itman, posted January 29, 2016

Situation

I have SSL Protocol Filtering enabled. I have excluded one or more web sites from all web filtering using the url exclusion list in Web Access Protection. Next I verified using the option provided in url exclusion that indeed, Eset was not monitoring those web sites.

However, when I access an excluded SSL web site, Eset's root certificate still appears for that web site. Appears Eset is still performing certificate pinning for excluded SSL web sites.

I contend that if an SSL web site is excluded from all filtering, that includes the use of Eset's root certificate for the site.

Marcos (Administrators), posted January 29, 2016

I was unable to reproduce it. Could you check if the appropriate certificate is in the Excluded certificates list?

itman (Author), posted January 29, 2016 (edited)

The reason for exclusion of my bank web site by using url exclusion is that exclusion by SSL certificate exclusion method is not practical. My bank uses a unique SSL cert. for each web page it displays. For example, the url exclusion, https://*.bankname.com/*, covers 10+ unique SSL certs.

Additionally, the following factors apply. The bank will frequently replace existing SSL certs. I have also discovered in testing that if for some reason the Eset root cert. is replaced, all previously excluded SSL certificates are no longer currently excluded and the whole process has to be repeated all over again. Appears Eset links excluded SSL certs. to a specific Eset root cert.

I contend that url exclusion and SSL certificate exclusion methods should be mutually exclusive. If a web site url is excluded from web filtering, it is excluded from all Eset web filtering - both http and https. This includes all aspects of SSL protocol filtering such as certificate pinning. In other words when I display an excluded url bank's SSL web page, all aspects of the bank's EV cert. are in effect - the address toolbar is displayed in green, the cert. path for the bank's SSL cert. is chained to its issuing intermediate and root CA's, etc.

Edited January 29, 2016 by itman

itman (Author), posted February 1, 2016

> I was unable to reproduce it. Could you check if the appropriate certificate is in the Excluded certificates list?

Marcos, I am attaching the source html code for my bank's home web page as a .txt file. Hopefully, you will forward to the developers as an example of the problem with current SSL certificate exclusion processing.

The home page has 16 https links, many of which are dynamically linked to when the home page is displayed in the browser. So the problem is not in excluding the EV certificate for a given web site page but all the associated https: links that might appear on that page and on subsequently accessed sub-domain web pages.

I have no issue with manually excluding EV certificates although the process is burdensome. I do have issues with excluding all the other https certs. referenced on a given web page. I also believe that the whitelisting done for EV certs. in ver. 9 is misleading since Eset is not excluding all https web content on an EV cert. web site but only the html content associated with that web page. Again if EV cert. web sites are to be excluded from SSL protocol scanning, that means all content for that page is excluded.

Attachment: Bank of America — Banking, Credit Cards, Mortgages and Auto Loans.txt

Daffie, posted February 5, 2016 (edited)

@itman: I would not expect much response from ESET to this problem. Seems to me they have given up on SSL in v8. My topic is still unsolved after weeks.

https://forum.eset.com/topic/7050-dont-use-eset-ssl-protocol-filtering-in-v8/

Edited February 5, 2016 by Daffie

Marcos (Administrators), posted February 5, 2016

Bank of America uses separate certificates for each of the subdomains, i.e. not just one with CN="*.bankofamerica.com". As a result, in interactive mode (if Ask about non-visited sites is selected) ESET asks you about each certificate:

V9 is the first that has EV and some other trusted certificates excluded by default and doesn't nag you with prompts whenever a new certificate is detected.
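
Added example, not part of the thread and not ESET's code: one way to check, per host, whether sites covered by a URL exclusion mask still present a leaf certificate issued by the local filtering root. The issuer name "ESET SSL Filter CA", the glob-style reading of the mask, and the host names are assumptions; the sample certificate data is constructed.

```python
import fnmatch
import socket
import ssl

# Assumption: issuer CN of the local filtering root; use the name your browser shows.
FILTER_ISSUER_HINT = "ESET SSL Filter CA"

def issuer_common_name(peercert):
    """Extract the issuer CN from the dict returned by SSLSocket.getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def fetch_peercert(host, port=443, timeout=5.0):
    """Live lookup of the validated leaf certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_exclusion(mask, certs_by_host, hint=FILTER_ISSUER_HINT):
    """Hosts matched by the URL mask whose leaf is still issued by the filter root."""
    still_filtered = []
    for host, cert in sorted(certs_by_host.items()):
        # Assumption: the exclusion mask behaves like a shell-style glob on the URL.
        if not fnmatch.fnmatchcase("https://%s/" % host, mask):
            continue
        issuer = issuer_common_name(cert) or ""
        if hint.lower() in issuer.lower():
            still_filtered.append(host)
    return still_filtered

# Constructed sample: three hosts, each with its own certificate issuer.
SAMPLE = {
    "www.bankname.com": {"issuer": ((("commonName", "Example EV Issuing CA"),),)},
    "secure.bankname.com": {"issuer": ((("commonName", "ESET SSL Filter CA"),),)},
    "cdn.example.net": {"issuer": ((("commonName", "ESET SSL Filter CA"),),)},
}

if __name__ == "__main__":
    # secure.bankname.com matches the mask but is still re-signed locally.
    print(audit_exclusion("https://*.bankname.com/*", SAMPLE))
```

For a live check, build the dictionary with `{h: fetch_peercert(h) for h in hosts}` using the https hosts referenced by the page being tested.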