PC Pro

What happens when antivirus breaks your software?


Ask a developer about antivirus meddling with their own software’s security, and you’ll get an earful. Matthew Holt is the author of the Caddy web server and has battled antivirus to keep his software working properly.

“A trusted, uncompromised website used a modern certificate with elliptic curve cryptography,” he explains. “Browsers already supported this emerging technology at the time, so a direct TLS connection between the browser and the website would have succeeded.

“However, users who were running antivirus software or were behind some corporate/university firewalls observed ERR_CONNECTION_CLOSED errors,” he adds. “They were not able to access the site at all. Inspecting packet transmissions with Wireshark revealed that the connection was being downgraded to TLS 1.1. This is highly suspicious since the site supported HTTP/2 which requires TLS 1.2.

“Bizarrely, disabling antivirus or going off-campus made it possible to connect to the site using the exact same computer and browser.”

It became clear that the antivirus program – in this instance, Avast, although Holt’s previously had issues with AVG, Kaspersky and others – and university firewalls were severing the TLS connection, then creating their own between them and the server so they could decrypt the traffic in between.

“Unfortunately, the TLS stack used by the firewall and the antivirus programs were outdated and did not support modern protocols or cipher suites. This not only broke the connection in this case and many others, but compromised the security of all other HTTPS connections it made, even if the server supported more secure configurations that the browser would have preferred!” he explains.

Holt argues antivirus firms should stop using this “man-in-the-middle” technique, given the havoc it wreaks on browser-level security. “Both Chrome and Firefox support saving session keys to a file (if the user enables it). This is already useful for debugging connections with Wireshark, and it should provide AV products with the access they need without compromising network security. This is passive inspection; no [man-in-the-middle] required.”
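The symptoms Holt describes (a TLS 1.1 connection to an HTTP/2 site, no h2 over ALPN, a leaf certificate re-signed by a local root) can be checked from the client side. The following is an added example, not code from the article or from Caddy; the `assess` rules, the `TlsFacts` record and the issuer names in the sample are assumptions constructed for illustration.

```python
"""Spot signs of TLS interception from the client's point of view (added example)."""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Protocol versions in ascending order, so a "downgrade" is a simple comparison.
TLS_ORDER = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass
class TlsFacts:
    version: str            # negotiated protocol, e.g. "TLSv1.1"
    alpn: Optional[str]     # negotiated ALPN protocol, e.g. "h2", or None
    issuer_cn: str          # commonName of the leaf certificate's issuer


def assess(facts: TlsFacts, expects_h2: bool, expected_issuer: str) -> List[str]:
    """Return findings that point to a middlebox; an empty list means none found."""
    findings = []
    # HTTP/2 requires TLS 1.2 or newer, so TLS 1.1 to an h2 site is the downgrade
    # the article describes.
    if expects_h2 and TLS_ORDER.get(facts.version, 0) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"downgraded to {facts.version}; HTTP/2 site needs TLS 1.2+")
    if expects_h2 and facts.alpn != "h2":
        findings.append("ALPN did not negotiate h2")
    # An interception proxy re-signs the server certificate with its own root.
    if facts.issuer_cn != expected_issuer:
        findings.append(f"leaf cert issued by {facts.issuer_cn!r}, expected {expected_issuer!r}")
    return findings


def probe(host: str, port: int = 443) -> TlsFacts:
    """Collect the same facts from a live connection (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return TlsFacts(tls.version(), tls.selected_alpn_protocol(),
                            issuer.get("commonName", ""))


if __name__ == "__main__":
    # Constructed facts mirroring the article: TLS 1.1, no h2, local signing root.
    observed = TlsFacts("TLSv1.1", None, "Example AV Interception Root")
    for finding in assess(observed, expects_h2=True, expected_issuer="Example Public CA"):
        print("suspicious:", finding)
```

Running `probe()` against a host you administer, once with the AV web shield enabled and once without, shows whether the negotiated version, ALPN result or issuer changes between the two.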
