Topic: Anti-Virus users should be aware

Skuzzy (Support Member, Administrator)
Anti-Virus users should be aware
« on: February 09, 2017, 01:56:09 PM »
You guys running anti-xxxx software might want to take a gander at this.  Even ESET got an 'F'.

http://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/

Finally makes sense why so many secure connections are getting violated.
Roy "Skuzzy" Neese
support@hitechcreations.com

pembquist
Re: Anti-Virus users should be aware
« Reply #1 on: February 09, 2017, 05:00:31 PM »
Oh Joy! So what exactly is a user supposed to do?
Pies not kicks.

Chalenge
Re: Anti-Virus users should be aware
« Reply #2 on: February 09, 2017, 06:51:03 PM »
I believe that I tried to warn you of this and immediately got poo-pooed.

This story was broken by Steve Gibson at GRC.com about two weeks ago, and I immediately posted a link to his tech video about it in this forum.
If you like the Sick Puppy Custom Sound Pack the please consider contributing for future updates by sending a months dues to Hitech Creations for account "Chalenge." Every little bit helps.

Skuzzy (Support Member, Administrator)
Re: Anti-Virus users should be aware
« Reply #3 on: February 10, 2017, 09:05:37 AM »
Quote from: pembquist
    Oh Joy! So what exactly is a user supposed to do?

Not sure what to tell you here.  I have never run any anti-xxxx software on my computers and have never gotten infected with anything.  Then again, I do not run anything remotely close to the default configuration of Windows.

Occasionally I run into infected WEB sites trying their best to introduce something to my computer, but so far, after all these years, nothing has gotten through yet.

Vulcan
Re: Anti-Virus users should be aware
« Reply #4 on: February 10, 2017, 08:12:57 PM »
Quote from: Skuzzy
    You guys running anti-xxxx software might want to take a gander at this.  Even ESET got an 'F'.

    http://www.zdnet.com/article/google-and-mozillas-message-to-av-and-security-firms-stop-trashing-https/

    Finally makes sense why so many secure connections are getting violated.

Google and Mozilla are morons. If we cannot inspect your https traffic then the virus writers will have you over a barrel with the arm half way up your colon. Neither google nor mozilla are security companies, and have got zero clue how bad things are right now.

Bad guys use https (legit with legit certs and all). If you don't inspect https then you let them in. Simple as that.

We inspect https traffic on the wire to look for bad stuff then re-encrypt. Google nuked custom CAs in Android 7 so Android 7 users are already screwed (I rolled my device back to 6).

Vulcan
Re: Anti-Virus users should be aware
« Reply #5 on: February 10, 2017, 08:15:26 PM »
Quote from: Chalenge
    I believe that I tried to warn you of this and immediately got poo-pooed.

    This story was broken by Steve Gibson at GRC.com about two weeks ago, and I immediately posted a link to his tech video about it in this forum.

He is clueless tbh. It's like taking advice from some guy who wired up his home network to design your corporate/enterprise network.

TequilaChaser (AH Training Corps - Retired)
Re: Anti-Virus users should be aware
« Reply #6 on: February 10, 2017, 11:40:47 PM »
Quote from: Vulcan
    He is clueless tbh. It's like taking advice from some guy who wired up his home network to design your corporate/enterprise network.

WOW, I have even posted links to GRC over the years to this very sub-forum, and in PMs and emails to players, since I have been here, and have used Steve Gibson's advice, among other things he has done/designed/created etc., since before I ever started AH, iirc..... if not before, it was right at about the same time frame, anyway....

that's the first time I have ever seen anyone give Gibson a negative view...

TC
« Last Edit: February 10, 2017, 11:43:46 PM by TequilaChaser »
"When one considers just what they should say to a new pilot who is logging in Aces High, the mind becomes confused in the complex maze of info it is necessary for the new player to know. All of it is important; most of it vital; and all of it just too much for one brain to absorb in 1-2 lessons" TC

Skuzzy (Support Member, Administrator)
Re: Anti-Virus users should be aware
« Reply #7 on: February 11, 2017, 05:55:52 AM »
Quote from: Vulcan
    Google and Mozilla are morons. If we cannot inspect your https traffic then the virus writers will have you over a barrel with the arm half way up your colon. Neither google nor mozilla are security companies, and have got zero clue how bad things are right now.

    Bad guys use https (legit with legit certs and all). If you don't inspect https then you let them in. Simple as that.

    We inspect https traffic on the wire to look for bad stuff then re-encrypt. Google nuked custom CAs in Android 7 so Android 7 users are already screwed (I rolled my device back to 6).

I am not concerned about the inspection as much as I am concerned about those products which downgrade the connection security level.  That's wrong.

Although if I was writing a virus I think I might focus on getting between the decryption and encryption the anti-xxxx product might be doing.

Lusche
Re: Anti-Virus users should be aware
« Reply #8 on: February 11, 2017, 06:36:17 AM »
Quote from: Skuzzy
    Not sure what to tell you here.  I have never run any anti-xxxx software on my computers and have never gotten infected with anything.  Then again, I do not run anything remotely close to the default configuration of Windows.

Admit it - you are browsing the internet with a teletype. Security by antiquity!

Steam: DrKalv
E:D Snailman

Vulcan
Re: Anti-Virus users should be aware
« Reply #9 on: February 11, 2017, 11:58:03 AM »
Quote from: Skuzzy
    I am not concerned about the inspection as much as I am concerned about those products which downgrade the connection security level.  That's wrong.

    Although if I was writing a virus I think I might focus on getting between the decryption and encryption the anti-xxxx product might be doing.

Well, those are exactly the two issues. First, some vendors do a poor job on their protocol support; for ours, we quite often offer better encryption than the browser is doing.

The second issue is that neither Chrome nor Mozilla have perfect products.

For the layman, this is how SSL decrypt works (for appliances like firewalls in a business):
 - At some stage the user installs a trusted root CA on their device. This helps make the SSL decrypt a little more seamless. On iOS and Android devices the user does get a warning, and on desktops you can inspect the cert.
 - The user browses to an HTTPS site; the firewall presents its resigning cert between it and the user. It also establishes a session with the remote HTTPS site.
 - So traffic between the user's browser and the firewall, and between the firewall and the remote HTTPS site, is encrypted.
 - Traffic within the firewall itself is cleartext, so the firewall can inspect for web filtering, applications, viruses, malware and intrusions.

Any bad stuff can be blocked before it hits the client. The virus/malware protection can actually be a lot better than the client software, especially if you're doing cloud based sandboxing.

BUT.... if you listen to what google and chrome want, none of your HTTPS traffic can be inspected. People will say "AHH! But I have desktop AV!" Here's the catch: the HTTPS traffic goes straight to your browser, and if your browser is vulnerable then, bam, you're infected before your desktop AV is able to protect you. This goes for browser plugins like Flash Player etc.; there was even a WebEx URL attack released a couple of weeks ago.

So, no decrypt = you rely entirely on the goodness of google and mozilla to keep their software absolutely perfect (which has never happened, ever) - as well as all those plugins.

Now this applies mostly to business users (or the odd nutcase home user like me).


TC, with regards to GRC, the best I can describe it is that he is giving advice way above his pay grade.
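The resigning step in Vulcan's four-point description, played through end to end as an added example. This is not code from the post, from any forum member, or from any vendor's appliance; it uses only Go's standard library, and the CA names, the host name and the idea that the client has a SubjectPublicKeyInfo pin for the real site obtained out of band are all assumptions made for the demo. It shows why step 1 (installing the root CA) is what makes the browser accept the firewall's certificate, and the one check that still catches the swap: the resigned leaf is signed over the firewall's key, so its SPKI hash cannot match the real server's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T { // demo shortcut: abort on any crypto error
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair and signs tmpl with parent (self-signed if nil).
func newCert(tmpl *x509.Certificate, parent *CA) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	if parent == nil { // a root signs itself
		parent = &CA{Cert: tmpl, Key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key))
	return must(x509.ParseCertificate(der)), key
}

// newRoot makes a self-signed CA; the assumed public CA and the firewall's resigning root are built the same way.
func newRoot(name string) *CA {
	cert, key := newCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
	return &CA{Cert: cert, Key: key}
}

// issueServerCert mints a leaf for host under ca; the firewall does this on the fly from the real cert's host name.
func issueServerCert(ca *CA, host string) *x509.Certificate {
	cert, _ := newCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	return cert
}

// browserAccepts is the browser's check: chain to a trusted root, match the host.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin hashes the leaf's SubjectPublicKeyInfo; the resigned cert carries the firewall's key, not the server's.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

type Outcome struct {
	RealOKPublicRoot, ResignedOKPublicRoot, ResignedOKFirewallRoot, RealPinMatch, ResignedPinMatch bool
}

// RunScenario plays through the steps described in the post for one host name.
func RunScenario(host string) Outcome {
	publicCA := newRoot("Example Public Root CA") // assumed; stands in for a real public CA
	realLeaf := issueServerCert(publicCA, host)
	firewallCA := newRoot("Firewall Inspection Root") // assumed name for the resigning root
	resigned := issueServerCert(firewallCA, realLeaf.DNSNames[0]) // what the firewall presents
	publicOnly := x509.NewCertPool() // device without the firewall root installed
	publicOnly.AddCert(publicCA.Cert)
	withFirewall := x509.NewCertPool() // device after the root CA install in step 1
	withFirewall.AddCert(firewallCA.Cert)
	pinned := spkiPin(realLeaf) // assumed to be learned out of band, before any interception
	return Outcome{
		RealOKPublicRoot:       browserAccepts(realLeaf, publicOnly, host),
		ResignedOKPublicRoot:   browserAccepts(resigned, publicOnly, host),
		ResignedOKFirewallRoot: browserAccepts(resigned, withFirewall, host),
		RealPinMatch:           spkiPin(realLeaf) == pinned,
		ResignedPinMatch:       spkiPin(resigned) == pinned,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("www.example.com"))
}
```

Running it prints the outcome struct: the resigned certificate is rejected until the firewall root is trusted, accepted afterwards, and rejected by the pin in both cases. Inspecting the certificate on a desktop, as the post suggests, would show the issuer as the firewall root's name rather than the public CA's; without a pin, that issuer name is the only visible sign that the session is being inspected.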