itman

IE11 IPv6 SSL Protocol Scanning Issue

14 posts in this topic

Posted (edited)

Win 10 x64 1607, Smart Security 10.0.390.

This is a weird one.

I use IE11 private mode as my primary Internet access mode. What I have observed is that in IE11 PM, ekrn.exe never establishes a separate UDPv6 connection. This indicate to me that certificate validations for HTTPS IPv6 web sites are not being performed.

When running IE11 in normal mode, ekrn.exe does establish an UDPv6 connection with counts being incremented indicating certificate validations are being performed.

Edited by itman

Share this post


Link to post
Share on other sites

Hello itman,

I tried to visit a secured site with untrusted certificate via IE 11 from both normal and private mode and I got a prompt from ESSP if I would like to proceed so the certificate got validated by us.

Can you maybe try to perform the same test?

Regards, P.R.

Share this post


Link to post
Share on other sites
1 hour ago, Peter Randziak said:

Hello itman,

I tried to visit a secured site with untrusted certificate via IE 11 from both normal and private mode and I got a prompt from ESSP if I would like to proceed so the certificate got validated by us.

Can you maybe try to perform the same test?

Regards, P.R.

I need an IPv6 web site with an invalid cert.. Hard to find. Do you know of any such URLs? 

Share this post


Link to post
Share on other sites

Still looking for an IPv6 web site with a bad cert..

Wiil report that Eset doesn't detect a cert. issue on this rather well known bad cert. web site: https://tv.eurosport.com/ i.e. invalid common name.

Share this post


Link to post
Share on other sites

Hello Itman,

it seems that tv.eurosport.com si not available via IPv6 at all :-( 

"nslookup tv.eurosport.com
Non-authoritative answer:
Name:    a1846.w3.akamai.net
Addresses:  23.67.56.65
          23.67.56.17
Aliases:  tv.eurosport.com
          static.eurosport.edgesuite.net"

Sadly do not know such site and I do not have IPv.6 so I can't test it myself.

 

You stated, that you think in IE11 private mode the certificate validation is not performed for sites served via IPv.6, right?

Are the sites with not valid certificate blocked / validated on:

IE11 standard mode?

IE11 private mode for sites served via IPv.4

Thank you, P.R.

Share this post


Link to post
Share on other sites

Posted (edited)

4 hours ago, Peter Randziak said:

it seems that tv.eurosport.com si not available via IPv6 at all :-( 

Yes, only IPv4. My point on this regard was Eset does not detect the bad cert.. IE11 does thankfully but zip alert from Eset.

As far as Eset's IPv6 cert. validation, appears that it is indeed working OK. I do see ekrn.exe TCPv6 connections which I assume are to Eset designated servers to perform the cert. validation. Hard to tell for sure since Eset does not publish a listing of IPv6 address it uses as done for IPv4 addresses.

As far as the lack of a ekrn.exe UDPv6 connection, additional research yielded that my ISP uses RD6 tunneling for IPv6 connections. That is, it is actually sending tunneled IPv4 packets to/from the router to its IPv6 DNS server and routing via IPv6 to the destination. 

Edited by itman

Share this post


Link to post
Share on other sites

Hello Itman,

as far as I know we do not use a designated ESET servers to perform the certificate validation.

On top of that you may have your own trusted certificate authorities imported so it won't work.

So it currently seems that no certificates are validated by ESET for sites visited by IE11 in private mode, right? 

Regards, P.R.

Share this post


Link to post
Share on other sites

Posted (edited)

4 hours ago, Peter Randziak said:

So it currently seems that no certificates are validated by ESET for sites visited by IE11 in private mode, right? 

No. For the most part, Eset  is doing fine in regards to cert. validations in IE11; mode used is irrelevant.

Only present issue is Eset is not performing the cert. common name validation properly; e.g. https://tv.eurosport.com/ i.e. invalid common name.

Edited by itman

Share this post


Link to post
Share on other sites

Hello Itman,

O.K. now it makes more sense to me, thank you for the clarification.

I will check it with devs.

Regards, P.R.

Share this post


Link to post
Share on other sites

Hello Itman,

I checked it with the dev responsible and it is intentionally that way.

Common name can only be checked with regard to the server the client is connecting to. Because of that Windows would display the certificate as valid even if it's used for a wrong server. Because of that we let the browsers handle the situation.

Regards, P.R.

Share this post


Link to post
Share on other sites
5 hours ago, Peter Randziak said:

Hello Itman,

I checked it with the dev responsible and it is intentionally that way.

Common name can only be checked with regard to the server the client is connecting to. Because of that Windows would display the certificate as valid even if it's used for a wrong server. Because of that we let the browsers handle the situation.

Regards, P.R.

Thanks for the clarification on the common name cert. verification.

Last issue is lately, I have been failing the SHA1 validation for intermediate cert. test on badssl.com web site. Assume that means Eset is allowing SHA1 for an intermediate cert using IE11.. This seems to be something recent since previously, I was passing that test. Might want to have the dev. check that out.

Share this post


Link to post
Share on other sites

Hello Itman,

the currently released SSL scanner (part of Internet protection module) does not ask / block by default secured sites with SHA1 certificates.

Not sure what is the ratio behind it, but I assume that there are still many sites with such certs, which would lead to bad user experience as they would be asked for / blocked. 

Regards, P.R.

Share this post


Link to post
Share on other sites
10 hours ago, Peter Randziak said:

Hello Itman,

the currently released SSL scanner (part of Internet protection module) does not ask / block by default secured sites with SHA1 certificates.

Not sure what is the ratio behind it, but I assume that there are still many sites with such certs, which would lead to bad user experience as they would be asked for / blocked. 

Regards, P.R.

Thanks. Appears to be another "dubious" badssl.com validation since Microsoft based browsers will only be enforcing the SHA-1 deprecation for trusted root CA certificates as noted below. However if the intermediate root certificate chained to a Microsoft Trusted Root CA certificate, then Eset should be alerting on the cert.. I will retest on May 9 and see if IE11 blocks it which would suffice.

Some additional details from Microsoft:

Update (4/26/2017): Starting on May 9, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the Windows 10 Creators Update blocks SHA-1 by-default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions below.

This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Ref.: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#zueZ5QBzQqQIWpOq.97

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.