Why do you recommend not using HTTPS/TLS filtering?

[Cavehomme]

Moderator note: split off, in response to FAQ entry, https://forum.palemoon.org/viewtopic.php?f=24&t=14122

Great article. Can you please point us in the direction of learning which current antivirus / internet security products do and don't use https/tls filtering? From my experience I know that Kasperky does, and it is very overt and caused problems with my banking site. I'd like to know about which others do it too. Thanks and keep up the great work on this superb browser - goodbye Mozilla and Firefox, hello Pale Moon...perhaps it will become Bright Sun one day!?

[dark_moon]

Here a overview:

(Source: http://t3n.de/news/antivirus-https-verb ... -broken_2/)

I dont know if the table is correct but all AVs on the list manipulate your TLS.

[Falna]

I dont know if the table is correct but all AVs on the list manipulate your TLS.

...I've no reason to doubt the table as an overview, but as a long-term user of ESET I can advise that their filtering is optional, and the default is no filtering. So maybe that applies to other products in the list too.

[Falna]

Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al

• https://jhalderm.com/pub/papers/interception-ndss17.pdf

And on a similar topic: Killed by Proxy: Analyzing Client-end TLS Interception Software, X. de Carné de Carnavalet and M. Mannan

• https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf

[Moonchild]

The table gives a very good indication of what I stated in my FAQ. The connection between the interceptor (IS) and the target server (meaning between you computer and the server, over the Internet) is severely degraded and/or vulnerable. The browser does a much better job, security wise, than any of these products, and is completely shielded from noticing these bad connections. So it confirms, without a doubt, that you cannot and should not use HTTPS/TLS filtering in any of these products.

[hackerman1]

Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al

• https://jhalderm.com/pub/papers/interception-ndss17.pdf

Dead link.
I did a search but could not find the document anywhere, it seems to have disappeared from the web...
I finally managed to find it by using Internet Archive Wayback Machine:
https://web.archive.org/web/20170213173512/https://jhalderm.com/pub/papers/interception-ndss17.pdf

[Moonchild]

it seems to have disappeared from the web...

Hmm.. censored because the combined AV producers don't want it floating about?

For safekeeping, since archive.org can be asked to remove things from its archives as well: here is it, attached to this post.

[hackerman1]

it seems to have disappeared from the web...

Hmm.. censored because the combined AV producers don't want it floating about?

Exactly what i was thinking...
Sensitive subject...?
The document has disappeared from two (2) of the authors own homepages...
Although it can still be viewed, but not downloaded, on one of them: https://crypto.dance/projects/6356834

And the problem with SSL-filtering is nothing new, i read about it years ago.

[Moonchild]

Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.

[hackerman1]

Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.

[back2themoon]

I think this is relevant: HTTPS interception: What Emsisoft customers need to know

[Moonchild]

I think this is relevant: HTTPS interception: What Emsisoft customers need to know

It is. Because basically they are saying that they don't do this. Instead, they make sure bad host names don't resolve - with the end result that you can't visit those URLs either. So, let's hope the others follow in stopping these bad practices.

[Fedor2]

How one can check for his https not being filtered? I mean not only pc itself, but other network hardware routers, isp etc. For example i can install https filter on the gateway, can it be detected by users for sure?

[Moonchild]

How one can check for his https not being filtered? I mean not only pc itself, but other network hardware routers, isp etc. For example i can install https filter on the gateway, can it be detected by users for sure?

Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack). You can't have "transparent" HTTPS filtering; that's one of the reasons the "S" means "Secure". An ISP, router, gateway, etc. trying to do this will not be trusted by the browser.

And you can check for HTTPS filtering by examining the certificate chain. Invariably, these kinds of filters will need to have a certificate that covers all domains (a super-wildcard certificate) so if you see a certificate like that identifying the website you are visiting (as opposed to a certificate specifically naming domains) then you know your connection is being filtered.

[joe04]

Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack).

Thanks for uploading the PDF of this substantive paper. Regarding Pale Moon detection of MITM, are you referring to the use of NSS, as described on page 3 of the paper?

Firefox was the most consistent of the four
browsers, and by default, each version produces a nearly
identical Client Hello message regardless of operating system
and platform. ...Mozilla maintains its own TLS implementation,
Mozilla Network Security Services (NSS) [42]. NSS specifies
extensions in a different order than the other TLS libraries
we tested, which allows it to be easily distinguished from
other implementations. The library is unlikely to be directly
integrated into proxies because it is seldom used in server-side
applications.

And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard. And coincidentally, I see that Moonchild ported one of his patches today.)

[back2themoon]

And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.

Must be one of the worst pieces of advice I've heard in quite a while.

[dark_moon]

And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.

Must be one of the worst pieces of advice I've heard in quite a while.

In fact this is the best advice. Only Microsoft know how Windows realy works, so they can make the best extra protection (in this case the AV).
Microsoft AV doesnt breake your SSL/ TLS security nor include ads, nor does other creepy stuff.
For Win8 and higher the internal Windows Defender is the best recommendation. For Win7 it is Microsoft Security Essentials.
(In Win8 and higher Security Essentials is part of Windows Defender)

[back2themoon]

In fact this is the best advice. Only Microsoft know how Windows realy works, so they can make the best extra protection (in this case the AV).

In that case, we should also use Notepad instead of any other text editor, Windows Media player, IE/Edge (why Pale Moon? Microsoft knows how Windows works best), Paint and the list goes on.

The main (only?) argumentation here is that some A/V's interfere with Firefox's auto-updates. Turning that minor issue into "ALL A/V's are problematic and MS knows best" is ridiculous and as far as security is concerned (the truly important part) Defender is a sub-standard solution. It has been proven and everybody knows it. Adequate for some, sure. Improved over the years? Sure. Better that everything else? Delusional and suspiciously misleading.

Oh, and Defender has caused me (and many others) more trouble with 3rd-party programs (Pale Moon too, at some point) than any other A/V software.

[back2themoon]

About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).

[Moonchild]

About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).

If that's your argument, then I really hope you're not using any product from Symantec, Norton, PCTools, or AVG who don't do anything but "acquire and exploit" of 3rd party software, often without having any means to even maintain it let alone bugfix it.