itman, posted April 14, 2015:

I thought from what was given in the SS 8 manual that if an HTTPS address was entered in the "list of addresses excluding from filtering", the domain would be excluded from SSL scanning. SSL protocol scanning is set to always.

I tried various formats such as https://www.bankofamerica.com, https://*.bankofamerica.com/*, etc., yet Eset SSL protocol scanning is still enabled by virtue of its cert. being used on the above domain web page.

rugk, posted April 14, 2015 (edited April 14, 2015):

You have to enter the domain without any protocol. So instead of https://*.eicar.org, e.g. enter *.eicar.org. I used this example because you can test it with the eicar file quite well.

But why would you like to exclude https://www.bankofamerica.com? I mean it's a legitimate site, but what would be the advantage to exclude it?

However, there is also another (better) way to exclude sites completely from SSL scanning: In the SSL scanning settings, under "certificates", there is a list of excluded certificates. You can add certificates there by following these steps:

1. Set SSL scanning to "Ask about non-visited sites (exclusions can be set)". (The last part is the interesting part for us.)
2. Visit the site you want to exclude.
3. You should be presented with a prompt which asks you what you want to do.
4. Finally, there you can click on the "Exclude" button at the left.

itman, posted April 14, 2015 (edited April 14, 2015):

> You have to enter the domain without any protocol. So instead of https://*.eicar.org, e.g. enter *.eicar.org. I used this example because you can test it with the eicar file quite well.
>
> But why would you like to exclude https://www.bankofamerica.com? I mean it's a legitimate site, but what would be the advantage to exclude it?
>
> However, there is also another (better) way to exclude sites completely from SSL scanning: In the SSL scanning settings, under "certificates", there is a list of excluded certificates. You can add certificates there by following these steps:
>
> 1. Set SSL scanning to "Ask about non-visited sites (exclusions can be set)". (The last part is the interesting part for us.)
> 2. Visit the site you want to exclude.
> 3. You should be presented with a prompt which asks you what you want to do.
> 4. Finally, there you can click on the "Exclude" button at the left.

Well, the *.bankofamerica.com url exclusion only worked on the www. domain; not on any of the 8+ other domain names it uses. It uses a cert. for each web page it displays on its web site. So I went the certificate exclusion route for those.

I also decided to let Eset's SSL protocol filter check the other domains I encountered on that site such as *.vo.mscnd.net, x.cardlytics.com, image.get.bills.com and God knows what else. You can't even trust your bank these days!

A suggestion to Eset is to follow Avast's lead and auto exclude all bank and major financial web sites from SSL filtering. Would save a lot of work for us poor users.

BTW - I exported Eset's certificate into Thunderbird and changed it to web site verification and that appears to be working OK.

Question - There was a web posting last year about Eset's SSL protocol downgrading TLS connections to ver 1.0. From what I can determine, that appears to be fixed. Is this indeed the case?

rugk, posted April 15, 2015:

Normally the exclusion (*.domain.com) should work on all subdomains.

About the thing with Avast: What advantage would it have to exclude all banking sites from SSL scanning?

About TLS support: I didn't find a post about this from last year, but a much more recent one: "SSL Inspection TLS 1.2 Support?" And there you can read that TLS 1.2 support is already implemented, but with Firefox it often falls down to TLS v 1.1.

I tested it and in my test the "newest" TLS version I could get was 1.0 (tested with Internet protection module: 1173B.3 (20150324)). But as you see, a fix will be released in Internet protection module 1181+.

itman, posted April 16, 2015 (edited April 16, 2015):

> About the thing with Avast: What advantage would it have to exclude all banking sites from SSL scanning?

Nothing should be intercepting encrypted data to sensitive web sites such as your banking sites and the like for any reason. It violates the whole principle behind SSL encryption. Sorry, I don't trust anyone when it comes to my financial data. I use EMET's certificate pinning for those sites to verify that the certificate authorization chain is intact.

If you can't trust your banking web site to be malware free, you need to find a different bank to do business with.

rugk, posted April 18, 2015:

Okay, I can understand this. Then you can exclude them. Adding this by default wouldn't be a good idea I think. Additionally there are many banking sites worldwide, so this would be a high effort for ESET.

But BTT you could exclude it now successfully?

itman, posted April 18, 2015:

> Okay, I can understand this. Then you can exclude them. Adding this by default wouldn't be a good idea I think. Additionally there are many banking sites worldwide, so this would be a high effort for ESET.
>
> But BTT you could exclude it now successfully?

Yes, was able to successfully exclude what I had to cert-wise. Was an interesting exercise in that I picked up a dodgy hidden cert. on the bank web site.

One solution would be for an option for Eset to allow cert path verification for excluded certs. but not scan the traffic using the SSL protocol feature. As I understand it, once the web site cert. is excluded, Eset will not verify the cert. chaining path to the Trusted Root CA store?

rugk, posted April 19, 2015:

> One solution would be for an option for Eset to allow cert path verification for excluded certs. but not scan the traffic using the SSL protocol feature. As I understand it, once the web site cert. is excluded, Eset will not verify the cert. chaining path to the Trusted Root CA store?

No, if it's excluded, not. This will then be done - like it's normally done - by your browser.

However, it doesn't matter "who" does it. The only advantage (besides the malware scanning of course) would be that you can (theoretically) check the certificates yourself and build up a list of trusted certificates with ESET. To do so you of course would need to use the mode "Ask...".
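
A client-side way to check the three things this thread turns on (whether a host is still being scanned, which TLS version was negotiated, and whether the leaf certificate matches a pin), added here as an example and not written by any poster or by ESET. The issuer marker, host names, issuer names and certificate bytes are constructed assumptions; set the marker to the issuer your browser shows on a scanned site.

```python
import hashlib
import socket
import ssl

FILTER_MARKER = "eset"  # assumption: the local filter's CA name contains this string
WEAK_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def issuer_text(peercert):
    """Flatten the issuer field of SSLSocket.getpeercert() into one string."""
    return ", ".join(f"{k}={v}" for rdn in peercert.get("issuer", ()) for k, v in rdn)

def assess(host, peercert, der, tls_version, pins):
    """Return findings for one connection; pins maps host -> SHA-256 hex of leaf DER."""
    findings = []
    issuer = issuer_text(peercert)
    if FILTER_MARKER in issuer.lower():
        findings.append(f"still scanned: leaf issued by {issuer}")
    if tls_version in WEAK_VERSIONS:
        findings.append(f"weak protocol negotiated: {tls_version}")
    if host in pins and pins[host] != hashlib.sha256(der).hexdigest():
        findings.append("leaf certificate does not match pin")
    return findings

def observe(host, port=443, timeout=5.0):
    """Live probe (needs network): peercert dict, leaf DER bytes, TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True), tls.version()

# Constructed sample observations (hypothetical hosts, issuers and DER bytes).
DIRECT = {"issuer": ((("organizationName", "Example Public CA"),),
                     (("commonName", "Example Public CA G1"),))}
FILTERED = {"issuer": ((("organizationName", "ESET (constructed sample)"),),
                       (("commonName", "Local SSL Filter CA"),))}
PINS = {"www.bank.example": hashlib.sha256(b"constructed-leaf-www").hexdigest(),
        "secure.bank.example": hashlib.sha256(b"constructed-leaf-secure").hexdigest()}

def demo():
    """Excluded host passes; a host the exclusion missed shows all three findings."""
    return {
        "www.bank.example": assess("www.bank.example", DIRECT,
                                   b"constructed-leaf-www", "TLSv1.2", PINS),
        "secure.bank.example": assess("secure.bank.example", FILTERED,
                                      b"re-signed-by-filter", "TLSv1", PINS),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "direct connection, pin matches")
```

For a live check, pass the three values returned by `observe(host)` to `assess` for every host name the site uses. Recent Python builds refuse TLS 1.0/1.1 by default, so a downgraded connection may surface as a handshake error from `observe` rather than as a finding.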