I am not concerned about the inspection as much as I am concerned about those products which downgrade the connection security level. That's wrong.
Although if I was writing a virus I think I might focus on getting between the decryption and encryption the anti-xxxx product might be doing.
Well, those are exactly the two issues. First, some vendors do a poor job on their protocol support; for ours, we quite often offer better encryption than the browser is doing.
The second issue is that neither Chrome nor Mozilla have perfect products.
For the laymen this is how SSL decrypt works (for appliances like firewalls in a business):
- At some stage the user installs a trusted root CA on their device. This helps make the SSL decrypt a little more seamless. On iOS and Android devices the user does get a warning, and on desktops you can inspect the cert.
- The user browses to an HTTPS site, and the firewall presents its re-signing cert between it and the user. It also establishes a session with the remote HTTPS site.
- So traffic between the user's browser and the firewall, and from the firewall to the remote HTTPS site, is encrypted.
- Traffic within the firewall itself is cleartext, so the firewall can inspect for web filtering, applications, viruses, malware and intrusions.
Any bad stuff can be blocked before it hits the client. The virus/malware protection can actually be a lot better than the client software, especially if you're doing cloud based sandboxing.
BUT.... if you listen to what Google and Chrome want, none of your HTTPS traffic can be inspected. People will say AHH! But I have desktop AV! Here's the catch: the HTTPS traffic goes straight to your browser, and if your browser is vulnerable then bam, you're infected before your desktop AV is able to protect you. This goes for browser plugins like Flash Player etc.; there was even a WebEx URL attack released a couple of weeks ago.
So, no decrypt = you rely entirely on the goodness of Google and Mozilla to keep their software absolutely perfect (which has never happened, ever) - as well as all those plugins.
Now this applies mostly to business users (or the odd nutcase home user like me).
TC, with regards to GRC, best I can describe it, he is giving advice way above his pay grade.
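
The downgrade concern raised at the top of the thread can be checked by comparing the two encrypted legs described in the steps above. The following is an added example, not part of the original posts and not any vendor's code: `audit_legs` and the sample leg values are constructed for illustration, with each leg shaped like the output of Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()`, and it assumes the browser-to-firewall leg reflects what the browser is able to negotiate.

```python
# Added example: compare the two TLS legs of an inspecting firewall.
# A leg is (version, cipher_name, secret_bits), the shape reported by
# ssl.SSLSocket.version() and ssl.SSLSocket.cipher(). Sample legs are constructed.

PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2,
                 "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def forward_secret(version, cipher_name):
    # TLS 1.3 suites always use ephemeral key exchange; older OpenSSL
    # suite names state it explicitly with an ECDHE-/DHE- prefix.
    return version == "TLSv1.3" or cipher_name.startswith(("ECDHE-", "DHE-"))


def aead(cipher_name):
    # Authenticated-encryption suites carry one of these tags in their name.
    return any(tag in cipher_name for tag in ("GCM", "CHACHA20", "CCM"))


def audit_legs(client_leg, upstream_leg):
    """List the ways the firewall-to-site leg is weaker than the
    browser-to-firewall leg. An empty list means no downgrade was found."""
    c_ver, c_cipher, c_bits = client_leg
    u_ver, u_cipher, u_bits = upstream_leg
    findings = []
    if PROTOCOL_RANK[u_ver] < PROTOCOL_RANK[c_ver]:
        findings.append(f"protocol downgraded: {c_ver} -> {u_ver}")
    if forward_secret(c_ver, c_cipher) and not forward_secret(u_ver, u_cipher):
        findings.append(f"forward secrecy lost upstream: {u_cipher}")
    if aead(c_cipher) and not aead(u_cipher):
        findings.append(f"AEAD cipher replaced by non-AEAD: {u_cipher}")
    if u_bits < c_bits:
        findings.append(f"key strength reduced: {c_bits} -> {u_bits} bits")
    return findings


# Constructed sample legs (not captured from any product).
BROWSER_TO_FIREWALL = ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256)
WEAK_UPSTREAM = ("TLSv1", "AES128-SHA", 128)
GOOD_UPSTREAM = ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256)

if __name__ == "__main__":
    for name, leg in (("weak", WEAK_UPSTREAM), ("good", GOOD_UPSTREAM)):
        print(name, audit_legs(BROWSER_TO_FIREWALL, leg) or "no downgrade")
```

An upstream leg that is stronger than the browser's leg, the case the second poster describes for their own product, produces no findings.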