Daffie, posted December 29, 2015 (edited December 29, 2015)

https://device5.co.uk/blog/do-not-use-eset-ssl-protocol-filtering.html

After reading this article I am not so convinced I am doing the right thing by enabling SSL protocol filtering in Smart Security v8. They seem to be making valid points in this article.

> Not only that, the ESET application downloads page (and the download itself) is served over unencrypted HTTP, meaning malicious actors can easily serve up modified and/or malicious versions of the ESET application without raising suspicion.

This still seems valid: the download of the installer is over unencrypted HTTP.

> Not only that, inspecting SSL negotiation with Wireshark shows the ESET application actually downgrades your SSL connection to TLSv1.0 even if your browser and the site you are visiting would normally use the much stronger TLSv1.1 or TLSv1.2. You may remember that TLSv1.0 is vulnerable to the BEAST attack and should generally not be used.

This part about TLSv1.0 also seems worrying to me!

They end the article with:

> So, should you use ESET SSL protocol filtering? In my opinion, no. Leave it switched off. It isn't worth giving a proprietary program access to view and alter all your secure communications on the off-chance it might catch a threat occasionally. It also results in false positives, claiming that valid certificates have issues and should not be trusted. If you want to take advantage of the part of this feature that restricts using SSLv2, then you should use your browser settings to do this instead of using ESET.

I would appreciate feedback from ESET on this article. I am using the ESET SSL protocol filtering at the moment, but I am not so sure anymore after reading this.
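The article's Wireshark observation can be checked against a capture of your own. The script below is an added example, not code from the linked article, from the NDSS paper cited later in this thread, or from ESET. It parses the ClientHello and ServerHello records the way a dissector does, reports the record-layer version, the hello's legacy version field and the supported_versions extension, and classifies a handshake as "ok", "client_capped" (the ClientHello never offered the expected version, which is what an interposing proxy that only speaks TLS 1.0 looks like on the wire) or "server_downgraded" (offered, but the server picked lower). The handshakes it runs on are constructed by hand, not captured traffic; the function names and the TLS 1.2 threshold are this example's own choices.

```python
"""Report the TLS versions offered and selected in a ClientHello/ServerHello pair.

Added example (not from the article or ESET). Sample records are constructed.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 section 4.2.1


def version_name(code):
    return VERSION_NAMES.get(code, "unknown(0x%04x)" % code)


def _parse_extensions(data):
    """Return {type: data} for an extensions block whose 2-byte length is consumed."""
    exts, pos = {}, 0
    while pos + 4 <= len(data):
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        exts[ext_type] = data[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def parse_handshake_record(record):
    """Parse one handshake record carrying a ClientHello (1) or ServerHello (2)."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record (content type %d)" % content_type)
    body = record[5:5 + record_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                      # legacy version + 32-byte random
    pos += 1 + hs[pos]                # session id
    if hs_type == 1:                  # ClientHello: cipher suite list, compression list
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 1 + hs[pos]
    elif hs_type == 2:                # ServerHello: one cipher suite, one compression byte
        pos += 3
    else:
        raise ValueError("unsupported handshake type %d" % hs_type)
    supported = []
    if pos + 2 <= len(hs):            # extensions are optional in both hellos
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        sv = _parse_extensions(hs[pos + 2:pos + 2 + ext_len]).get(EXT_SUPPORTED_VERSIONS)
        if sv is not None and hs_type == 1:   # client form: 1-byte length + version list
            supported = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
        elif sv is not None:                   # server form: the single selected version
            supported = [struct.unpack("!H", sv[:2])[0]]
    return {"type": "ClientHello" if hs_type == 1 else "ServerHello",
            "record_version": record_version, "legacy_version": legacy_version,
            "supported_versions": supported}


def offered_max_version(client_hello):
    """Highest version the client is willing to negotiate."""
    info = parse_handshake_record(client_hello)
    return max(info["supported_versions"] + [info["legacy_version"]])


def negotiated_version(server_hello):
    """Version the server selected; supported_versions overrides the legacy field."""
    info = parse_handshake_record(server_hello)
    return info["supported_versions"][0] if info["supported_versions"] else info["legacy_version"]


def check_handshake(client_hello, server_hello, expected_min=0x0303):
    """'ok', 'client_capped' (never offered expected_min) or 'server_downgraded'."""
    offered, chosen = offered_max_version(client_hello), negotiated_version(server_hello)
    if chosen >= expected_min:
        return "ok"
    return "client_capped" if offered < expected_min else "server_downgraded"


def _wrap(hs_type, record_version, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_version, len(hs)) + hs


def build_client_hello(legacy_version, supported=()):
    """Constructed minimal ClientHello (sample input, not captured traffic)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"   # zeroed random, no sid
    body += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"           # one suite, null compression
    if supported:
        sv = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    return _wrap(1, 0x0301, body)


def build_server_hello(legacy_version, selected=None):
    """Constructed minimal ServerHello (sample input, not captured traffic)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected is not None:
        sv = struct.pack("!H", selected)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
        body += struct.pack("!H", len(ext)) + ext
    return _wrap(2, legacy_version, body)


if __name__ == "__main__":
    cases = {"browser direct": (build_client_hello(0x0303), build_server_hello(0x0303)),
             "proxy capped at 1.0": (build_client_hello(0x0301), build_server_hello(0x0301)),
             "server chose lower": (build_client_hello(0x0303), build_server_hello(0x0301))}
    for label, (ch, sh) in cases.items():
        print("%-20s offered %s, negotiated %s -> %s" % (
            label, version_name(offered_max_version(ch)),
            version_name(negotiated_version(sh)), check_handshake(ch, sh)))
```

To use it on real traffic, export the first TLS record of the ClientHello and ServerHello from Wireshark ("Export Packet Bytes" on the TLS layer) and pass those bytes in place of the constructed ones. A "client_capped" result with filtering enabled and "ok" with it disabled is exactly the behaviour the article describes; a browser's own TLS indicator only tells you what the browser negotiated with whatever terminated its connection, which under interception is the local proxy, not the site.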
itman, posted December 29, 2015

> Not only that, inspecting SSL negotiation with Wireshark shows the ESET application actually downgrades your SSL connection to TLSv1.0 even if your browser and the site you are visiting would normally use the much stronger TLSv1.1 or TLSv1.2. You may remember that TLSv1.0 is vulnerable to the BEAST attack and should generally not be used.
>
> This part about TLSv1.0 also seems worrying to me!

Not a problem with the latest .319 version of SS 8. All my HTTPS web pages show TLS 1.2. You can verify this using your browser. You can also exclude privacy-sensitive web sites from protocol scanning; I do.

SSL protocol scanning is a bit of a "you're damned if you do, and you're damned if you don't" quandary. I will say I have been using it for a while now and never encountered an HTTPS web site that ESET alerted to as malicious.
Daffie (author), posted December 29, 2015

> Not a problem with the latest .319 version of SS 8. All my HTTPS web pages show TLS 1.2. You can verify this using your browser. You can also exclude privacy-sensitive web sites from protocol scanning; I do.
>
> SSL protocol scanning is a bit of a "you're damned if you do, and you're damned if you don't" quandary. I will say I have been using it for a while now and never encountered an HTTPS web site that ESET alerted to as malicious.

I also checked this in my browser (Waterfox, latest version) and it showed TLS 1.0! How can this be? I had to manually install the ESET SSL root certificate because I am using a portable installation of Waterfox, but that should have nothing to do with it. Any ideas why it is showing TLS 1.0 here?
Marcos (ESET administrator), posted December 29, 2015

> Not only that, inspecting SSL negotiation with Wireshark shows the ESET application actually downgrades your SSL connection to TLSv1.0 even if your browser and the site you are visiting would normally use the much stronger TLSv1.1 or TLSv1.2. You may remember that TLSv1.0 is vulnerable to the BEAST attack and should generally not be used.

This is a problem with Schannel, which ignores the information that TLS 1.2 is supported. If the remote server used 1.2, though, it would work, but some rely on the inaccurate information provided by Schannel. Not sure if MS has addressed this in a hotfix; I will try to get more info from our devs.
Daffie (author), posted December 29, 2015

Thanks Marcos, looking forward to it. I am using Windows 7 Enterprise x64, by the way.
Daffie (author), posted December 30, 2015

> This is a problem with Schannel, which ignores the information that TLS 1.2 is supported. If the remote server used 1.2, though, it would work, but some rely on the inaccurate information provided by Schannel. Not sure if MS has addressed this in a hotfix; I will try to get more info from our devs.

Hi Marcos, any news about this yet? If I understand your post correctly, you are saying that although my browser is saying TLSv1.0, in fact it is using TLSv1.2? I need to be sure; I do not want to be more exposed than needed. If this is not the case, I am better off turning SSL protocol filtering off in ESET.
Daffie (author), posted January 5, 2016

https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf

Reading these kinds of reports is not making me less concerned. I have turned SSL protocol filtering OFF for now until someone from ESET can explain why ESET is vulnerable to BEAST and FREAK. This is not acceptable for a product that should make you more secure, not less.
Megachip, posted January 7, 2016

Doing a MITM attack for security reasons is never a good decision. Also, most apps will not support certificate hijacking, and with certificate pinning it will not work either...
Daffie (author), posted January 17, 2016

Anyone from ESET looking into this?