itman 1,758 Posted June 9, 2016

Just want to be sure Eset is aware of this since I posted details in another thread: https://forum.eset.com/topic/8609-eset-secure-browser-issue/?p=45687

xxJackxx 95 (ESET Insiders) Posted June 9, 2016

I can duplicate this with the beta Internet Security 10.

itman 1,758 (Author) Posted June 10, 2016 (edited)

Allowing SSL 3.0 connections makes you vulnerable to a POODLE attack: https://www.us-cert.gov/ncas/alerts/TA14-290A

I am disabling Eset SSL protocol scanning until Eset fixes this issue, which I hope is soon.

-EDIT- This issue appears to be not related to Eset SSL protocol scanning after all. After disabling it, I can still connect to the Bank of India web site: https://www.onlinesbi.com/

So there is something definitely "fishy" about this web site in that it has the ability to somehow override IE 11's setting not to allow SSL 3.0 connections. As I showed in the original thread on this subject, this web site is using SSL 3.0 protocol.

Edited June 10, 2016 by itman

Marcos 5,298 (Administrators) Posted June 10, 2016

I received a warning from a browser that the website supports an insecure protocol or something along that line, but in the end TLS 1.2 was used regardless of whether SSL scanning was enabled or not.

itman 1,758 (Author) Posted June 10, 2016

Below is a screen shot from Qualys noting that its simulated IE 11 running on Win 7 connection to the Bank of India is connecting at TLS 1.2. Note that this is a simulated connection and not an actual one.

My take on what is going on is an external MITM is occurring for the connection. Its purpose is to do a phony SSL 3.0 to TLS 1.2 upgrade on connection to the browser and the reverse on the connection from the browser to BOI's server. The manipulation is not perfect and my IE 11 browser sees the connection as SSL 3.0.

itman 1,758 (Author) Posted June 10, 2016

Here's what happens when I connect to another URL associated with this State Bank of India. Qualys does verify that this site supports TLS 1.0, 1.1, and 1.2. IE11 won't let me connect to this site due to the insecure cyphers it uses:

itman 1,758 (Author) Posted June 11, 2016

Marcos, looks like you are correct about the TLS 1.2 protocol connection status for https://www.onlinesbi.com/

For some inexplicable reason, IE11 will on occasion not show the real protocol connection status of a web page upon initial browser display of it. Appears to have something to do with web page caching as best as I can determine. A refresh of the web page will show the actual protocol connection status.

rugk 397 Posted July 7, 2016 (edited)

Actually, if you look at the SSLLabs scan, the site does support SSL 3.0 and TLS 1.0 up to TLS 1.2. That's why a client can connect to it using a higher protocol version. Of course the site should not support SSL 3.0, but that must be reported to the site owners.

To really test whether ESET's SSL scanning (or any other thing such as browsers or other Man-in-the-middle software) is vulnerable to Poodle (that's how the attack using SSL 3.0 as a fallback is called) you can use this test site: https://www.poodletest.com/

As for ESET, I've already proposed the option to be able to disable SSL 3 completely a long time ago, but there was no reaction from ESET and until now it is not there (also not in the ESS 10 Beta), which I think is sad as they already have this option for SSL 2, so it would only be logical to also add it for SSL 3.

Edited July 7, 2016 by rugk

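Added example (not part of any post in this thread, and not ESET's or any browser's code): a simplified Python model of the version negotiation discussed above, showing why a server that still offers SSL 3.0 normally ends up on TLS 1.2, and which client/server settings keep a disrupted handshake from falling back to SSL 3.0. The function names and the client and server version sets are hypothetical and constructed for illustration; TLS_FALLBACK_SCSV is the mitigation defined in RFC 7507.

```python
# Added illustration: simplified model of SSL/TLS version negotiation.
# All names and the sample version sets are constructed for this example.
ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest
SERVER = list(ORDER)          # server offering SSL 3.0 up to TLS 1.2
CLIENT_SSL3_OFF = ORDER[1:]   # client with SSL 3.0 disabled
CLIENT_SSL3_ON = list(ORDER)  # client with SSL 3.0 still enabled


def negotiate(client, server, offered_max=None):
    """Version a handshake settles on, or None when nothing is shared.

    The client offers its highest version (offered_max on a retry); the
    server answers with the highest version it supports at or below that.
    """
    ceiling = offered_max or max(client, key=ORDER.index)
    shared = [v for v in ORDER[:ORDER.index(ceiling) + 1]
              if v in client and v in server]
    return shared[-1] if shared else None


def worst_case(client, server, client_falls_back=True, fallback_scsv=False):
    """Lowest version a connection can end up on if handshakes are disrupted.

    client_falls_back: the client retries with a lower offer after a failure.
    fallback_scsv: both ends implement TLS_FALLBACK_SCSV, so the server
    rejects a retry that offers less than the best version it supports.
    """
    normal = negotiate(client, server)
    if normal is None or not client_falls_back or fallback_scsv:
        return normal
    # Without the safeguard, retries can walk down to the lowest shared version.
    return min((v for v in client if v in server), key=ORDER.index)


if __name__ == "__main__":
    for name, client in [("SSL 3.0 off", CLIENT_SSL3_OFF),
                         ("SSL 3.0 on", CLIENT_SSL3_ON)]:
        print(name,
              "| normal:", negotiate(client, SERVER),
              "| after fallback:", worst_case(client, SERVER),
              "| with SCSV:", worst_case(client, SERVER, fallback_scsv=True))
```
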