Purpose of SSL/TLS filtering, and is this an ESET or router bug?


Recommended Posts

I'm not totally ignorant of what SSL/TLS is and how websites use certificates to identify themselves and encrypt traffic, but I'm at something of a loss to understand the real purpose/benefit of the ESS Web and Email SSL/TLS Enable SSL/TLS protocol setting, or what it does under the hood. I can take it on faith that it offers some useful benefit, but it also offers a general inconvenience in that I can't examine the certificate presented by a server myself, and it also prevents me from administering the settings on my own router.

In a browser like Chrome (but also Firefox, Edge, Safari), when connecting to a website through https, the address bar has an indication whether or not the browser trusts the certificate presented by the website. Through various browser-dependent methods, you can ask to see the certificate details yourself. But when SSL/TLS filtering is enabled, doing that typically shows a certificate issued by "ESET SSL Filter CA". And as far as I can tell, there is no way to see the actual certificate being presented by the website. That's an annoying inconvenience for sites that have certificates I maintain. It doesn't happen for some well-known sites like google.com or Microsoft.com, but it does happen for my own sites whether they have free certificates from letsencrypt or certificates from a well-known CA like Digicert.

I have Verizon FIOS as my internet provider, with a Quantum router that I administer through its web interface at http://192.168.1.1. No problems for years, until on February 28 Verizon "upgraded" the router firmware remotely without informing me. This caused a request to http://192.168.1.1 to bring up a page as follows:

Quote:

Verizon takes your privacy and internet security seriously. To better ensure security, Your router is automatically being redirected to https://myfiosgateway.com.

The redirected site is protected with a self-signed certificate, and your internet browser will prompt you with a security warning to accept the router's self-signed certificate before proceeding. This is a standard prompt for any self-signed certificate to help ensure the security of your internet connection.

Apparently the myfiosgateway.com site is specially recognized by the router itself and doesn't cause internet access, it just gets mapped to https://192.168.1.1. But of course the browser complains about the lack of connection security because of the self-signed certificate. So I follow the browser-specific steps to go to the site anyway. But when I do that, I just get back to the page saying the connection is not secure. I am stuck in this loop and unable to get to the router's login page. I actually called Verizon support and spent a long time with them, eventually convincing them that their firmware update broke me. It wasn't until a few days later that I discovered that if I disable ESET's SSL/TLS filtering, then clicking the link to go to the site anyway actually works.
I vaguely recall reading once that this filtering works by inserting eset's own certificate somehow "further up the chain", but I'd really like to know how doing that actually protects me from problems - aren't the certificate checks done by modern-day browsers "good enough". But more importantly, is this behavior a bug in ESS, or a bug in my router's firmware? If it works for "real" websites with bad certificates, why shouldn't it work for my router?
In the absence of a response, I'll probably leave the Eset filtering turned on (in Automatic mode), and just disable it on those rare occasions I need to login to my router. I guess it would also be nice if there were a convenient/easy way to make an exception for 192.168.1.1.
And it would be super nice if someone had some ironclad technical ammo I could point at Verizon technical support to get them to fix their router 🙂

Edited by sootsnoot: correct hxxp->http

I just tried twice to correct the typo "hxxp" to "http" in the original post. The site let me make the edit, and accept my comment about the edit I made, but the edit did not show up in the post itself. I couldn't find a button specifically to submit or save the edit, I just pressed "Enter" after typing the explanation for the edit. Sorry, guess I'm just dumb...


20 hours ago, sootsnoot said:

I'm not totally ignorant of what SSL/TLS is and how websites use certificates to identify themselves and encrypt traffic, but I'm at something of a loss to understand the real purpose/benefit of the ESS Web and Email SSL/TLS Enable SSL/TLS protocol setting, or what it does under the hood.

Its primary purpose is to allow Eset to intercept encrypted SSL/TLS traffic prior to entering the browser or e-mail client. Note however that Eset now scans all incoming SSL/TLS source. So all incoming app web traffic is being scanned.

It then decrypts the traffic and examines it for malware. It then re-encrypts the traffic and forwards it to the target app. Without decryption, there is no way Eset can examine the traffic. Note that today, with almost all web sites and servers being HTTPS, disabling Eset's SSL/TLS protocol scanning puts one at considerable risk to Internet sourced malware.

As far as your

20 hours ago, sootsnoot said:

Verizon FIOS as my internet provider, with a Quantum router

goes, it appears to be some type of hybrid router administration setup. Normally when one connects to their router/gateway via its locally assigned IP address, the connection never leaves the local network. Verizon appears to have "cloud" sourced some of its router's admin functions. In other words, you're actually connecting to Verizon servers to configure your router, which is a bit strange.

In any case, the Verizon alert you posted previously appears to be related to you having to accept the installation of its own self-signed root CA store certificate that will allow Verizon to also intercept SSL/TLS communication to/from your router. Most likely to perform the same type of malware scanning as Eset's SSL/TLS scanning, possibly; just for router admin maintenance purposes; or who knows what else they are doing? -EDIT- Another possibility is the connection to the router is now https based versus the usual http connection. Whereas the Verizon root CA store certificate to allow https router configuration is a legit use, that same certificate could be used to intercept all your https traffic for inspection by Verizon. This is highly unusual and personally something I would never allow my ISP to perform.

Did you verify with Verizon that the certificate install request is legit? It could be a "spoofed" alert from an attacker to allow him to perform a man-in-the-middle attack.

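The two things discussed in this thread, a local filter that re-signs server certificates with its own CA (so the browser sees "ESET SSL Filter CA" as the issuer) and a router presenting a self-signed certificate that never validates, can both be checked from the command line. The script below is an added example, not code from ESET, Verizon or anyone in this thread. It uses only the Python standard library: it connects to a host, reports which issuer this machine actually sees, flags the issuer name from the thread as an interception CA, and when validation fails (the self-signed router case) it still fetches the raw certificate so its SHA-256 fingerprint can be compared against the one you get from `openssl x509 -fingerprint -sha256` on the server itself. The host names and the sample certificate dictionaries in the block are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Issuer commonNames that mean a local TLS-inspecting proxy re-signed the
# certificate. "ESET SSL Filter CA" is the name reported in the thread; extend
# the tuple with any other local filter CA you run.
INTERCEPTION_ISSUERS = ("ESET SSL Filter CA",)


def issuer_common_name(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or ''."""
    for rdn in peercert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""


def classify(peercert):
    """'intercepted' if the issuer is a known local filter CA, else 'direct'."""
    cn = issuer_common_name(peercert)
    return "intercepted" if cn in INTERCEPTION_ISSUERS else "direct"


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the format openssl prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe(host, port=443, timeout=5.0):
    """Connect to host:port and report the certificate this machine really sees.

    A validating connection is tried first. If validation fails (for example the
    router's self-signed certificate), the certificate is fetched again without
    validation purely to fingerprint it; nothing is sent over that connection.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                peercert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
        return {
            "host": host,
            "trusted": True,
            "issuer": issuer_common_name(peercert),
            "verdict": classify(peercert),
            "sha256": sha256_fingerprint(der),
        }
    except ssl.SSLCertVerificationError as exc:
        unverified = ssl.create_default_context()
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with unverified.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
        return {
            "host": host,
            "trusted": False,
            "issuer": None,
            "verdict": "unverified",
            "sha256": sha256_fingerprint(der),
            "error": str(exc),
        }


# Constructed samples in the shape ssl.getpeercert() returns, used for the
# offline demonstration below; the subject names are placeholders.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "issuer": ((("commonName", "ESET SSL Filter CA"),),),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.invalid"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
}

if __name__ == "__main__":
    for sample in (SAMPLE_INTERCEPTED, SAMPLE_DIRECT):
        print(issuer_common_name(sample), "->", classify(sample))
    # Live check of one of your own hosts, e.g. probe("192.168.1.1"):
    # "intercepted" means the filter is in the path; "unverified" plus a
    # fingerprint is what you see for the router's self-signed certificate.
```

Run `probe("192.168.1.1")` with SSL/TLS filtering on and off: a `verdict` of `intercepted` shows the filter rewriting the chain, while `unverified` with a fingerprint that matches the router's own certificate shows that what reaches the browser is the router's certificate and not a re-signed copy.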

On 3/17/2019 at 1:17 PM, sootsnoot said:

Apparently the myfiosgateway.com site is specially recognized by the router itself and doesn't cause internet access, it just gets mapped to https://192.168.1.1. But of course the browser complains about the lack of connection security because of the self-signed certificate. So I follow the browser-specific steps to go to the site anyway. But when I do that, I just get back to the page saying the connection is not secure.

I did a little experiment and connected to my router via https and experienced the same behavior. As far as I am aware of, all connections to the router's admin GUI have to be made via http except in your case it appears.

Try this. Refer to the below screen shot and add the IP address for your router, 192.168.1.1, to the excluded addresses for Eset's Protocol Filtering. This should eliminate any interference by Eset in your connection to the router.

[Screenshot: Eset Protocol Filtering excluded addresses setting]

