Jump to content

Archived

This topic is now archived and is closed to further replies.

jfroot

AV updates use non-encrypted username / password

Recommended Posts

Our security systems within our network notified us that all of our recently installed ESET clients are requesting AV updates using http with Basic authentication.

 

"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"

To: um21.eset.com

 

As basic authentication in HTTP is not-encrypted, it is trivial for anyone to intercept these requests and extract our username and password using any Base64 decoder. 

 

If you insist on using http over https, please utilize a more robust password hashing mechanism.

 

 

 

 

Share this post


Link to post
Share on other sites

If that's true then it's really a bad thing and it should be improved!

Especially because ESET also supports to use a proxy-server for updates and if this data is non-encrypted than every proxy server can freely read all usernames and passwords of users.

 

I also found another tip that indicates that updates are send over a HTTP connection. In the settings you can set a "HTTP-Proxy" and not a "HTTPS-Proxy":

post-3952-0-64933000-1403243971_thumb.png

Share this post


Link to post
Share on other sites

Hi,

 

Not that I fully understand the implication of "ESET updates over HTTP vs HTTPS" but seems a serious issue and would be interesting if someone can comment.

 

Thanks!

Share this post


Link to post
Share on other sites

ESET send much more data as only the username and password over an internet connection.

Here is a complete report what ESET sends (although there are also many open questions): AV-Comparatives - Data transmission in Internet security products

They also say there that the internet traffic is encrypted. But here it seems not so.

 

And it's not good when someone can steal your ESET license (username & password) data, because then he can get updates at the expensive of you. (Especially if you have a multi-device/-user-license it could be bad.)

 

So it would be good to get an answer from ESET stuff or moderators. Is the data encrypted? And what data is (not) encrypted?

Share this post


Link to post
Share on other sites

That's interesting discovery from OP. I hope we will get some answer or an update that will address this problem.

Share this post


Link to post
Share on other sites

No answer from ESET Moderators?

Share this post


Link to post
Share on other sites

Hi Marcos,

 

Your input in this issue would be very match appreciated!

 

Thanks! 

Share this post


Link to post
Share on other sites

This is especially hilarious because in the e-mail that ESET sends which contains the license key it says:

 

 

PRECAUTIONS 
Keep your Username and Password confidential; misuse can result in the cancellation of your license.

 

How are we supposed to do that if its being sent unencrypted over the internet?

Share this post


Link to post
Share on other sites

Hey,

 

at first thanks to all who don't give up and say again and again... that this is quite a serious issue. But you not only criticize you also bring proves! That's very good. :D

 

But:

Somebody of the ESET stuff/moderators should really answer now! :angry:

 

What is going on? Do you ignore this topic? Do you didn't want to hear you made something wrong? Or what else?

Share this post


Link to post
Share on other sites

No, we don't ignore it. I'm trying to get as much information as possible before I post an official reply. Definitely this is not a serious issue, personally I assume that using https would cause many more issues with updates than with http plus it would make troubleshooting update issues much more difficult.

Share this post


Link to post
Share on other sites

Oh, such a quick answer of you... :o

 

Definitely this is not a serious issue

 

You think so? I already said what can be badly:

 

And it's not good when someone can steal your ESET license (username & password) data, because then he can get updates at the expensive of you. (Especially if you have a multi-device/-user-license it could be bad.)

 

And I think if I go to an internet café and the next day I want to install ESET on another PC - and I want to activate it with a multi user license - and then it "says" that the license is already in use* although I know that the number of

devices I can use is not overstepped (and also not the equal) then I wouldn't say this is not a serious issue.

 

personally I assume that using https would cause many more issues with updates than with http plus it would make troubleshooting update issues much more difficult.

 

OK if it's difficult then make it like jfroot already suggested:

 

If you insist on using http over https, please utilize a more robust password hashing mechanism.

 

Just encrypt it using other methods.

 

* I don't know if it really would display this. Maybe it only would stop updating.
 

Share this post


Link to post
Share on other sites

Thank you Marcos for your response. Glad to know that this issue is not ignored. Will wait till you get all the info needed for official response. 

Share this post


Link to post
Share on other sites

So, I think we waited quite long... :huh:

 

So what's your answer ESET?

Share this post


Link to post
Share on other sites

I am curious too, Marcos.

 

Thanks!

Share this post


Link to post
Share on other sites

Perhaps this is why there are so many NOD32 "Username/Password" combinations easily available for download on the web !!

