AV updates use unencrypted username/password


jfroot


Our security systems within our network notified us that all of our recently installed ESET clients are requesting AV updates using HTTP with Basic authentication.

 

"ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted"

To: um21.eset.com

 

As Basic authentication in HTTP is not encrypted, it is trivial for anyone to intercept these requests and extract our username and password using any Base64 decoder.

 

If you insist on using HTTP over HTTPS, please utilize a more robust password hashing mechanism.

 

 

 

 


If that's true then it's really a bad thing and it should be improved!

Especially because ESET also supports using a proxy server for updates, and if this data is unencrypted then every proxy server can freely read all users' usernames and passwords.

 

I also found another hint that indicates that updates are sent over an HTTP connection. In the settings you can set an "HTTP Proxy" and not an "HTTPS Proxy":

[screenshot: the proxy setting in the update configuration, labelled "HTTP Proxy"]

Edited by rugk
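To make the OP's finding and the proxy remark above concrete, here is an added example (not part of the original thread, and not ESET's code) of what an on-path observer, an IDS or a forwarding proxy actually does with such a request. Everything in the sample traffic is constructed: the licence name, password, URI path, realm and nonce are made up, and only the host name is the one quoted in the thread. The Python mimics the logic of the quoted ET POLICY signature rather than its real Suricata syntax. A Digest-authenticated request is included for contrast, as the standard HTTP "password hashing" alternative that jfroot's suggestion points at: it is an assumption of this example, not something ESET is known to support.

```python
import base64
import hashlib
from typing import Optional

# Constructed sample traffic, not a real capture. The host name is the one
# quoted in the thread; the licence name, password, URI path, realm and
# nonce are made up for this example.
USER = "EAV-12345678"
PASSWORD = "secretpass"
URI = "/updates/update.ver"
REALM = "eset-update"
NONCE = "0123456789abcdef"

# Plain-HTTP update request carrying the licence as Basic credentials.
# The blob is base64("EAV-12345678:secretpass"): encoding, not encryption.
BASIC_REQUEST = (
    f"GET {URI} HTTP/1.1\r\n"
    "Host: um21.eset.com\r\n"
    "Authorization: Basic RUFWLTEyMzQ1Njc4OnNlY3JldHBhc3M=\r\n"
    "\r\n"
)


def digest_response(user: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response (MD5, no qop): md5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


# Same request with Digest authentication, for contrast: the password itself
# never appears on the wire, only a hash bound to the server's nonce.
_RESPONSE = digest_response(USER, REALM, PASSWORD, "GET", URI, NONCE)
DIGEST_REQUEST = (
    f"GET {URI} HTTP/1.1\r\n"
    "Host: um21.eset.com\r\n"
    f'Authorization: Digest username="{USER}", realm="{REALM}", '
    f'nonce="{NONCE}", uri="{URI}", response="{_RESPONSE}"\r\n'
    "\r\n"
)


def parse_headers(raw: str) -> dict:
    """Header block of a raw HTTP request as {lowercased-name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                         # empty line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_basic_credentials(raw: str) -> Optional[tuple]:
    """Return (username, password) if the request carries Basic auth, else None.

    A forwarding proxy sees exactly these bytes, so Proxy-Authorization is
    checked as well as Authorization.
    """
    headers = parse_headers(raw)
    for name in ("authorization", "proxy-authorization"):
        scheme, _, blob = headers.get(name, "").partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            return user, password
    return None


def detect_cleartext_basic_auth(raw: str) -> Optional[dict]:
    """Alert in the spirit of the ET POLICY rule quoted in the thread.

    Only plaintext HTTP can be inspected this way; the same request inside
    TLS exposes neither the header nor the credentials to an observer.
    """
    creds = extract_basic_credentials(raw)
    if creds is None:
        return None
    return {
        "alert": "Outgoing Basic Auth Base64 HTTP Password detected unencrypted",
        "host": parse_headers(raw).get("host"),
        "username": creds[0],
        "password": creds[1],
    }


if __name__ == "__main__":
    print(detect_cleartext_basic_auth(BASIC_REQUEST))
    print(detect_cleartext_basic_auth(DIGEST_REQUEST))   # None: nothing to decode
```

Running it shows the Basic request yielding the full licence name and password to anyone on the path, while the Digest request gives an observer only a nonce-bound hash. Note that Digest (MD5) is itself a weak scheme by today's standards and does nothing for the rest of the update traffic; it only illustrates why "hashing" rather than base64 changes what an interceptor learns. TLS for the whole update session is the real fix.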

Hi,

 

Not that I fully understand the implication of "ESET updates over HTTP vs HTTPS", but it seems a serious issue and it would be interesting if someone could comment.

 

Thanks!


ESET sends much more data than just the username and password over an internet connection.

Here is a complete report on what ESET sends (although there are also many open questions): AV-Comparatives - Data transmission in Internet security products

It also says there that the internet traffic is encrypted. But here it seems not to be.

 

And it's not good when someone can steal your ESET license (username & password) data, because then he can get updates at your expense. (Especially if you have a multi-device/-user license it could be bad.)

 

So it would be good to get an answer from ESET staff or moderators. Is the data encrypted? And what data is (not) encrypted?

Edited by rugk

That's an interesting discovery from the OP. I hope we will get some answer or an update that will address this problem.


This is especially hilarious because in the e-mail that ESET sends containing the license key, it says:

 

 

PRECAUTIONS 
Keep your Username and Password confidential; misuse can result in the cancellation of your license.

 

How are we supposed to do that if it's being sent unencrypted over the internet?


Hey,

 

First, thanks to all who don't give up and keep saying again and again that this is quite a serious issue. And you don't only criticize, you also bring proof! That's very good. :D

 

But:

Somebody from the ESET staff/moderators should really answer now! :angry:

 

What is going on? Are you ignoring this topic? Don't you want to hear that you did something wrong? Or what else?

Edited by rugk

  • Administrators

No, we don't ignore it. I'm trying to get as much information as possible before I post an official reply. Definitely this is not a serious issue; personally, I assume that using HTTPS would cause many more issues with updates than HTTP, plus it would make troubleshooting update issues much more difficult.


Oh, such a quick answer from you... :o

 

Definitely this is not a serious issue

 

You think so? I already said what can go badly:

 

And it's not good when someone can steal your ESET license (username & password) data, because then he can get updates at the expensive of you. (Especially if you have a multi-device/-user-license it could be bad.)

 

And if I go to an internet café, and the next day I want to install ESET on another PC and activate it with a multi-user license, and it then "says" that the license is already in use* although I know that the number of devices I can use has not been exceeded (or even reached), then I wouldn't say this is not a serious issue.

 

personally I assume that using https would cause many more issues with updates than with http plus it would make troubleshooting update issues much more difficult.

 

OK, if it's difficult then do it like jfroot already suggested:

 

If you insist on using http over https, please utilize a more robust password hashing mechanism.

 

Just encrypt it using other methods.

 

* I don't know if it really would display this. Maybe it would only stop updating.

Edited by rugk

Thank you Marcos for your response. Glad to know that this issue is not ignored. Will wait until you get all the info needed for an official response.


  • 3 weeks later...

Perhaps this is why there are so many NOD32 "Username/Password" combinations easily available for download on the web!!

Hello

 

I imagine those are from carelessness and trials. None of my accounts are compromised. I use encrypted e-mails. Rackspace hosts. An encrypted drive, DESlock. I follow the company rules and guidelines.

I have 108, plus mine, my family's, my friends'. Growing.....

As soon as I even remotely thought of some kind of license issue, I would be on the phone getting it dealt with.

 

As far as the credentials transmitted back and forth.........

We still just need to be patient and await a company response. Assumptions get us nowhere. :);)

Edited by Arakasi

  • Administrators

We are working on a new license management system where administrators will be able to manage particular licenses. This should also address the concerns mentioned in this topic. As for home users, the appropriate distributor should send a notification if a license leaks or is being overused.


As I wrote here, it's difficult for ESET to find out if an unauthorized person is using the licence. I could also have activated the licence myself, so as long as the count of devices isn't exceeded, I (and also the "bad guy" ;)) can use it. How should ESET find out that there's something wrong?

And it's nice that system administrators can manage licenses, but this topic is in the "ESET Home User Products" part, so we want a solution for home user products.

 

I also don't see a real solution. The easiest and best solution is to encrypt the password or just send it all over an HTTPS connection. So what is difficult about this? You also use HTTPS on this forum, so more than ever you should use it for the updates.

 

You have to solve the problem at the cause. That ESET would maybe minimize the effect if a licence is stolen is good, but it doesn't solve the problem.

To minimize the effect it would also be good to have an online dashboard where you can see for yourself if a licence is used by a device that you don't know, and then you should be able to delete the licence directly from the online dashboard (without calling ESET or something cumbersome).

Edited by rugk

  • Administrators

I also don't see a real solution. The easiest and best solution is to encrypt the password or just send it all over an HTTPS connection. So what is difficult about this? You also use HTTPS on this forum, so more than ever you should use it for the updates.

 

How would one then be able to inspect packets and troubleshoot update issues if the communication was encrypted? Troubleshooting update issues and using SSL on this forum are very different things. We don't spy on you and don't strictly check the number of licenses being used. However, as already said, our distributors are able to check license use and notify the user if overuse is detected and take appropriate measures to prevent unauthorized users from using the license. Home users have up to 5 licenses, so the argument that one wouldn't remember on which devices a license was installed sounds weird to say the least.


I just got a phone call 5 minutes ago from one of my clients who cannot update.

It is my job to find out why, and troubleshoot. This is one example.

If a distributor cannot maintain and secure his clients, they should not be a distributor, and I am sure ESET takes the appropriate action.

Of course ESET can detect license misuse also.

 

I have to agree; someone incapable of keeping up with 5 devices seems to escape me. :(


Troubleshooting update issues and using SSL on this forum are very different things.

 

Yes, I admit that this could be a problem. But then just make a setting where the user can turn off the encryption (HTTPS --> HTTP), only for temporary troubleshooting.

 

We don't spy on you and don't strictly check the number of licenses being used.

OK, :huh: piracy protection... very good! ^^

I also don't know what this has to do with this topic. Should it mean "Hey, guys outside, just steal the licence information of some users, we don't check how many devices are using the licence anyway!"?

 

However, as already said, our distributors are able to check license use and notify the user if overuse

 

Yeah, I already said that if the license is overused then there is of course no problem for your distributors to find it out. But if I e.g. only use 2 of my 3-device license and then somebody steals my licence and activates another device, the license isn't overused and I can't detect it!

Edited by rugk

@Arakasi: I'm not quite sure what you want to say with this. This topic isn't called "How can ESET prevent software piracy?". It's just about an issue in their update system.

 

Like I described many times, with this issue a licence can theoretically be stolen and activated on another device. This has 2 (or 3) effects:

  1. Maybe the licence gets overused. Then it's a problem for ESET (software piracy). But this is off-topic.
  2. The user will probably arouse suspicion, because ESET thinks he (= the user) maybe wanted to overuse his license.
  3. The user maybe will not be able to use the licence on another device, because it will be locked.
Edited by rugk

This topic is now closed to further replies.