I'm not totally ignorant of what SSL/TLS is and how websites use certificates to identify themselves and encrypt traffic, but I'm at something of a loss to understand the real purpose/benefit of the ESS Web and Email SSL/TLS Enable SSL/TLS protocol setting, or what it does under the hood. I can take it on faith that it offers some useful benefit, but it also offers a general inconvenience in that I can't examine the certificate presented by a server myself, and it also prevents me from administering the settings on my own router.
In a browser like Chrome (but also Firefox, Edge, Safari), when connecting to a website through HTTPS, the address bar has an indication whether or not the browser trusts the certificate presented by the website. Through various browser-dependent methods, you can ask to see the certificate details yourself. But when SSL/TLS filtering is enabled, doing that typically shows a certificate issued by "ESET SSL Filter CA". And as far as I can tell, there is no way to see the actual certificate being presented by the website. That's an annoying inconvenience for sites that have certificates I maintain. It doesn't happen for some well-known sites like google.com or Microsoft.com, but it does happen for my own sites whether they have free certificates from Let's Encrypt or certificates from a well-known CA like DigiCert.
I have Verizon FIOS as my internet provider, with a Quantum router that I administer through its web interface at hxxp://192.168.1.1. No problems for years, until on February 28 Verizon "upgraded" the router firmware remotely without informing me. This caused a request to hxxp://192.168.1.1 to bring up a page as follows:
Apparently the myfiosgateway.com site is specially recognized by the router itself and doesn't cause internet access; it just gets mapped to https://192.168.1.1. But of course the browser complains about the lack of connection security because of the self-signed certificate. So I follow the browser-specific steps to go to the site anyway. But when I do that, I just get back to the page saying the connection is not secure. I am stuck in this loop and unable to get to the router's login page. I actually called Verizon support and spent a long time with them, eventually convincing them that their firmware update broke me. It wasn't until a few days later that I discovered that if I disable ESET's SSL/TLS filtering, then clicking the link to go to the site anyway actually works.
I vaguely recall reading once that this filtering works by inserting ESET's own certificate somehow "further up the chain", but I'd really like to know how doing that actually protects me from problems - aren't the certificate checks done by modern-day browsers "good enough"? But more importantly, is this behavior a bug in ESS, or a bug in my router's firmware? If it works for "real" websites with bad certificates, why shouldn't it work for my router?
In the absence of a response, I'll probably leave the ESET filtering turned on (in Automatic mode), and just disable it on those rare occasions I need to log in to my router. I guess it would also be nice if there were a convenient/easy way to make an exception for 192.168.1.1.
And it would be super nice if someone had some ironclad technical ammo I could point at Verizon technical support to get them to fix their router 🙂