Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.
Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.
While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.