Ignoring A Topic Is Not An Answer.....

[novice 20]

Dear Marcos,

 

Several weeks ago an user asked a question about  "AV updates use non encrypted user name / password"

The question was ignored by any ESET officials and bounced back and forth for a while.

 

Finally, you decided to acknowledge the topic and asked for more time to get more information before posting an official answer.

 

It's been a month since the OP posted the question; if you have an answer, please provide it.

 

If the answer is inconvenient for ESET or ESET doesn't want to provide an answer, please lock the topic.

 

 

Just ignoring the question shows lack of consideration for all ESET users.

 

Thanks!

 

Respectfully,

novice 

[Arakasi 549]

What a wonderful provocative thread.

 

Patience is a virtue.

 

They also already provided half of the response for you :
 

How would we then be able to inspect packets and troubleshoot update issues if the communication was encrypted?

Definitely this is not a serious issue, personally I assume that using https would cause many more issues with updates than with http plus it would make troubleshooting update issues much more difficult.

 

As rugk blatantly pointed out, he is worried about license misuse. My opinion on this is that there isn't that much license misuse if any on "legitimate" "real" licenses", only a lot of trash and misuse going on with trial accounts.

 

Take this scenario as an example:

If you have a license for 5 computers, and you are using all 5 on a network. If someone stole your license, and applied it on 1 computer. Only 4 of your computers would receive updates every hour. 1 of them would fail or quit working and you would know. Which would prompt you to call ESET or your provider of ESET. If someone applied all 5 , then you would really be having retarded issues because none of them would be working properly.

If you purchased many licenses from ESET for less or more computers, and are not watching them, working on them, or similar, then that is your own fault or the fault of your IT admin for not paying close attention to your network and security. If its for home use and you have 1 license, you would know if someone took it and was using it. What would you do ? Ignore it , or contact ESET support to find out why its having issues.

 

In a sense i repeat the following statement:

Partners, Distributors and ESET alike keep a close eye on the licenses and the clients they are assigned to. This is a fact. Any wrongful use, is looked in to immediately and appropriate action is put forth.

I have 100+ license under my belt that i take care of so far and if anything was going on i would know about it. Some partners have much much more and they are just as responsible.

 

My opinion about this is that ESET in a short answer said "don't worry about it, and we will provide an accurate and reasonable answer about the situation when we have the best answer to respond with".

I imagine they have already had meetings and discussions over this, as well as thoughts of implementing https updates, in which they will come to a conclusion and post back for us to see.

 

I might try to be defending ESET here, but i am a partner and it is almost in my direction as well because i sell the product and use it everyday on people, clients, friends and my family to stay protected.

 

Please have patience while they prepare, what most likely wil be a very huge response and may even make the press channel if big changes are implemented. The importance of the question is high and everyone knows it.

 

Thanks novice for posting

[Marcos 5,074]

Exactly, everything has been said and explained already. Maybe in the future there will be an option to switch to https but this should be optional not only because of adding balancers responsinble for SSL offloading to update servers but also to make it possible to use http and capture the traffic for analysis in the case of an update issue which would be impossible to do with https.

[novice 20]

Hi Marcos,

 

As you can see from previous post , it doesn't seem that "everything has been said and explained already"

 

Arakasi and some other users are still waiting for a "very huge response" and "even make the press channel" ; it has been highlighted that "The importance of this question is high and EVERYONE KNOWS IT" 

 

If this is all you have to offer, I will take it like a "YES, ESET does not encrypt user name and password" .

 

Than you for your answer!

novice

[rugk 397]

Just another scenario:

I bought a multi device license with 5 devices. Now I get a username and a password:

* username: EAV-0215366499

  password: **********

 

This licence now I can use for up to 5 devices. So after this I activated it on this 3 devices (and I want to activate the remaining devices later):

• PC: ESS
• Notebook: ESS
• Mobile: EMS for Android

So then I use a public (unknown) WLAN. Theoretically someone who uses the same WLAN could read out this license data (because it's sent unencrypted!). After this he can use it for some other devices.

But if he is clever he don't activates 10 other devices with this license, because then of course an overuse will be detected. So he just activates 2 ESET products. And then we have a problem:

• I: I don't know that my license data was stolen, because nowhere I can see it.
• ESET: In this case ESET also don't knows that the license data was stolen, because it isn't overused. Only 5 of 5 devices are using the license.

Effects:

And what this effects are I already described in another post.

 

I have 100+ license under my belt that i take care of so far and if anything was going on i would know about it.

No! How you should know? A license could be stolen and you don't notice it. That's the system of Man-in-the-middle attacks.

 

The solution:

sounds quite simple. Of course it isn't such simple because you have to improve the update and license system in many things, but it must be...

Encrypt the license data or at least the password!

 

And what Marcos said sounds quite good!

 

Maybe in the future there will be an option to switch to https but this should be optional not only because of adding balancers responsinble for SSL offloading to update servers but also to make it possible to use http and capture the traffic for analysis in the case of an update issue which would be impossible to do with https.

If they encrypt the update traffic in newer version this problem is solved.

And I also advocate to make it optional (for the reasons he said). But it should be set by default, because you should only disable HTTPS for troubleshooting and then you can switch back to the secure alternative.

 

* Of course this licence data is faked...

Edited July 30, 2014 by rugk
Password hidden.

[Arakasi 549]

No! How you should know? A license could be stolen and you don't notice it. That's the system of Man-in-the-middle attacks.

 

 

For 1 , the database i have

2. If its one home user, their ESET would quit working and they would call me.

3 if its a business, i manage all their computers from ERA, i would know when 1 quit working.

 

Let me put it clearly. IMPOSSIBLE FOR ANY OF MY CLIENTS LICENSES TO GET STOLEN AND I NOT KNOW ABOUT IT.

 

there...... *breath*, *pant*

:)

[rugk 397]

It's a home user. So nothing with ERA.

 

And if ESET works correctly (see my scenario), because no overuse occurred?

[Arakasi 549]

It's a home user

 

They would call me, trust me, everyone of my clients live near me and have my contact info.

 

Sorry Rugk, which scenario are you referring to ?