Why do you recommend not using HTTPS/TLS filtering?

Cavehomme
Newbie
Posts: 4
Joined: 2015-02-10, 08:40
Location: Europe

Why do you recommend not using HTTPS/TLS filtering?

Post by Cavehomme » 2017-02-09, 14:23

Moderator note: split off, in response to FAQ entry, viewtopic.php?f=24&t=14122

Great article. Can you please point us in the direction of learning which current antivirus / internet security products do and don't use https/tls filtering? From my experience I know that Kaspersky does, and it is very overt and caused problems with my banking site. I'd like to know about which others do it too. Thanks and keep up the great work on this superb browser - goodbye Mozilla and Firefox, hello Pale Moon...perhaps it will become Bright Sun one day!? :D

dark_moon

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by dark_moon » 2017-02-09, 21:05

Here is an overview:
Image
(Source: http://t3n.de/news/antivirus-https-verb ... -broken_2/)

I don't know if the table is correct, but all AVs on the list manipulate your TLS.

Falna
Lunatic
Posts: 352
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Falna » 2017-02-09, 21:56

dark_moon wrote: I don't know if the table is correct but all AVs on the list manipulate your TLS.
...I've no reason to doubt the table as an overview, but as a long-term user of ESET I can advise that their filtering is optional, and the default is no filtering. So maybe that applies to other products in the list too.
Last edited by Falna on 2017-02-09, 22:15, edited 1 time in total.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Falna » 2017-02-09, 22:10

Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al.
And on a similar topic: Killed by Proxy: Analyzing Client-end TLS Interception Software, X. de Carné de Carnavalet and M. Mannan

Moonchild
Pale Moon guru
Posts: 25041
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-16, 21:35

The table gives a very good indication of what I stated in my FAQ. The connection between the interceptor (IS) and the target server (meaning between your computer and the server, over the Internet) is severely degraded and/or vulnerable. The browser does a much better job, security-wise, than any of these products, and is completely shielded from noticing these bad connections. So it confirms, without a doubt, that you cannot and should not use HTTPS/TLS filtering in any of these products.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

hackerman1
Lunatic
Posts: 378
Joined: 2013-12-19, 15:12
Location: Sweden

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by hackerman1 » 2017-02-17, 13:47

Falna wrote:Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al
Dead link.
I did a search but could not find the document anywhere, it seems to have disappeared from the web...
I finally managed to find it by using Internet Archive Wayback Machine:
https://web.archive.org/web/20170213173512/https://jhalderm.com/pub/papers/interception-ndss17.pdf
Administrator on Windows Server to Workstation
Moderator (and "undercover" Admin) on The Windows Club Forum

Security: EAM, Comodo Firewall and HIPS, WinPatrol+, HOSTS-file, UAC (max), Sandboxie, NoScript and ADBlock.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-17, 14:23

hackerman1 wrote:it seems to have disappeared from the web...
Hmm.. censored because the combined AV producers don't want it floating about?

For safekeeping, since archive.org can be asked to remove things from its archives as well: here it is, attached to this post.
Attachment: interception-ndss17.pdf (321.69 KiB)

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by hackerman1 » 2017-02-17, 15:10

Moonchild wrote:
hackerman1 wrote:it seems to have disappeared from the web...
Hmm.. censored because the combined AV producers don't want it floating about?
Exactly what I was thinking... ;)
Sensitive subject...?
The document has disappeared from two (2) of the authors' own homepages...
Although it can still be viewed, but not downloaded, on one of them: https://crypto.dance/projects/6356834

And the problem with SSL-filtering is nothing new, I read about it years ago.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-17, 19:41

Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by hackerman1 » 2017-02-17, 21:15

Moonchild wrote:Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.
:D :D :D :D :D

back2themoon
Board Warrior
Posts: 1510
Joined: 2012-08-19, 20:32

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by back2themoon » 2017-02-18, 00:35

Safe Mode / clean profile info: Help/Restart in Safe Mode
Information to include when asking for support - How to apply user agent overrides
How to download videos

Windows 10 Pro • Pale Moon x64 • Interlink x86 • Emsisoft Anti-Malware

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-18, 09:39

back2themoon wrote:I think this is relevant: HTTPS interception: What Emsisoft customers need to know
It is. Because basically they are saying that they don't do this. Instead, they make sure bad host names don't resolve - with the end result that you can't visit those URLs either. So, let's hope the others follow in stopping these bad practices.

Fedor2
Astronaut
Posts: 669
Joined: 2016-04-11, 01:26

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Fedor2 » 2017-02-21, 15:00

How can one check that his HTTPS is not being filtered? I mean not only the PC itself, but other network hardware: routers, ISP, etc. For example, I can install an HTTPS filter on the gateway; can it be detected by users for sure?

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-21, 21:18

Fedor2 wrote: How can one check that his HTTPS is not being filtered? I mean not only the PC itself, but other network hardware: routers, ISP, etc. For example, I can install an HTTPS filter on the gateway; can it be detected by users for sure?
Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack). You can't have "transparent" HTTPS filtering; that's one of the reasons the "S" means "Secure". An ISP, router, gateway, etc. trying to do this will not be trusted by the browser.

And you can check for HTTPS filtering by examining the certificate chain. Invariably, these kinds of filters will need to have a certificate that covers all domains (a super-wildcard certificate) so if you see a certificate like that identifying the website you are visiting (as opposed to a certificate specifically naming domains) then you know your connection is being filtered.
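
The certificate check described in the post above, as an added example that is not part of the original thread: it inspects a certificate in the form Python's `ssl` module returns and reports catch-all names. It goes beyond the post by also comparing the issuer with one noted earlier on a connection known to be unfiltered, because a filter that mints a separate certificate per site shows up only in the issuer. All certificate data and issuer names below are constructed.

```python
import socket
import ssl

def dn_values(dn, key):
    """Values of one attribute from a getpeercert()-style distinguished name."""
    return [v for rdn in dn for k, v in rdn if k == key]

def is_catch_all(name):
    """True for wildcards spanning everything or a whole TLD ('*', '*.com').
    Multi-label public suffixes such as '*.co.uk' are not recognised here."""
    return name.startswith("*") and "." not in name[1:].lstrip(".")

def interception_signs(cert, expected_issuer_orgs):
    """List reasons to suspect the certificate was minted by a TLS filter."""
    signs = []
    for kind, name in cert.get("subjectAltName", ()):
        if kind == "DNS" and is_catch_all(name):
            signs.append("catch-all name: " + name)
    issuer = cert.get("issuer", ())
    orgs = dn_values(issuer, "organizationName")
    if not set(orgs) & set(expected_issuer_orgs):
        shown = orgs or dn_values(issuer, "commonName")
        signs.append("unexpected issuer: " + ", ".join(shown))
    return signs

def fetch_cert(host, port=443, timeout=5):
    """Leaf certificate of a live connection. An interceptor whose root is not
    in the local trust store makes this raise ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape getpeercert() returns (all names hypothetical).
GENUINE = {
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}
CATCH_ALL = {  # the "covers all domains" certificate described in the post
    "issuer": ((("commonName", "Example Filter Root"),),),
    "subjectAltName": (("DNS", "*"),),
}
PER_SITE = {  # filter that mints one certificate per site from its own root
    "issuer": ((("organizationName", "Example AV Vendor"),),),
    "subjectAltName": (("DNS", "bank.example"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("catch-all", CATCH_ALL), ("per-site", PER_SITE)):
        print(label, interception_signs(cert, {"Example Public CA"}))
```

For a live check, pass the result of `fetch_cert(host)` to `interception_signs` together with the issuer organisation recorded for that host on an unfiltered connection.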

joe04
Lunatic
Posts: 259
Joined: 2015-09-28, 16:38
Location: US

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by joe04 » 2017-02-25, 02:27

Moonchild wrote:Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack).
Thanks for uploading the PDF of this substantive paper. Regarding Pale Moon detection of MITM, are you referring to the use of NSS, as described on page 3 of the paper?
Firefox was the most consistent of the four browsers, and by default, each version produces a nearly identical Client Hello message regardless of operating system and platform. ...Mozilla maintains its own TLS implementation, Mozilla Network Security Services (NSS) [42]. NSS specifies extensions in a different order than the other TLS libraries we tested, which allows it to be easily distinguished from other implementations. The library is unlikely to be directly integrated into proxies because it is seldom used in server-side applications.
And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard. And coincidentally, I see that Moonchild ported one of his patches today.)

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by back2themoon » 2017-02-25, 08:59

joe04 wrote:And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.
Must be one of the worst pieces of advice I've heard in quite a while.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by dark_moon » 2017-02-25, 10:06

back2themoon wrote:
joe04 wrote:And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.
Must be one of the worst pieces of advice I've heard in quite a while.
In fact this is the best advice. Only Microsoft know how Windows really works, so they can make the best extra protection (in this case the AV).
Microsoft AV doesn't break your SSL/TLS security nor include ads, nor does other creepy stuff.
For Win8 and higher the internal Windows Defender is the best recommendation. For Win7 it is Microsoft Security Essentials.
(In Win8 and higher Security Essentials is part of Windows Defender)

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by back2themoon » 2017-02-25, 10:33

dark_moon wrote: In fact this is the best advice. Only Microsoft know how Windows really works, so they can make the best extra protection (in this case the AV).
In that case, we should also use Notepad instead of any other text editor, Windows Media player, IE/Edge (why Pale Moon? Microsoft knows how Windows works best), Paint and the list goes on.

The main (only?) argumentation here is that some A/V's interfere with Firefox's auto-updates. Turning that minor issue into "ALL A/V's are problematic and MS knows best" is ridiculous and as far as security is concerned (the truly important part) Defender is a sub-standard solution. It has been proven and everybody knows it. Adequate for some, sure. Improved over the years? Sure. Better than everything else? Delusional and suspiciously misleading.

Oh, and Defender has caused me (and many others) more trouble with 3rd-party programs (Pale Moon too, at some point) than any other A/V software.

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by back2themoon » 2017-02-25, 11:28

About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).

Re: Why do you recommend not using HTTPS/TLS filtering?

Post by Moonchild » 2017-02-25, 14:03

back2themoon wrote:About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).
If that's your argument, then I really hope you're not using any product from Symantec, Norton, PCTools, or AVG who don't do anything but "acquire and exploit" of 3rd party software, often without having any means to even maintain it let alone bugfix it.