Keeping protection at a high level without HTTPS scanning


Recommended Posts

Hi,

in principle I don't like the idea of HTTPS scanning or TLS interception. I share the views and arguments that TLS interception weakens the idea of a secure, private (encrypted) tunnel between a client and a server. I can't imagine why I would want anyone to scan that information. In my opinion it's a matter of privacy. I am still not convinced that HTTPS scanning does more good than harm.

If I am right, ESET scans HTTPS traffic by default. I guess the idea behind it is to catch bad encrypted traffic. So far I have turned HTTPS/SSL scanning off.

Isn't there any other way of blocking bad HTTPS-encrypted websites without TLS interception? How much protection do I have to sacrifice by turning HTTPS/SSL scanning off?

Cheers.


  • Administrators

Without SSL/TLS filtering, it's not possible to scan the communication and therefore possible malware on https sites may be downloaded undetected or malicious https urls may not be blocked. Also with future versions of Chrome marking all http sites as not secure, even more malicious websites will change to https.


For web sites where privacy is a concern such as healthcare providers and the like, you can exclude their associated certificates from being scanned. I do.

Also note that Eset's SSL protocol scanning does not scan every HTTPS site. Those that are trusted via internal whitelist and many sites with EV certificates are not scanned.


Isn't there any way of blocking https:// encrypted sites without TLS interception?

E.g. adding some kind of "browsing protection" checking the sites that are being visited against lists of reported phishing and malware-spreading sites.


  • Administrators

With SSL/TLS filtering disabled you can block the hostname, e.g. https://domain.com, but not https://domain.com/malware, and blacklist URLs that contain a path won't be applied either.

Also if an application (malware) communicates with a server over https, this communication cannot be scanned unless you enable SSL/TLS filtering.
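To make the hostname-versus-path point concrete, here is an added example written for this thread (not ESET's code): it builds a constructed TLS ClientHello, extracts the server name that is visible in the clear, and sorts a small constructed blocklist into entries a hostname-only filter can enforce and entries that need the decrypted request. The function names and blocklist entries are assumptions.

```python
import struct

def build_client_hello(server_name):
    """Constructed TLS 1.2 ClientHello record that carries only an SNI extension."""
    host = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32      # client_version + random (zeroed, constructed)
            + b"\x00"                       # empty session_id
            + b"\x00\x02\xc0\x2f"           # one cipher suite
            + b"\x01\x00"                   # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body         # handshake type 1, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # TLS record header

def sni_from_client_hello(record):
    """Return the host name sent in the clear in a ClientHello, or None (no path is visible here)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # record hdr, hs hdr, version, random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    if p + 2 > len(record):
        return None                                   # no extensions at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def enforceable_without_interception(blocklist, observed_sni):
    """Split a URL blocklist into entries matched by the SNI alone and entries
    that need the decrypted request line (i.e. SSL/TLS filtering) to be applied."""
    blocked, needs_filtering = [], []
    for entry in blocklist:
        url = entry[len("https://"):] if entry.startswith("https://") else entry
        host, _, path = url.partition("/")
        if path:
            needs_filtering.append(entry)             # path travels inside the encrypted tunnel
        elif host == observed_sni:
            blocked.append(entry)
    return blocked, needs_filtering
```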


I checked some of the settings and was wondering why programs like my password manager or my cloud encryption tool are being scanned too? They appear in the "List of SSL filtered applications". These are trustable software applications. I am not concerned that any of these pieces of software would throw malware at me.


  • Administrators
7 minutes ago, senna said:

I checked some of the settings and was wondering why programs like my password manager or my cloud encryption tool are being scanned too? They appear in the "List of SSL filtered applications". These are trustable software applications. I am not concerned that any of these pieces of software would throw malware at me.

Because they communicate over https and the certificate they use is not an EV certificate (typically used by banks for instance). You can exclude particular applications or certificates from filtering.


I am undecided on this topic, following some of the news, e.g. "The Security Impact of HTTPS Interception" or "HTTPS interception weakens TLS security".

You may find some examples and arguments why https scanning does more harm than good. I definitely feel uncomfortable knowing of software scanning my encrypted connections.

Edited by senna

  • Administrators

If SSL/TLS filtering is not properly implemented then yes, it can cause more harm than good. However, that is not the case with ESET. Whether a website uses http or https doesn't tell anything about whether it can be trusted or not, or whether it's benign or malicious. As we have already said, not all https communication is filtered and scanned; EV certificates and trusted sites are excluded by default.


The problem is simply that everything in short order will be HTTPS communication. This is because the browser manufacturers wish it so, and because of existing initiatives such as HTTPS Everywhere.

The real solution lies with browser manufacturers allowing an interface into the browsers for AV vendors to scan HTTPS traffic after it is decrypted. That will never happen since, as far as the browser manufacturers are concerned, the AV vendors need to stay out of the browsers, period; this includes hook injection. Also, the AV vendors are a "favorite whipping boy" for the browser manufacturers in that they will always blame them first for any operational or security issues with their browsers, whether related or not.

The bottom line is that SSL/TLS is horribly broken and that really needs to be fully addressed by the global security community. Search the web for related articles on this issue.


Thanks for all the comments on this topic. I appreciate it a lot. I am very interested in how ESET handles HTTPS scanning in detail. What happens to my data, how does it decrypt and re-encrypt my connection? How does ESET handle scanned traffic including usernames, passwords, private data (documents, pictures, etc.)?

I couldn't find any detailed information on this so far.


In addition to my questions above: I am also a Mac user. As far as I know ESET is not scanning HTTPS traffic on Macs. Why is this handled differently?

Edited by senna

  • ESET Moderators

Hello @senna,

3 hours ago, senna said:

how ESET handles HTTPS scanning in detail

We decrypt the traffic to scan it so the appropriate rules can be evaluated and also the objects of our interest (like executables, scripts and so on) can be sent to the scanner.

If the scanner finds a malicious object or it matches a blocking rule, the traffic is stopped. If the content is O.K. we encrypt it again and send it to the original destination, i.e. the browser.

11 minutes ago, senna said:

In addition to my questions above: I am also a Mac user. As far as I know ESET is not scanning HTTPS traffic on Macs. Why is this handled differently?

The SSL/TLS scanning is not yet implemented on the macOS platform, but we plan to have it there as well.

Regards, P.R.
