
Sour Grapes?


itman


https://www.bleepingcomputer.com/news/security/former-mozilla-engineer-disable-your-antivirus-software-except-microsofts/

Remember the browser wars?

If Microsoft had been allowed to integrate the browser into the OS as should have been done, we wouldn't have the malware plague that exists today. Neither would there be a Chrome, Firefox, or all the other browsers in existence.

Sorry Google and Mozilla, I don't buy the argument that your product be accommodated by using a repeatedly demonstrated inferior security solution.


  • Most Valued Members

He seems to like a good moan about everything except Mozilla and Microsoft. I use Firefox myself, but it's funny that he never mentions the amount of security updates that have been released to fix security holes in Windows and Firefox over the years :D.

I doubt many people will take his little rant seriously.

Here's the original blog post: http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

My advice to Eset and the other major AV vendors is to start "reading the tea leaves" being dropped by Microsoft, Google, and Mozilla and realize you have become their "whipping boy" for all the defects in their products.

There is a solution to this. This solution will also greatly reduce your costs in the long run and generate considerable revenue. It will most importantly result in a more secure solution for the end user. The solution? Develop your own secure browser tightly integrated with your particular security software. Then tell Google and Mozilla "to kiss your you know what ........"


The demonizing continues today:

A couple of months back, Justin Schuh, Google Chrome's security chief, and indeed one of the world's top infosec bods, said that antivirus software is "my single biggest impediment to shipping a secure browser." Further down the thread he explains that meddling AV software delayed Win32 Flash sandboxing "for over a year" and that further sandboxing efforts are still on hold due to AV. The man-in-the-middle nature of antivirus also causes a stream of TLS (transport layer security) errors, says Schuh, which in turn breaks some elements of HTTPS/HSTS. 

Ref.: https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/


  • Most Valued Members

I wouldn't go as far as saying that is a demonizing column, more about reporting the facts. Although the title of the article "It might be time to stop using Antivirus" is misleading.

I could sit here and write a massive 10 page reply myself but you can shorten it all down to a few key facts.

1, Is my computer safer with an AV product installed = YES of course
2, Will there always be compatibility issues with software = YES to a certain degree
3, Does any security software slow down my computer = YES to varying degrees
4, Will updating my OS and any software I use keep me completely safe = NO new exploits are found every day, otherwise there would be no patch cycle for OS's and other software.
5, Skeptical computing has always been key, nobody in the street walks up to you and offers you a tax refund or £3,000,000 if you give them all your personal details and the same thing applies online. The same thing applies to any file attachments on emails (even from people in your contact list/address book)

These are by far NEW revelations, and could have been written over 20 years ago.

The guy should have written a help column rather than a misleading one.

To get realistic on development of a browser, such activity would be very expensive. So I propose the following.

The major AV vendors form a consortium to share costs and resultant profits. Formation of same could model the creation of Malwarebytes "many moons" ago. The browser developed would have a common interface that would be shared by all stakeholders. Project management development could be farmed out to a neutral third party that is familiar to the participants such as AMTSO. 

Resultant costs of maintaining existing participants' security software would drop dramatically since the majority of those costs are being incurred for compatibility costs to accommodate existing browsers and most dramatically from the Internet delivered malware from existing browsers.

It also may very well be that such proposed browser development will result in a "change of attitude" by Google and Mozilla ;)

 

Edited by itman

On 1/27/2017 at 10:30 AM, itman said:

Here's the original blog post: hxxp://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html

My advice to Eset and the other major AV vendors is to start "reading the tea leaves" being dropped by Microsoft, Google, and Mozilla and realize you have become their "whipping boy" for all the defects in their products.

There is a solution to this. This solution will also greatly reduce your costs in the long run and generate considerable revenue. It will most importantly result in a more secure solution for the end user. The solution? Develop your own secure browser tightly integrated with your particular security software. Then tell Google and Mozilla "to kiss your you know what ........"

Other AV vendors have already developed their own browser. Qihoo, though theirs is more aimed at the Chinese userbase. And Avira, which developed Avira Scout based on Chromium. Don't recall any others.


