What happens when ANTIVIRUS breaks your SOFTWARE?

PC & Tech Authority - FEATURE

Ask a developer about antivirus meddling with their own software's security, and you'll get an earful. Matthew Holt is the author of the Caddy web server and has battled antivirus to keep his software working properly.

"A trusted, uncompromised website used a modern certificate with elliptic curve cryptography," he explains. "Browsers already supported this emerging technology at the time, so a direct TLS connection between the browser and the website would have succeeded.

"However, users who were running antivirus software or were behind some corporate/university firewalls observed ERR_CONNECTION_CLOSED errors," he adds. "They were not able to access the site at all. Inspecting packet transmissions with Wireshark revealed that the connection was being downgraded to TLS 1.1. This is highly suspicious, since the site supported HTTP/2, which requires TLS 1.2.

"Bizarrely, disabling antivirus or going off-campus made it possible to connect to the site using the exact same computer and browser."

It became clear that the antivirus program – in this instance Avast, although Holt has previously had issues with AVG, Kaspersky and others – and the university firewalls were severing the TLS connection, then creating their own connection between themselves and the server so they could decrypt the traffic in between.

"Unfortunately, the TLS stack used by the firewall and the antivirus programs was outdated and did not support modern protocols or cipher suites. This not only broke the connection in this case and many others, but compromised the security of all other HTTPS connections it made, even if the server supported more secure configurations that the browser would have preferred!" he explains. Holt argues antivirus firms should stop using this "man-in-the-middle" technique, given the havoc it wreaks on browser-level security. "Both Chrome and Firefox support saving session keys to a file (if the user enables it). This is already useful for debugging connections with Wireshark, and it should provide AV products with the access they need without compromising network security. This is passive inspection; no [man-in-the-middle] required."
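The symptoms Holt describes (a forced drop to TLS 1.1, no HTTP/2, and a leaf certificate signed by a locally installed root rather than the site's real CA) can be checked from the client side. The following script is an added example written for this article, not Caddy's code or anything Holt published; the issuer names and the `expected_issuer_cn` value are constructed for illustration.

```python
"""Client-side check for TLS interception/downgrade by a middlebox.

observe() makes a real connection and records what was negotiated;
analyse() compares that against what the site is known to offer and
reports anything consistent with an AV/firewall re-terminating TLS.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

LEGACY_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")  # below the TLS 1.2 floor HTTP/2 needs


@dataclass
class TlsObservation:
    version: str           # e.g. "TLSv1.3", as returned by SSLSocket.version()
    cipher: str            # negotiated cipher suite name
    alpn: Optional[str]    # "h2" when HTTP/2 was negotiated via ALPN
    issuer_cn: str         # commonName of the leaf certificate's issuer


def analyse(obs: TlsObservation, expected_issuer_cn: str) -> List[str]:
    """Return a list of findings; an empty list means nothing looks intercepted."""
    findings = []
    if obs.version in LEGACY_VERSIONS:
        findings.append(f"negotiated {obs.version}; HTTP/2 requires TLS 1.2 or newer")
    if obs.alpn != "h2":
        findings.append("HTTP/2 (ALPN 'h2') not negotiated")
    if obs.issuer_cn != expected_issuer_cn:
        findings.append(
            f"leaf issued by {obs.issuer_cn!r}, expected {expected_issuer_cn!r}; "
            "a locally installed root suggests interception"
        )
    return findings


def observe(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Connect to host:port and record the negotiated TLS parameters."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # issuer is a tuple of RDNs, each a tuple of (key, value) pairs
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return TlsObservation(
                version=tls.version(),
                cipher=tls.cipher()[0],
                alpn=tls.selected_alpn_protocol(),
                issuer_cn=issuer.get("commonName", ""),
            )
```

Run `analyse(observe("example.org"), "<the CA that really signs the site>")` once from an unfiltered network to learn the expected issuer, then repeat behind the suspect AV or firewall; any finding points at a middlebox rather than the server.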
