to be displayed would probably cause concern.
“The message the antivirus companies are sending seems clear: If you want to deliver malware from a web page you should buy an Extended Validation certificate,” Böck said.
The researcher noted that while modern web browsers handle TLS connections properly, the use of these antivirus applications actually lowers HTTPS security.
“I think these technologies are a misguided approach. The problem is not that they make mistakes in implementing these technologies, I think the idea is wrong from the start. Man in the Middle used to be a description of an attack technique,” the researcher said.
“It seems strange that it turned into something people consider a legitimate security technology. Filtering should happen on the endpoint or not at all. Browsers do a lot these days to make your HTTPS connections more secure. Please don’t mess with that.”
ESET representatives said the company is aware of the issues presented by the researcher.
“We are aware of this issue and we’ve prepared an update, which will be released soon, to ensure that our users can enjoy the web securely,” stated Juraj Malcho, Chief Research Officer, Core Research and Development, ESET.
Kaspersky is also working on a patch to mitigate the FREAK vulnerability, but the company believes it’s unlikely that its customers will be targeted in such attacks.
“Kaspersky Lab is aware of this issue but it is important to note that in order to exploit the SSL/TSL encryption protocol vulnerability (known as FREAK) it is required to employ a Man-in-the-Middle attack, which is not always easy to implement. In order to succeed, both the addressed server and the client have to support the technology that allows it to lower the level of encryption strength,” the company told SecurityWeek. “On account of this, it is very unlikely that Kaspersky Lab customers could become targeted by such an attack, a view supported by freakattack.com which shows that the share of vulnerable web-sites is rapidly decreasing and now is down to approximately 11.8%.”
“However, in order to further reduce the possibility, Kaspersky Lab is working on a patch that closes the vulnerability by using the latest encryption protocols. The relevant update for Kaspersky Internet Security for Windows is scheduled to be delivered automatically before the end of May,” Kaspersky added.
Avast provided a detailed explanation on how it handles HTTPS traffic interception and its plans for addressing some of the issues highlighted by Böck.
“Today, it is easy to host an HTTPS site with malware, so that security providers who take security risks seriously must also scan and inspect HTTPS connections. The pure fact that a connection is encrypted with HTTPS doesn’t mean much any longer,” Lukas Rypacek, Program Manager at Avast Software, told SecurityWeek.
“The Avast Web Shield scans HTTPS sites for malicious files. To detect malicious files on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are added into the root certificate store in Windows and in major browsers,” Rypacek explained. “By scanning HTTPS traffic, we can protect our users against threats coming over HTTPS traffic that otherwise could not be detected.”
Avast advises users who don’t want their antivirus to scan HTTPS traffic to disable the “Enable HTTPS scanning” feature in the settings menu under Active Protection -> Web Shield.
“We are using the OpenSSL library 1.0.2 and therefore are not vulnerable to the FREAK attack. So if a user has an older browser version but uses Avast, he will be protected from the FREAK attack,” noted Rypacek. “We don’t support OCSP stapling at the moment, but do provide other methods for checking revoked certificates, including CRL and OCSP. Moreover, we will release OCSP stapling support with our next program update. Also, we are currently investigating how to add more features like the Public Key Pinning Extension for HTTP, and we are investigating the point regarding the Diffie Hellman parameters.”