HTTPS sites unaccessible when using vpn application

[esetUsr1 0]

I'm using ESS 9.0.381 on win 8.1 64bit with firefox browser. I'm having trouble accessing secure sites (https) that gives a firefox error page "Secure Connection Failed" when using vpn/proxy applications. At first I thought this was caused by firefox's vpn addon, so i tried using another vpn addon from firefox's official addon site (e.g. hoxx, zenmate) and another that is non-addon (e.g. betternet, zenmate windows version) but still unsuccessful. However, fortunately non-secure (http) sites can be accessed whether using the vpn application or not.

After days of web searching, I came upon this eset forum post that addresses about firefox addon update problem which does not occur to me. However, thanks to the post, i got the hint that my problem is due to ESET's certificate handling when ssl protocol filtering is enabled. I solve this issue by turning the ssl protocol filtering mode to interactive and then to wait for eset to pop out prompts when i enable/run the vpn application to manually ignore and remember action for the certificates used by the proxy application. For non-tech savvy or advanced user such as I, the solution is somewhat a hassle and troublesome thing to do. Therefore, there's another easier solution which is to entirely disable the ssl protocol filtering under "web and email" or https checking under "web access protection" which is also not a favourable method to those who care a lot about extra security which I also am because by doing so will "remove a layer of security and could expose your system to security risks", which was mentioned in here.

I noticed that when you disable ssl protocol filtering, the https checking slide bar is grayed out (not toggleable). Therefore, what happens when I enable ssl protocol filtering but disable https checking? What difference does it make compared to disabling ssl protocol filtering?

May I remind once more that this only occur when i'm using a vpn application/program to access sites that happen to be secure and trusted such as google, yahoo mail, youtube etc. Is this a problem/matter that has not yet been addressed by ESET? If so, please fix this issue in the upcoming versions of the software. Thank you.

[Marcos 5,070]

I noticed that when you disable ssl protocol filtering, the https checking slide bar is grayed out (not toggleable). Therefore, what happens when I enable ssl protocol filtering but disable https checking? What difference does it make compared to disabling ssl protocol filtering?

 

The difference between filtering and checking/scanning is that the former means if an https, pop3s and imaps communication will go through ekrn. The latter means if that communication will also be checked/scanned for malware or simply ignored. When disabling SSL filtering completely and re-enabling it, a new root certicate will be generated. If you only disable https scanning, the current ESET root certificate will remain installed.

[esetUsr1 0]

The difference between filtering and checking/scanning is that the former means if an https, pop3s and imaps communication will go through ekrn. The latter means if that communication will also be checked/scanned for malware or simply ignored. When disabling SSL filtering completely and re-enabling it, a new root certicate will be generated. If you only disable https scanning, the current ESET root certificate will remain installed.

 

So let's say if the ssl communication that went through ekrn contains malware, will it be ignored if https scanning disabled? Will there be another layer of protection by ESS to detect the malware after being ignored by https scanner?

What is the use of having those communications go through ekrn if their not scanned for malware? If nothing, then does that mean enabling ssl protocol filtering (or in other words making https, pop3s and imaps communication go through ekrn) is useless when disabling https scanning (or in other words ignore those communications for malware)? Please correct me if I'm wrong.

I would love to keep both settings (ssl protocol filtering and https scanning) enabled for more security. However, i find it quite troublesome due to the https connection issue it causes on vpn applications. Please tell me that it's still safe if I only disable https scanning and keep enabling ssl protocol filtering.

I apologize in advance if my words seems offensive as i have no intention to do so. Just trying to be straightforward as much as possible for clarity sake. I'm new about these anti-malware related terms and stuff. Thank you again.

Edited June 25, 2016 by esetUsr1

[itman 1,659]

I noticed that when you disable ssl protocol filtering, the https checking slide bar is grayed out (not toggleable). Therefore, what happens when I enable ssl protocol filtering but disable https checking? What difference does it make compared to disabling ssl protocol filtering?

I don't believe you can disable https checking and enable ssl protocol scanning. When you enable ssl protocol scanning, Eset will automatically enable HTTPS scanning.

 

Your only option I know of is to disable ssl protocol scanning and enable https scanning. In that setting, non-encrypted port 443 web traffic will be scanned for malware at the network level. Encrypted web traffic will not be scanned. Neither will any client e-mail encrypted traffic be scanned for malware at the network level. However, all e-mail and attachments will be scanned once they are opened in the e-mail client. 

[esetUsr1 0]

I don't believe you can disable https checking and enable ssl protocol scanning. When you enable ssl protocol scanning, Eset will automatically enable HTTPS scanning.

It seems that what you said about the toggling of ssl protocol filtering and https scanning is opposite to ESS configuration. Just as I have mentioned in previous post, the ssl protocol filtering is the one that controls the toggle for https scanner. If it is disabled, the https scanner will also be disabled whereas if enabled, the https scanner can be toggled on and off which is also described in the ESET help article that quotes "Encrypted communication will be not scanned. To enable the scanning of encrypted communication and view the scanner setup, navigate to SSL/TLS in Advanced setup section, click Web and email > SSL/TLS and enable the Enable SSL/TLS protocol filtering option." which is also what ESS9 that i'm using is configured to follow.

