rotate4all, Posted August 3, 2020
Hello, Just noticed that my site's EV SSL certificate is being automatically replaced by ESET's certificate in all browsers for some unknown reason: This is with ESET NOD32 antivirus using default settings. However, for another site (which also uses an EV SSL certificate albeit issued by a different authority) interestingly ESET does NOT replace their certificate in any browser: The only way that I could see the certificate actually installed on my site is through disabling ESET's default SSL/TLS filtering: So why the discrimination? Very curious of ESET's arguments on this.
itman, Posted August 3, 2020
Eset maintains an internal whitelist of web sites that are excluded from its SSL/TLS protocol scanning. Unless things have changed, Eset does not absolutely exclude a web site from scanning because it is using an EV certificate.
rotate4all (Author), Posted August 3, 2020 (edited)
Sorry but that's plain WRONG! And it's DISCRIMINATION to say the least. Why does it make a difference between two valid EV SSL certificates? Additionally Firefox doesn't even recognize ESET's certificate: So how do you think this affects my business and website's credibility? Makes me wonder why I paid the extra $$$ for an EV SSL certificate when an antivirus software comes along and decides UNILATERALLY which site is to be trusted and which isn't?!
itman, Posted August 3, 2020
8 minutes ago, rotate4all said: Additionally Firefox doesn't even recognize ESET's certificate:
Actually it does. Firefox, Chrome, and Edge all recognize Eset's root CA certificate. Otherwise, they would be alerting about it. All Firefox is informing about is that the certificate is not one contained within their own internal root CA certificate store. Firefox now defers to the Win root CA certificate store in this situation, which does contain Eset's certificate.
rotate4all (Author), Posted August 3, 2020 (edited)
11 minutes ago, itman said: Actually it does.
Well, tell that to someone who grew up learning all about Root CA certificates. It'll make perfect sense for them. Whereas we regular mortals speak plain ENGLISH and the phrase "MOZILLA DOES NOT RECOGNIZE THIS CERTIFICATE ISSUER" means just that, regardless of what technical arguments you may have against it. So I'm seeing this issue from a layman's point of view, where my site's reputation is potentially being undermined by an antivirus software for no apparent reason. In any case, we wouldn't be talking about these issues here if ESET would not replace our perfectly valid certificate with their own inside the user's browser.
Cp3p0, Posted August 4, 2020
Holy hell, what's with you? You realize this isn't exclusive to ESET? Other AVs, even firewall solutions, perform similar actions. You're joking if you think this is, quote, "plain WRONG! And it's DISCRIMINATION to say the least". Man, thank you for the good laugh.
rotate4all (Author), Posted August 4, 2020
Well you keep on laughing as it seems you clearly missed the point here. My doubt here is why does ESET exclude some EV SSL secured sites from their SSL/TLS filtering system but not others/all? What are the criteria? In my opinion this is wrong and is discriminating because our EV SSL certificate is just as valid as any others'.
Marcos (Administrators), Posted August 4, 2020
While EV certificates used to matter and were excluded from filtering by default, this will change within the next few days and all communication will be scanned regardless of the type of certificate used. By the way, there is a big difference in trust between bank domains and ad providers.