  • Most Valued Members

The problem is more browsers means more issues. It's already a pain for web developers trying to support multiple browsers -  not as bad as in the past but still an issue. Also there's then those who rely on extensions and other stuff.


10 hours ago, Azure Phoenix said:

Don't recall any others.

The free version of Bitdefender Safe Pay, their online banking solution, uses a "hardened version" of Chromium that Bitdefender modified.

1 hour ago, peteyt said:

It's already a pain for web developers trying to support multiple browsers -  not as bad as in the past but still an issue

Agreed. What I am suggesting is a common browser that would be used by all participating AV vendors. Any custom modification would be done in the common interface used; not within the browser itself. Interface would only be accessible by participating AV vendor software.

BTW - Google and Mozilla could have built such an interface but chose not to. Probably due to fear that once a backdoor is allowed, malware will eventually discover it -or- to ensure their built-in spyware activities would not be publicly exposed.

In reality, the security industry including its governing bodies has to get "their act together" in regards to the use and effectiveness of encrypted SSL data. The original purpose was to ensure secure point-to-point transmission of data. It has evolved into being used for purposes for which it was never designed.

Edited by itman

  • 1 month later...

BTW - it's not just the browser vendors bashing the AV security industry but high ranking government officials as noted in this posting: http://www.securityweek.com/fighting-cyber-security-fud-and-hype .

Appears the AV industry is indeed the favored "whipping boy" target these days. Reasonable to assume that because after all, they do reside at the bottom of the target malware hill and as such will receive the full impact of the "malware dung heap" rolling down the hill.

I do know one thing for sure. The escalation of the finger pointing by involved parties of malware targeted attacks is a sure sign that malware is winning the war; one battle at a time.


Looks like the AV vendor bashing has "jumped the pond" with the U.S. now joining in. CERT just issued this advisory: https://www.us-cert.gov/ncas/alerts/TA17-075A . I am repeating below my comments posted on wilderssecurity.com about this advisory.

In regards to this recommendation to use the web site, badssl.com, by CERT:

The website badssl.com [3] is a resource where clients can verify whether their HTTPS inspection products are properly verifying certificate chains. Clients can also use this site to verify whether their HTTPS inspection products are enabling connections to websites that a browser or other client would otherwise reject.

My response:

The badssl.com test was specifically designed to test Chrome SSL configuration. So how accurate it is against other browsers remains to be determined. For example, the pinning test performed on the badssl web site is for HPKP pinning:

HPKP is supported in Firefox and Chrome,[7] but not in Internet Explorer/Edge.[8]

Ref.: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

What I think is behind the CERT advisory:

I do question CERT's recommendation to use an SSL test that does not apply to all browsers. I also question the motivation behind this alert issue. SSL protocol scanning has been a topic for at least two years. However, the recent WikiLeaks CIA revelations include a recommendation to their agents not to use SSL/TLS encryption because it is insecure. I find it a bit too coincidental that this CERT report was released a few days thereafter. My take is it's a diversion to shift emphasis away from the real issue which is fixing the insecurities in the SSL/TLS encryption protocol by again bashing the AV vendors as somehow part of the issue. This also lines up nicely with Google's and Mozilla's goal of eliminating AV vendor SSL/TLS protocol scanning altogether since it costs them more in developmental costs.

Edited by itman

In regards to this CERT advisory, it based the advisory on the research report I referenced in this posting: https://forum.eset.com/topic/10953-another-research-report-that-gives-esets-ssl-scanning-a-grade-of-f/ .

What I didn't fully realize till today was that this report wasn't independently funded but:

Research paper triggered CERT warning

The CERT advisory came after a group of security experts published a research paper at the start of the month titled "The Security Impact of HTTPS Interception."

The research team, made up of experts from Google, Mozilla, Cloudflare, and the University of Michigan, showed that around 62% of the HTTPS connections they've studied featured "reduced security," while 58% contained "severe vulnerabilities."

Ref.: https://www.bleepingcomputer.com/news/security/us-cert-security-products-that-perform-https-interception-weaken-security/

So there it is, "proof in the pudding" that Google and Mozilla are resorting to whatever tactics necessary to further their own end objectives.

Edited by itman

This topic is now closed to further replies.