 

Your only option I know of is to disable ssl protocol scanning and enable https scanning. In that setting, non-encrypted port 443 web traffic will be scanned for malware at the network level. Encrypted web traffic will not be scanned. Neither will any client e-mail encrypted traffic be scanned for malware at the network level. However, all e-mail and attachments will be scanned once they are opened in the e-mail client.

Again as I mentioned earlier, I cannot enable https scanning if ssl protocol filtering is disabled, hence I'm unable to follow what you suggested. Besides, there's also a separate option for enabling non-secure http scanner described in the mentioned ESET help article.

Edited July 13, 2016 by esetUsr1

[Marcos 5,070]

With SSL protocol filtering enabled, you can disable HTTPS scanning. This give you an option to keep POP3S and IMAPS scanning enabled. Of course, disabling HTTPS scanning is not recommended as it's required for both scanning the HTTPS communication for malware and for blocking https websites via the Parental Control (home products) or Web Control (Endpoint products).

[esetUsr1 0]

With SSL protocol filtering enabled, you can disable HTTPS scanning. This give you an option to keep POP3S and IMAPS scanning enabled.

So in other words, what you mean here is, if SSL protocol filtering is enabled with HTTPS scanner disabled, the scanning of malware on HTTPS is ignored while the other communications (i.e. POP3S and IMAPS) will still be scanned for malware. Am I correct? Just to be absolutely sure.

 

Of course, disabling HTTPS scanning is not recommended as it's required for both scanning the HTTPS communication for malware and for blocking https websites via the Parental Control (home products) or Web Control (Endpoint products).

I see. I did not know that it is relative to Parental Control. Thanks for the new info.

 

And what about the HTTPS connection issue that occurs during the use of VPN application? Does HTTPS scanning supposed to work with VPN application in which it doesn't to me? Does anyone else encounter this problem or am I the only one? I guess I just have to stick with excluding the certificates used by the application from scanning.

Edited June 26, 2016 by esetUsr1

[esetUsr1 0]

Just like what I've mentioned in my previous posts, ESS has a bit of problem granting VPN applications access to HTTPS sites. This probably has something to do with the HTTPS scanning option that keeps refusing to verify the authenticity of the certificate used by the application to connect the browser to the proxy server with certificate/s that is/are issued by trusted certificate authority. For now, I will keep the certificate exclusions on tab since that's the most efficient and secure way for me rather than turning of SSL protocol filtering and/or HTTPS scanner. I hope that this issue will be fixed in future release of ESS.

[Marcos 5,070]

If the plug-in does not honor CA certificates in the Firefox trusted root CA certificate store, then there's nothing we could do about that. If it supports importing custom CA certificates, you should be able to export and import the ESET root certificate manually.

[esetUsr1 0]

If the plug-in does not honor CA certificates in the Firefox trusted root CA certificate store, then there's nothing we could do about that.

That's quite odd because the plug-in does honor CA certificates in the Firefox trusted root CA certificate store when HTTPS scanning disabled. The issue only happens when I enable HTTPS scanning. That is why I suspect HTTPS scanner causes the issue and not the plug-in.

 

If it supports importing custom CA certificates, you should be able to export and import the ESET root certificate manually.

Unfortunately, neither of the plugins and non-plugins previously mentioned support importing custom CA certificates. Why does the ESET root SSL certificate is self signed when it should be signed/issued by other trusted CA for validity?

Edited June 27, 2016 by esetUsr1

[itman 1,659]

Appears to me this FireFox VPN plug-in is designed to detect local man-in-the-middle activity that is performed using self-signed root CA store certificates. Since the certificate used by Eset for SSL protocol scanning falls in this category, the only solution is to get Mozilla to allow AV vendor self-signed root CA certificates for this VPN plug-in option. I seriously doubt that will happen. 

[esetUsr1 0]

Appears to me this FireFox VPN plug-in is designed to detect local man-in-the-middle activity that is performed using self-signed root CA store certificates. Since the certificate used by Eset for SSL protocol scanning falls in this category, the only solution is to get Mozilla to allow AV vendor self-signed root CA certificates for this VPN plug-in option. I seriously doubt that will happen. 

I see. So it seems the cause of failed HTTPS connection is due to the VPN application/server not verifying ESET self-signed SSL root certificate that is used to perform local man-in-the-middle activity between the client (firefox) and proxy server (VPN) for scanning purpose (HTTPS scanner). Well that's a bummer. Anyhow thanks for the info.

[rugk 397]

Appears to me this FireFox VPN plug-in is designed to detect local man-in-the-middle activity that is performed using self-signed root CA store certificates.

Exactly this seems to be the case. Actually this is a very good thing of the add-on, but in your particular case it is of course unwanted.

So basically one has to decide between ESET HTTPS scanning and using the VPN add-on. Always note that any files arriving on your disk are still scanned by ESET, so it is not too bad to disable HTTPS scanning unless you use features such as parental control.