
Some Bitdefender products break HTTPS certificate revocation


12 replies to this topic

#1 NickAu


Posted 01 March 2015 - 10:22 PM

 

Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.

Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.

While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.

http://www.networkworld.com/article/2889693/some-bitdefender-products-break-https-certificate-revocation.html
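A simplified model of the flaw described in the excerpt above, added here as an illustration; it is not part of the original post, the linked article, or any vendor's code. The CA names, hostnames, serial numbers and the `Interceptor` class are assumptions, and only revocation is modelled (no signatures or chain building).

```python
from dataclasses import dataclass

# Constructed sample data: CA names, hostnames and serials are illustrative.
PUBLIC_CA = "Example Public CA"
LOCAL_ROOT = "Local Scanning Root"   # root the product installs locally
CRLS = {PUBLIC_CA: {0x1001}, LOCAL_ROOT: set()}  # issuer -> revoked serials
TRUSTED = {PUBLIC_CA, LOCAL_ROOT}    # client trust store after installation

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def is_revoked(cert):
    return cert.serial in CRLS.get(cert.issuer, set())

def browser_accepts(cert):
    """Client check: issuer is trusted and the cert is not on its CRL."""
    return cert.issuer in TRUSTED and not is_revoked(cert)

class Interceptor:
    """Re-signs upstream certificates under the local root (revocation only)."""
    def __init__(self, check_upstream_revocation):
        self.check = check_upstream_revocation
        self.next_serial = 1

    def substitute(self, upstream):
        # The hardened variant refuses to re-sign a revoked upstream cert.
        if self.check and is_revoked(upstream):
            return None
        cert = Cert(upstream.subject, LOCAL_ROOT, self.next_serial)
        self.next_serial += 1
        return cert

def outcome(upstream, interceptor=None):
    seen = upstream if interceptor is None else interceptor.substitute(upstream)
    if seen is None:
        return "blocked by interceptor"
    return "accepted" if browser_accepts(seen) else "rejected by browser"

REVOKED_SITE = Cert("shop.example", PUBLIC_CA, 0x1001)
GOOD_SITE = Cert("news.example", PUBLIC_CA, 0x2002)

if __name__ == "__main__":
    for site in (REVOKED_SITE, GOOD_SITE):
        print(site.subject, "| direct:", outcome(site),
              "| no check:", outcome(site, Interceptor(False)),
              "| with check:", outcome(site, Interceptor(True)))
```

The browser only ever sees the substitute certificate, which is freshly issued and on no revocation list, so its own revocation check cannot catch the revoked upstream certificate; the check has to happen inside the intercepting product.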

 


 


#2 quietman7


Posted 02 March 2015 - 06:02 AM

Disabling the HTTPS scanning feature in Bitdefender products is “definitely not an option,”... Aside from this functionality being needed to detect potential malware served from HTTPS websites, it’s also used for parental control, identity protection and several other features, he said.

Eiram believes that while not critical, the issue is more serious than Bitdefender estimates.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Aura


Posted 02 March 2015 - 09:56 AM

Looks like we can expect more Antivirus products to have flaws like these in the future. Now everyone's on that case, HTTPS and certificates, it's just a matter of time before someone compiles a list of trusted programs that have these flaws and all these companies find themselves in hot water.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 quietman7


Posted 02 March 2015 - 03:01 PM

avast!, Lavasoft, Comodo, now Bitdefender. What vendor will be next?

#5 Aura


Posted 02 March 2015 - 03:14 PM

I just hope that we won't see trusted and efficient vendors like ESET or Kaspersky. I really doubt that Emsisoft will ever get caught in something like that.



#6 quietman7


Posted 02 March 2015 - 04:01 PM

IMO it's no big deal as long as we have the option to disable.

#7 Sintharius


Posted 02 March 2015 - 06:12 PM

I just hope that we won't see trusted and efficient vendors like ESET or Kaspersky. I really doubt that Emsisoft will ever get caught in something like that.

With the way Surf Protection works I doubt Emsisoft will do that.

AFAIK Kaspersky (Endpoint Security at least) does not offer HTTPS scanning, so they probably won't be intercepting connections.

Alex

#8 Aura


Posted 02 March 2015 - 06:31 PM

Well, it seems that some Kaspersky products have this feature; at least 3 of them do, two of which are home-user oriented.

http://support.kaspersky.com/4467
http://support.kaspersky.com/6851
http://support.kaspersky.com/9927



#9 quietman7


Posted 03 March 2015 - 06:07 AM

But does Kaspersky add an entry in the list of browser Root certificates like avast?

#10 Sintharius


Posted 03 March 2015 - 06:39 AM

But does Kaspersky add an entry in the list of browser Root certificates like avast?

If Kaspersky does then do they leave it behind or remove it during uninstallation?

But then I used Endpoint Security, so it might be different.

Alex

#11 Aura


Posted 03 March 2015 - 09:34 AM

I'll check today when I get on my computer if Kaspersky added a root certificate in my certificate store and I'll let you know, but I recall reading something about it yesterday in one of the support articles I linked, so I think it does.



#12 quietman7


Posted 03 March 2015 - 10:06 AM

Then it should be easily removed...same as with avast.

#13 Aura


Posted 03 March 2015 - 12:11 PM

Yes, Kaspersky adds its own certificates on a system.
KxsRAL0.png