Hello

 

I imagine those are from carelessness and trials. None of my accounts are compromised. I use encrypted e-mails. Rackspace hosts. An encrypted drive, Deslock. I follow the company rules and guidelines.

I have 108 + mine, my families, my friends. Growing.....

As soon as i even remotely thought of some kind of license issue, i would be on the phone getting it dealt with.

 

As far as the credentials transmitted back and forth.........

We still just need to be patient and await a company response. Assumptions get us no where. :);)

Share this post


Link to post
Share on other sites

We are working on a new license management system where administrators will be able to manage particular licenses. This should also address the concerns mentioned in this topic. As for home users, the appropriate distributor should send a notification if a license leaks or is being overused.

Share this post


Link to post
Share on other sites

As I wrote here it's difficult for ESET to find out if an unauthorized person is using the licence. I could also activated the licence so if it don't exceed the count of devices that I (ans also the "bad guy"  ;)) can use it. How ESET should get out that there's something wrong?

And it's nice that system administrators can manage licenses, but this topic is in the "ESET Home User Products"-part, so we want a solution for home user products.

 

I also don't see a really solution. The easiest and best solution is to encrypt the password or also just send it all over an HTTPS connection. So what it difficult about this? You also use HTTPS at this forum so more than ever you should use it at the updates.

 

You have to solve the problem at the cause. That ESET would maybe minimize the effect if a licence will be stolen is good, but it don't solves the problem.

To minimize the effect it would also be good to have an online dashboard were you can see yourself if a licence is used by a device that you don't known and then you should be able to delete the licence directly from the online dashboard (without calling ESET or something cumbersome).

Share this post


Link to post
Share on other sites

I also don't see a really solution. The easiest and best solution is to encrypt the password or also just send it all over an HTTPS connection. So what it difficult about this? You also use HTTPS at this forum so more than ever you should use it at the updates.

 

How would be then able to inspect packets and troubleshoot update issues if the communication was encrypted? Troubleshooting update issues and using SSL on this forum are very different things. We don't spy on you and don't strictly check the number of licenses being used. However, as already said, our distributors are able to check license use and notify the user if overuse is detected and take appropriate measures to prevent unauthorized users from using the license. Home users have up to 5 licenses so the argument that one wouldn't remember on which devices a license was installed sounds weird to say the least.

Share this post


Link to post
Share on other sites

I just got a phone call 5 minutes ago from 1 of my clients who cannot update.

It is my job to find out why, and troubleshoot. This is one example.

If a distributor cannot maintain and secure his clients, they should not be a distributor and i am sure ESET takes the appropriate action.

Of course ESET can detect license misuse also.

 

I have to agree, someone incapable of keeping up with 5 devices seems to escape me. :(

Share this post


Link to post
Share on other sites

Troubleshooting update issues and using SSL on this forum are very different things.

 

Yes, I admit that this would be maybe a problem. But then just make a setting where the user can put off the encryption (HTTPS --> HTTP), only for temporary troubleshooting.

 

We don't spy on you and don't strictly check the number of licenses being used.

OK,  :huh:  piracy protection... very good! ^^

I also don't know what this have to do with this topic? Should it mean "Hey, guys outside - just steal the licence information of some users - We anyway don't check how many devices are using the licence!"?

 

However, as already said, our distributors are able to check license use and notify the user if overuse

 

Yeah; I already said that if the license is overused then there is of course no problem for your distributors to find it out. But if I e.g. only use 2 of my 3 devices license and then somebody steals my licence and activates another device the license isn't overused and I can't detected it!

Share this post


Link to post
Share on other sites

@Arakasi: I'm not quite sure what you want to say with this. This topic isn't a topic called "How can ESET prevent software piracy?". It's just about an issue in their update system.

 

Like I described many times with this issue a licence can theoretically be stolen and activated on another device. This has 2 (or 3) effects:

  1. Maybe the licence get's overused. Then it's a problem for ESET (software piracy). But this is is a offtopic.
  2. The user will probably arouse suspicion, because ESET thinks he (= the user) maybe wanted to overuse his license.
  3. The user maybe will not be able to use the licence on another device, because it will be locked.

Share this post


Link to post
Share on other sites

Heys :)

 

I agree with the misuse being a little off-topic.

Share this post


Link to post
Share on other sites

So back to topic.

 

I only wanted to link to this topic because here @novice complains about the fact that we didn't get good answers to this topic in a appropriate time...

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...