What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains? Topic is solved

Users and developers helping users with generic and technical Pale Moon issues on all operating systems.

Moderator: trava90

moon convert

What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-05-24, 04:11

I've had a problem for a while connecting securely to certain Google sites. Specifically, Google Docs, Google Slides, and Google Forms. I've attached a screenshot of the warning I get from the browser, showing technical details. I was recently able to do some troubleshooting, and I think the problem is my antivirus. I'm running Kaspersky Internet Security 17. I get the same warning whether I'm running the browser with my typical profile, in safe mode, or with a clean profile. My workhorse OS is Windows 7 Home Premium 64-bit. I have a small partition on my hard drive with Linux Mint 18.1 XFCE installed. I have no problems connecting securely in my Linux partition, and I'm using roughly the same browser settings and add-ons in both operating systems. Considering all of this together, by process of elimination, I'm pretty sure my antivirus is causing the problem in Windows. This agrees with a few other forum posts related to similar issues. None of the posts I found seemed to describe what to do if the antivirus is indeed the problem. Is there a safe way to solve this problem in Windows? Interestingly, I don't have the connection issue with Firefox, although in Firefox all the sites that I've mentioned, Docs, Slides, and Forms, run painfully slow.
Main system info:
Operating system: Windows 7 Home Premium 64-bit
Browser version: 27.3.0 32 bit
Problem URL: https://docs.google.com/
Theme: XMoon 1.5.1
Installed add-ons:
Name Version Enabled ID
BetterPrivacy 1.68.1-signed true {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
checkCompatibility 1.3.1-signed.1-signed true check-compatibility@dactyl.googlecode.com
CipherFox 3.12.0 true cipherfox@mkfly
Cite This! 0.20.1-signed.1-signed true citethis@angelforge.org
Encrypted Web 5.1.5 true {4bf973fe-f2b7-43e1-b2ca-52f9c6f6fddf}
Extended Statusbar 2.0.5 true {daf44bf7-a45e-4450-979c-91cf07434c3d}
Find Button 1.0.4.1-signed.1-signed true findbutton@fbdev.x10.bz
Greasemonkey 1.15.1-signed true {e4a8a97b-f2ed-450b-b12d-ee082ba24781}
KESI Reader 2.2 true {0B37872F-D59F-4b47-B2FD-F37E3F979437}
Menu Icons Plus 3.2.1-signed.1-signed true menuiconsplus@codedawn.com
Menu Wizard 5.08 true s3menu@wizard
Metal Lion Australis Scrollbars II 2.0.1.5 true {FDBAD97E-A258-4fe3-9CF6-60CF386C4422}
Nuance PDF Convert 1 true nuance@pdf8
Pale Moon Commander 1.7.3 true commander@palemoon.org
Persona Switcher 2.0.4.1-signed.1-signed true drsjb80@gmail.com
Restart 3.0.2 true Restart@schuzak.jp
Search Site 7.0 true searchsite@DW-dev
Theme Font & Size Changer 53.0 true {f69e22c7-bc50-414a-9269-0f5c344cd94c}
uBlock Origin 1.12.4 true uBlock0@raymondhill.net
URL Tooltip 1.3 true url-tooltip@timothytate.net
uMatrix 0.9.3.6 false uMatrix@raymondhill.net
Installed plugins:
Nuance PDF
Nuance PDF Plugin
Dragon NaturallySpeaking Plugin
Dragon NaturallySpeaking HTML Component
VLC Web Plugin
VLC media player Web Plugin
Google Update
Microsoft Office 2010
Silverlight Plug-In
Java(TM) Platform SE 8 U131
Java Deployment Toolkit 8.0.1310.11
CANON iMAGE GATEWAY Album Plugin Utility for IJ
CANON iMAGE GATEWAY Album Plugin Utility Module for IJ
Shockwave for Director
Adobe Shockwave for Director Netscape plug-in, version 12.2.8.198
Shockwave Flash 25.0 r0

Auxiliary system info
Operating system: Linux Mint 18.1 Serena 64-bit
Browser version: 27.3.0 64 bit
Problem URL: no problems
Theme: XMoon 1.5.1
Attachments
Connection warning.jpg

Pallid Planetoid

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by Pallid Planetoid » 2017-05-24, 04:44

Try clearing your google cookies.
STEP 1:
Click where circled and then "More information..." button
STEP 2:
Click "View Cookies" button
STEP 3:
Select all the listed "google" cookies and click "Remove Cookies" button
You could also try flushing your DNS cache (a computer reboot will accomplish this, or alternatively you can take the steps below).

Here is how to fix possibly corrupted DNS cache.
1. Click the Microsoft Start logo in the bottom left corner of the screen
2. Click All Programs
3. Click Accessories
4. RIGHT-click on Command Prompt
5. Select "Run As Administrator"
6. In the command window type the following and then hit enter: ipconfig /flushdns
7. You will see the following confirmation: "Windows IP Configuration Successfully flushed the DNS Resolver Cache."
Current Pale Moon(x86) Release | WIN10 | I5 CPU, 1.7 GHz, 6GB RAM, 500GB HD[20GB SSD]
Formerly user Pale Moon Rising - to provide context involving embedded reply threads.
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
Knowing Pale Moon is indisputably #1 is defined by knowing the totality of browsers. - Pale Moon Rising

coffeebreak

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by coffeebreak » 2017-05-24, 09:40

moon convert wrote:I was recently able to do some troubleshooting, and I think the problem is my antivirus.

If you use "https filtering" in your antivirus, you should turn that off.
See this post https://forum.palemoon.org/viewtopic.php?f=15&t=15620#p113191

For why, see https://forum.palemoon.org/viewtopic.php?f=24&t=14122

moon convert

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-05-25, 00:33

Thank you! The two posts you linked to about "https filtering" were really helpful. I feel much better understanding the “why” behind the recommendation. I did some googling and adjusted a setting in Kaspersky. The problem seems to be solved now. The setting was pretty well buried, and tinkering with the firewall is definitely out of my comfort zone. Could someone please confirm that I did this the correct way? Settings-> Protection-> Firewall-> Configure Application Rules-> Moonchild Productions-> [from the drop-down menu] Palemoon Web Browser [double-clicked the menu entry to open a dialogue box] -> Exclusions. Changed the drop-down menu in the screenshot from “don’t scan all traffic” to “don’t scan encrypted traffic,” then checked the checkbox and confirmed the change. The screenshot shows the last step. Does everything look and seem right?
Attachments
Antivirus setting change.jpg

Moonchild

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by Moonchild » 2017-05-25, 10:42

What you should do is switch this off globally in Kaspersky, not just for one application.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

moon convert

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-05-27, 02:43

Okay. I found the global override option for encrypted traffic scanning. When I tried to disable it, I got a rather unsettling warning message about how this would cripple many of Kaspersky's features. Then, I decided to do some research. I read several forum threads and one security white paper. As I'm currently seeing the issue, there's a huge privacy problem, because a third-party software, the antivirus, is effectively decrypting everything.
On the other hand, the I.S./antivirus actually takes over the function of detecting malicious sites, bad connections, and man-in-the-middle attacks, from the browser. So, it's not that you're not protected from these things, it's just that your antivirus is doing the protection. This has the unfortunate effect of blinding the browser to the problem, but in that case, the antivirus should warn you and block the connection, right?
Of course, if there's an exploitable vulnerability in your antivirus, that undermines everything, but I'm not sure how this is different from, or more likely than, an exploitable vulnerability in the browser. Is it because browsers are updated and patched more frequently?
There's also of course the possibility that the antivirus itself is doing something nefarious, like sending all your information to the KGB. But this seems a bit paranoid.
Additionally, browsers have mechanisms for reporting bad and malicious connections back to the user. iTunes and lots of other applications connect to the Internet, and I'm considerably less certain of their connection checking and issue reporting mechanisms.
Based on the linked posts, and my additional reading, here's what I'm thinking of doing. I'll certainly leave encrypted connections scanning disabled for Pale Moon, which I trust completely. Also, based on the privacy issue, I'm going to disable it for Kleopatra/Gpg4win, and possibly my Firefox. On the other hand, for something like Internet Explorer, that I would permanently remove if doing so didn't break Windows updates, or for other web facing applications, I think it probably makes sense to let Kaspersky do the guarding. The majority opinion on the malwaretips forum also seems to be in favor of leaving it globally enabled and making application-specific exceptions. Have I missed something crucial?

Moonchild

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by Moonchild » 2017-05-27, 19:11

moon convert wrote:Have I missed something crucial?
Yes, you have:
  1. Considering it will not intercept connections that don't specifically proxy through Kaspersky's software, you're likely not getting any protection from malware that connects out. A built-in firewall may also not stop this if the HTTP back-end of Windows itself is leveraged by the malware. IE may be proxied, but the HTTP client can still be told to connect without proxy.
  2. Protection offered by Kaspersky will be based on (never fully current) lists of malicious domains. So you are exchanging your own verification with a blind trust in an automated system that by its very nature will never be able to catch everything. It's the 0-day problem you're facing.
  3. By leaving it enabled globally, any background connections that require secure channels will become vulnerable. Think, for example, of downloading updates for software or the O.S. You are trusting what needs to be a direct connection to software vendors to a black box that won't tell you if the connection is secure or not. I'd hate to see your OS get hijacked by ransomware because Windows Updates happily installed an illegitimate update because it thought it was connecting to Microsoft servers. Yes, this is a very real threat if your immediate upstream gets compromised or your local traffic re-routed. Even more so in the case of roaming wifi hotspots with a laptop, for example. (Also the reason why I always recommend to people to switch off any and all software updates if they are going to travel and use potentially untrusted networks.)
  4. Often, SSL/TLS capabilities of antivirus/internet security intercepting software are less than what client software uses. There's already been another thread on this forum where an overview of the security of outbound (IS to server) connections was posted, displaying some absolutely terrible levels of security and encryption.
  5. By allowing the IS to MitM you, your connection to any site becomes dependent on the scrutiny of the black box, and if the box has a problem for whatever reason, you go down with it; i.e. you'll be relying on a single point of failure for all your network connectivity.

moon convert

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-05-28, 00:13

Thanks for taking the time to explain further. I'll adjust the global setting now. Could you post a link to the thread you mentioned?
Moonchild wrote: There's already been another thread on this forum where an overview of the security of outbound (IS to server) connections was posted, displaying some absolutely terrible levels of security and encryption.
I did a quick search, but I don't think I found the thread you were referring to, and I feel like I should probably read it. I try to be an informed technology user, but it's starting to feel like a little bit of a vortex. For instance, I've only been thinking about this thread for a little while, and it's already spawned at least five questions, that I never would've thought to consider a few days ago.


Moonchild

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by Moonchild » 2017-05-28, 17:50

I was referring to viewtopic.php?f=26&t=14725

moon convert

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-05-29, 02:06

Thanks guys! The thread you both linked to was extremely helpful. Durumeric et al., 2017, was much more scientifically rigorous than the paper I found before. My background is in the biological sciences, so I'm not sure I understood the more technical aspects, but if I'm reading the paper correctly, I'm at a minimum, 12% safer thanks to your advice. Thanks!

Lux_Inlumino

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by Lux_Inlumino » 2017-08-22, 22:45

Hi

I'm having the same issue. I've read the thread and am hoping for a clear step by step on how to make this work. I too have Kaspersky and Pale Moon and can't connect to Google Docs and I need to for class. I'm not as tech savvy as y'all seem to be, but I'm hoping one of you can tell me how to turn off the filtering thing... but not the global one since someone here explained why not.

Thanks!

moon convert

Re: What should I do about my antivirus preventing palemoon from connecting securely to specific Google subdomains?

Unread post by moon convert » 2017-08-24, 01:25

Hi there. The global overwrite is actually the safest option. I'm not sure which post you're referring to.
Lux_Inlumino wrote:but not the global one since someone here explained why not.
If it's my post that begins
moon convert wrote: I found the global override option for encrypted traffic scanning. When I tried to disable it, I got a rather unsettling warning message about how this would cripple many of kaspersky's features.
I apologize for the confusion. My line of reasoning in that particular post was based on some bad info from the malwaretips forum. Moonchild points out my mistake in the next post. The encrypted connection scanning issue is a bit confusing, and I didn't feel like I really had my head wrapped around it until I read the threads others have linked to here, and this academic paper.
https://www.internetsociety.org/sites/default/files/ndss2017_04A-4_Durumeric_paper.pdf
In basic terms, my current understanding is that, in the service of trying to protect you from malware, Kaspersky decrypts everything and goes through it. After it's done going through things, it encrypts the data again. At the time the paper came out, Kaspersky wasn't doing a good job of re-securing the data. So you're safer if Kaspersky doesn't do this in the first place. I've attached a PDF showing step-by-step where you have to click to make the change. I have been running Kaspersky without encrypted connection scanning for a while now, and have had no problems. I'm certainly still learning, so if I've misrepresented something, feel free to correct me.
Attachments
kaspersky adjustment.pdf
(1.06 MiB) Downloaded 32 times
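
Added example, not part of any post in this thread: when HTTPS scanning decrypts and re-encrypts traffic as described above, the certificate the client receives is issued by the scanning product instead of the site's real CA, so checking the issuer shows whether the setting change took effect. The marker list, the reference-issuer input and the sample certificates below are constructed assumptions; only the vendor name comes from the thread.

```python
import socket
import ssl

# Vendor marker taken from this thread; extend it with the products you run.
INTERCEPTOR_MARKERS = ("kaspersky",)

def issuer_fields(peercert):
    """Flatten the nested 'issuer' tuple of ssl.getpeercert() into a dict."""
    return {key: value for rdn in peercert.get("issuer", ()) for key, value in rdn}

def fetch_peercert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as this machine sees it (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess(peercert, reference_issuer_cn=None):
    """Classify a connection from the issuer of its leaf certificate.

    reference_issuer_cn is the issuer commonName recorded for the same host on a
    machine without HTTPS scanning (hypothetical input that you supply).
    """
    issuer = issuer_fields(peercert)
    text = " ".join(issuer.values()).lower()
    for marker in INTERCEPTOR_MARKERS:
        if marker in text:
            return "intercepted", f"issuer names '{marker}'"
    cn = issuer.get("commonName", "")
    # A differing issuer is a prompt to look closer, not proof: large sites
    # rotate between several legitimate intermediate CAs.
    if reference_issuer_cn and cn != reference_issuer_cn:
        return "issuer-changed", f"issuer '{cn}' differs from reference '{reference_issuer_cn}'"
    return "direct", f"issuer '{cn}'"

# Constructed samples in the shape ssl.getpeercert() returns (not real certificates).
SAMPLE_DIRECT = {"issuer": ((("countryName", "US"),),
                            (("organizationName", "Constructed Public CA Inc"),),
                            (("commonName", "Constructed Public CA G1"),))}
SAMPLE_FILTERED = {"issuer": ((("organizationName", "Kaspersky (constructed sample)"),),
                              (("commonName", "Constructed AV Personal Root"),))}

if __name__ == "__main__":
    for name, cert in (("direct", SAMPLE_DIRECT), ("filtered", SAMPLE_FILTERED)):
        print(name, assess(cert, reference_issuer_cn="Constructed Public CA G1"))
```

For a live check, pass `fetch_peercert("docs.google.com")` to `assess()` before and after changing the scanning setting.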
