itman, posted April 20, 2017 (edited)

Win 10 x64 1607, Smart Security 10.0.390. This is a weird one. I use IE11 private mode as my primary Internet access mode. What I have observed is that in IE11 PM, ekrn.exe never establishes a separate UDPv6 connection. This indicates to me that certificate validations for HTTPS IPv6 web sites are not being performed. When running IE11 in normal mode, ekrn.exe does establish a UDPv6 connection, with counts being incremented, indicating certificate validations are being performed.

Edited April 20, 2017 by itman
Peter Randziak (ESET Moderator), posted April 21, 2017

Hello itman,

I tried to visit a secured site with an untrusted certificate via IE 11 from both normal and private mode and I got a prompt from ESSP asking if I would like to proceed, so the certificate got validated by us. Can you maybe try to perform the same test?

Regards, P.R.
itman (author), posted April 21, 2017

1 hour ago, Peter Randziak said:
Hello itman, I tried to visit a secured site with an untrusted certificate via IE 11 from both normal and private mode and I got a prompt from ESSP asking if I would like to proceed, so the certificate got validated by us. Can you maybe try to perform the same test? Regards, P.R.

I need an IPv6 web site with an invalid cert. Hard to find. Do you know of any such URLs?
itman (author), posted April 21, 2017

Still looking for an IPv6 web site with a bad cert. Will report that Eset doesn't detect a cert. issue on this rather well known bad cert. web site: https://tv.eurosport.com/ i.e. invalid common name.
Peter Randziak (ESET Moderator), posted April 24, 2017

Hello Itman,

it seems that tv.eurosport.com is not available via IPv6 at all :-(

    nslookup tv.eurosport.com
    Non-authoritative answer:
    Name: a1846.w3.akamai.net
    Addresses: 23.67.56.65
    23.67.56.17
    Aliases: tv.eurosport.com
    static.eurosport.edgesuite.net

Sadly I do not know of such a site and I do not have IPv6, so I can't test it myself.

You stated that you think in IE11 private mode the certificate validation is not performed for sites served via IPv6, right? Are sites with an invalid certificate blocked / validated on:

- IE11 standard mode?
- IE11 private mode for sites served via IPv4?

Thank you, P.R.
itman (author), posted April 24, 2017 (edited)

4 hours ago, Peter Randziak said:
it seems that tv.eurosport.com is not available via IPv6 at all :-(

Yes, only IPv4. My point in this regard was that Eset does not detect the bad cert. IE11 does, thankfully, but zip alert from Eset.

As far as Eset's IPv6 cert. validation, it appears that it is indeed working OK. I do see ekrn.exe TCPv6 connections which I assume are to Eset designated servers to perform the cert. validation. Hard to tell for sure since Eset does not publish a listing of the IPv6 addresses it uses as is done for IPv4 addresses.

As far as the lack of an ekrn.exe UDPv6 connection, additional research yielded that my ISP uses RD6 tunneling for IPv6 connections. That is, it is actually sending tunneled IPv4 packets to/from the router to its IPv6 DNS server and routing via IPv6 to the destination.

Edited April 24, 2017 by itman
Peter Randziak (ESET Moderator), posted April 25, 2017

Hello Itman,

as far as I know we do not use designated ESET servers to perform the certificate validation. On top of that, you may have your own trusted certificate authorities imported, so it won't work.

So it currently seems that no certificates are validated by ESET for sites visited by IE11 in private mode, right?

Regards, P.R.
itman (author), posted April 25, 2017 (edited)

4 hours ago, Peter Randziak said:
So it currently seems that no certificates are validated by ESET for sites visited by IE11 in private mode, right?

No. For the most part, Eset is doing fine in regards to cert. validations in IE11; the mode used is irrelevant. The only present issue is that Eset is not performing the cert. common name validation properly; e.g. https://tv.eurosport.com/ i.e. invalid common name.

Edited April 25, 2017 by itman
Peter Randziak (ESET Moderator), posted April 26, 2017

Hello Itman,

O.K., now it makes more sense to me, thank you for the clarification. I will check it with devs.

Regards, P.R.
Peter Randziak (ESET Moderator), posted April 26, 2017

Hello Itman,

I checked it with the dev responsible and it is intentionally that way. Common name can only be checked with regard to the server the client is connecting to. Because of that Windows would display the certificate as valid even if it's used for a wrong server. Because of that we let the browsers handle the situation.

Regards, P.R.
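The point above, that a chain can be perfectly valid and yet be the wrong certificate for the host the client asked for, is what the browser's separate hostname check catches. The following is an added illustration, not ESET's code and not something from the forum, of that RFC 6125 style check: subjectAltName dNSName entries take precedence, the common name is only a legacy fallback when no dNSName is present, and a wildcard is only honoured as the whole left-most label. Certificate fields are passed in as plain values (the domain names are constructed and use reserved `.example` labels), so it runs offline without parsing DER.

```python
"""Hostname matching against a certificate's SAN / CN (added example).

This is a stand-alone illustration of the check a browser performs after
chain validation succeeds.  It is not ESET's or Microsoft's code, and the
field values used below are constructed for the demonstration.
"""
import ipaddress
from typing import Optional, Sequence, Tuple


def _match_reference(pattern: str, hostname: str) -> bool:
    """Match one reference identifier (possibly with a leading wildcard)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Wildcard rules (RFC 6125 section 6.4.3): the wildcard must be the entire
    # left-most label, must not be the only label above a public suffix style
    # name such as "*.example", and may appear only once.
    if pat_labels[0] != "*" or len(pat_labels) < 3 or "*" in pattern[2:]:
        return False
    # "*.edgesuite.example" matches "static.edgesuite.example" but not
    # "a.b.edgesuite.example": a wildcard covers exactly one label.
    if len(host_labels) != len(pat_labels):
        return False
    return pat_labels[1:] == host_labels[1:]


def hostname_matches(hostname: str,
                     san_dns: Sequence[str],
                     cn: Optional[str],
                     san_ip: Sequence[str] = ()) -> Tuple[bool, str]:
    """Return (ok, reason) for a certificate presented for `hostname`.

    san_dns / san_ip are the dNSName / iPAddress SAN entries, cn the subject
    common name.  CN is consulted only when the cert carries no dNSName
    entries; current browsers have dropped even that fallback.
    """
    try:
        literal_ip = ipaddress.ip_address(hostname)
    except ValueError:
        literal_ip = None

    if literal_ip is not None:
        # An IP literal (v4 or v6) must be matched against iPAddress SANs only.
        for entry in san_ip:
            if ipaddress.ip_address(entry) == literal_ip:
                return True, f"iPAddress SAN {entry} matches"
        return False, "no iPAddress SAN matches the literal address"

    if san_dns:
        for name in san_dns:
            if _match_reference(name, hostname):
                return True, f"dNSName SAN {name!r} matches"
        return False, "no dNSName SAN matches; CN is ignored when SANs are present"

    if cn and _match_reference(cn, hostname):
        return True, f"CN {cn!r} matches (legacy fallback, no SAN present)"
    return False, "no SAN present and CN does not match"


if __name__ == "__main__":
    # Constructed case mirroring the thread: a CDN certificate that is valid
    # for the CDN's own names but presented for a different site name.
    cdn_sans = ["*.edgesuite.example", "static.edgesuite.example"]
    for host in ("tv.eurosport.example", "static.edgesuite.example",
                 "a.b.edgesuite.example"):
        print(host, "->", hostname_matches(host, cdn_sans, cn="*.edgesuite.example"))
    print("2001:db8::1 ->", hostname_matches("2001:db8::1", [], None, san_ip=["2001:DB8::1"]))
```

Run as a script, the first host is rejected even though nothing about the chain itself is wrong; that is the split of responsibilities the reply above describes, with chain building on one side and the identity check on the other.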
itman (author), posted April 26, 2017

5 hours ago, Peter Randziak said:
Hello Itman, I checked it with the dev responsible and it is intentionally that way. Common name can only be checked with regard to the server the client is connecting to. Because of that Windows would display the certificate as valid even if it's used for a wrong server. Because of that we let the browsers handle the situation. Regards, P.R.

Thanks for the clarification on the common name cert. verification.

Last issue is that lately I have been failing the SHA1 validation for the intermediate cert. test on the badssl.com web site. I assume that means Eset is allowing SHA1 for an intermediate cert using IE11. This seems to be something recent since previously I was passing that test. Might want to have the dev. check that out.
Peter Randziak (ESET Moderator), posted April 27, 2017

Hello Itman,

the currently released SSL scanner (part of the Internet protection module) does not ask / block by default on secured sites with SHA1 certificates. Not sure what the rationale behind it is, but I assume that there are still many sites with such certs, which would lead to a bad user experience as they would be asked / blocked.

Regards, P.R.
itman (author), posted April 27, 2017

10 hours ago, Peter Randziak said:
Hello Itman, the currently released SSL scanner (part of the Internet protection module) does not ask / block by default on secured sites with SHA1 certificates. Not sure what the rationale behind it is, but I assume that there are still many sites with such certs, which would lead to a bad user experience as they would be asked / blocked. Regards, P.R.

Thanks. Appears to be another "dubious" badssl.com validation since Microsoft based browsers will only be enforcing the SHA-1 deprecation for trusted root CA certificates as noted below. However, if the intermediate root certificate chained to a Microsoft Trusted Root CA certificate, then Eset should be alerting on the cert. I will retest on May 9 and see if IE11 blocks it, which would suffice.

Some additional details from Microsoft:

Update (4/26/2017): Starting on May 9, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Additionally, the Windows 10 Creators Update blocks SHA-1 by-default in the browser. Customers who would like to disable SHA-1 today may do so with the instructions below. This will only impact SHA-1 certificates that chain to a Microsoft Trusted Root CA. Manually-installed enterprise or self-signed SHA-1 certificates will not be impacted, although we recommend for all customers to quickly migrate to SHA-256.

Ref.: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/#zueZ5QBzQqQIWpOq.97
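The Microsoft policy quoted in the post above has two parts that are easy to conflate: the signature hash on the leaf and on any intermediate is what gets judged, while the trust anchor's own self-signature is never evaluated (an anchor is trusted by identity, not by its signature), and the block applies only when the chain ends at a publicly trusted root, not at an enterprise or self-signed one. The block below is an added illustration of that policy, written for this discussion and not code from ESET, Microsoft or badssl.com. Chain entries are constructed dicts rather than parsed certificates; the `cn`, `issuer` and `sig_hash` field names and the `PUBLIC_ROOTS` set are assumptions made for the example.

```python
"""SHA-1 chain policy as described in the quoted Microsoft update (added example).

Not vendor code.  Certificates are modelled as small dicts so the policy
logic can run offline; the names and the trust store are constructed.
"""
from typing import Dict, List, Tuple

# Constructed trust store: subjects that count as *public* trust anchors.
PUBLIC_ROOTS = {"Example Public Root CA"}

# Hashes the policy treats as weak for signatures on leaf/intermediate certs.
WEAK_HASHES = {"sha1", "md5"}


def order_chain(leaf_first: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Check issuer/subject linkage leaf-to-root and that the last entry is self-signed."""
    if not leaf_first:
        raise ValueError("empty chain")
    for child, parent in zip(leaf_first, leaf_first[1:]):
        if child["issuer"] != parent["cn"]:
            raise ValueError(
                f"broken chain: {child['cn']!r} names issuer {child['issuer']!r} "
                f"but the next certificate is {parent['cn']!r}")
    root = leaf_first[-1]
    if root["issuer"] != root["cn"]:
        raise ValueError("chain does not end in a self-signed anchor")
    return leaf_first


def sha1_policy(chain: List[Dict[str, str]]) -> Tuple[str, List[str]]:
    """Return ('block' | 'allow', findings).

    findings lists every weak signature seen in the chain.  The verdict is
    'block' only when a weak hash sits on a non-root certificate AND the
    anchor is a public root; enterprise / self-signed anchors are allowed,
    and the anchor's own self-signature is reported but never evaluated.
    """
    chain = order_chain(chain)
    root = chain[-1]
    weak_below_root = [
        f"{c['cn']} signed with {c['sig_hash']}"
        for c in chain[:-1]                       # root self-signature skipped on purpose
        if c["sig_hash"].lower() in WEAK_HASHES
    ]
    findings = list(weak_below_root)
    if root["sig_hash"].lower() in WEAK_HASHES:
        findings.append(
            f"anchor {root['cn']} is self-signed with {root['sig_hash']} "
            "(informational only: anchors are trusted by identity, not signature)")
    if weak_below_root and root["cn"] in PUBLIC_ROOTS:
        return "block", findings
    return "allow", findings


def make_chain(intermediate_hash: str, root_cn: str,
               root_hash: str = "sha256", leaf_hash: str = "sha256") -> List[Dict[str, str]]:
    """Build a constructed three-certificate chain, leaf first."""
    return [
        {"cn": "sha1-intermediate.example", "issuer": "Example Intermediate CA", "sig_hash": leaf_hash},
        {"cn": "Example Intermediate CA", "issuer": root_cn, "sig_hash": intermediate_hash},
        {"cn": root_cn, "issuer": root_cn, "sig_hash": root_hash},
    ]


if __name__ == "__main__":
    cases = {
        "SHA-1 intermediate, public root": make_chain("sha1", "Example Public Root CA"),
        "SHA-1 intermediate, enterprise root": make_chain("sha1", "Corp Internal Root CA"),
        "SHA-1 only on the root's self-signature": make_chain("sha256", "Example Public Root CA", root_hash="sha1"),
        "all SHA-256": make_chain("sha256", "Example Public Root CA"),
    }
    for label, chain in cases.items():
        verdict, findings = sha1_policy(chain)
        print(f"{label}: {verdict}")
        for f in findings:
            print("   -", f)
```

The first case is the shape of the badssl.com intermediate test mentioned in the thread: the leaf is fine, the intermediate is SHA-1, and the chain ends at a public root, so it is blocked. The same chain under an enterprise anchor is allowed with the finding still reported, which is the distinction the Microsoft text draws, and a SHA-1 self-signature on the anchor alone never triggers a block.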
Peter Randziak (ESET Moderator), posted April 28, 2017

Hello Itman,

thank you for sharing it.

Chrome: https://security.googleblog.com/2016/11/sha-1-certificates-in-chrome.html
Firefox: https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/

It seems all the major browsers are keeping SHA1 support due to the enterprise customers.

Regards, P.R.