Why do you recommend not using HTTPS/TLS filtering?

Cavehomme

Unread post by Cavehomme » 2017-02-09, 14:23

Moderator note: split off, in response to FAQ entry, viewtopic.php?f=24&t=14122

Great article. Can you please point us in the direction of learning which current antivirus / internet security products do and don't use https/tls filtering? From my experience I know that Kaspersky does, and it is very overt and caused problems with my banking site. I'd like to know about which others do it too. Thanks and keep up the great work on this superb browser - goodbye Mozilla and Firefox, hello Pale Moon...perhaps it will become Bright Sun one day!? :D

dark_moon

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by dark_moon » 2017-02-09, 21:05

Here is an overview:
[Image: overview table]
(Source: http://t3n.de/news/antivirus-https-verb ... -broken_2/)

I don't know if the table is correct but all AVs on the list manipulate your TLS.

Falna
Astronaut
Posts: 511
Joined: 2015-08-23, 17:56
Location: UK / France

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Falna » 2017-02-09, 21:56

dark_moon wrote: I don't know if the table is correct but all AVs on the list manipulate your TLS.
...I've no reason to doubt the table as an overview, but as a long-term user of ESET I can advise that their filtering is optional, and the default is no filtering. So maybe that applies to other products in the list too.
Last edited by Falna on 2017-02-09, 22:15, edited 1 time in total.

Forked extensions :
● Add-ons Inspector ● Auto Text Link ● Copy As Plain Text ● Copy Hyperlink Text ● FireFTP button replacement ● gSearch Bar ● Navigation Bar Enhancer ● New Tab Links ● Number Tabs ● Print Preview Button and Keyboard Shortcut 2 ● Scrollbar Search Marker ● Simple Marker ● Tabs To Portfolio ● Update Alert ● Web Developer's Toolbox ● Zap Anything

Hint: If you expect a reply to your PM, allow replies...

Falna

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Falna » 2017-02-09, 22:10

Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al.
And on a similar topic: Killed by Proxy: Analyzing Client-end TLS Interception Software, X. de Carné de Carnavalet and M. Mannan


Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-16, 21:35

The table gives a very good indication of what I stated in my FAQ. The connection between the interceptor (IS) and the target server (meaning between your computer and the server, over the Internet) is severely degraded and/or vulnerable. The browser does a much better job, security-wise, than any of these products, and is completely shielded from noticing these bad connections. So it confirms, without a doubt, that you cannot and should not use HTTPS/TLS filtering in any of these products.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

hackerman1
Lunatic
Posts: 385
Joined: 2013-12-19, 15:12
Location: Sweden

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by hackerman1 » 2017-02-17, 13:47

Falna wrote: Here's the link to the full paper containing the table above: The Security Impact of HTTPS Interception, Zakir Durumeric et al
Dead link.
I did a search but could not find the document anywhere, it seems to have disappeared from the web...
I finally managed to find it by using Internet Archive Wayback Machine:
https://web.archive.org/web/20170213173512/https://jhalderm.com/pub/papers/interception-ndss17.pdf
Administrator on Windows Server to Workstation
Moderator (and "undercover" Admin) on The Windows Club Forum

Security: EAM, Comodo Firewall and HIPS, WinPatrol+, HOSTS-file, UAC (max), Sandboxie, NoScript and ADBlock.

Moonchild

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-17, 14:23

hackerman1 wrote: it seems to have disappeared from the web...
Hmm.. censored because the combined AV producers don't want it floating about?

For safekeeping, since archive.org can be asked to remove things from its archives as well: here it is, attached to this post.
Attachments
interception-ndss17.pdf
(321.69 KiB) Downloaded 88 times

hackerman1

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by hackerman1 » 2017-02-17, 15:10

Moonchild wrote:
hackerman1 wrote: it seems to have disappeared from the web...
Hmm.. censored because the combined AV producers don't want it floating about?
Exactly what I was thinking... ;)
Sensitive subject...?
The document has disappeared from two (2) of the authors' own homepages...
Although it can still be viewed, but not downloaded, on one of them: https://crypto.dance/projects/6356834

And the problem with SSL-filtering is nothing new, I read about it years ago.

Moonchild

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-17, 19:41

Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.

hackerman1

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by hackerman1 » 2017-02-17, 21:15

Moonchild wrote: Well hate to bring the bad news but the information is out there. And will be out there, and remain out there.
:D :D :D :D :D


Moonchild

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-18, 09:39

back2themoon wrote: I think this is relevant: HTTPS interception: What Emsisoft customers need to know
It is. Because basically they are saying that they don't do this. Instead, they make sure bad host names don't resolve - with the end result that you can't visit those URLs either. So, let's hope the others follow in stopping these bad practices.

Fedor2

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Fedor2 » 2017-02-21, 15:00

How can one check that his HTTPS is not being filtered? I mean not only on the PC itself, but also other network hardware: routers, ISP, etc. For example, I can install an HTTPS filter on the gateway; can it be detected by users for sure?

Moonchild

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-21, 21:18

Fedor2 wrote: How can one check that his HTTPS is not being filtered? I mean not only on the PC itself, but also other network hardware: routers, ISP, etc. For example, I can install an HTTPS filter on the gateway; can it be detected by users for sure?
Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack). You can't have "transparent" HTTPS filtering; that's one of the reasons the "S" means "Secure". An ISP, router, gateway, etc. trying to do this will not be trusted by the browser.

And you can check for HTTPS filtering by examining the certificate chain. Invariably, these kinds of filters will need to have a certificate that covers all domains (a super-wildcard certificate) so if you see a certificate like that identifying the website you are visiting (as opposed to a certificate specifically naming domains) then you know your connection is being filtered.
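
Added example, not part of any post in this thread: a Python sketch of the certificate check described in the post above. It goes one step further and compares the issuer with one recorded beforehand, because a filter that forges a separate certificate per site shows up only there; inspect_cert, sample_cert, the host name and the CA names are constructed for illustration.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5.0):
    """Leaf certificate as this client received it (needs network access).
    Raises ssl.SSLCertVerificationError if the chain is not trusted locally."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def _attr(name, key):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value)
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _covers(pattern, host):
    if pattern.startswith("*."):  # wildcard stands for exactly one left-most label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def inspect_cert(cert, host, expected_issuers):
    """Return findings for a getpeercert()-style dict; empty list means nothing odd."""
    host = host.lower()
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    issuer = _attr(cert.get("issuer", ()), "organizationName")
    findings = []
    # Heuristic: "*" or "*.tld" is not scoped to any one site's domain
    if any(n.startswith("*") and n.count(".") < 2 for n in sans):
        findings.append("catch-all-name")
    if not any(_covers(n, host) for n in sans):
        findings.append("host-not-named")
    if issuer not in expected_issuers:
        findings.append("unexpected-issuer")
    return findings

def sample_cert(issuer_org, *dns_names):  # constructed sample, not a real certificate
    return {"issuer": ((("organizationName", issuer_org),),),
            "subjectAltName": tuple(("DNS", n) for n in dns_names)}

HOST = "www.bank.example"
KNOWN_GOOD = {"Example Trust CA"}  # assumption: issuer noted on an unfiltered machine
CLEAN = sample_cert("Example Trust CA", "bank.example", "www.bank.example")
CATCH_ALL = sample_cert("Constructed AV Web Shield", "*")
PER_HOST = sample_cert("Constructed AV Web Shield", "www.bank.example")

if __name__ == "__main__":
    for label, cert in (("clean", CLEAN), ("catch-all", CATCH_ALL), ("per-host", PER_HOST)):
        print(label, inspect_cert(cert, HOST, KNOWN_GOOD))
```

On a live connection, pass the result of fetch_cert(host) to inspect_cert in place of the constructed samples.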

joe04

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by joe04 » 2017-02-25, 02:27

Moonchild wrote: Because HTTPS is end-to-end encryption, any intermediate intercepting this will immediately be known. By definition, this kind of filtering can only be done on the PC itself (with a certificate installed in the client allowing it) because otherwise (at least in Pale Moon's case) the connection will be flagged as untrusted (since it will be an MitM attack).
Thanks for uploading the PDF of this substantive paper. Regarding Pale Moon detection of MITM, are you referring to the use of NSS, as described on page 3 of the paper?
Firefox was the most consistent of the four browsers, and by default, each version produces a nearly identical Client Hello message regardless of operating system and platform. ...Mozilla maintains its own TLS implementation, Mozilla Network Security Services (NSS) [42]. NSS specifies extensions in a different order than the other TLS libraries we tested, which allows it to be easily distinguished from other implementations. The library is unlikely to be directly integrated into proxies because it is seldom used in server-side applications.
And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard. And coincidentally, I see that Moonchild ported one of his patches today.)

back2themoon
Moon Magic practitioner
Posts: 2370
Joined: 2012-08-19, 20:32

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by back2themoon » 2017-02-25, 08:59

joe04 wrote: And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.
Must be one of the worst pieces of advice I've heard in quite a while.

dark_moon

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by dark_moon » 2017-02-25, 10:06

back2themoon wrote:
joe04 wrote: And as an FYI, this blog from one of the long-time Mozilla stalwarts, Robert O'Callahan, advises only using Windows Defender for real-time AV. (He was in the trenches of Firefox development for many years, so his opinion carries a lot of weight in this regard.
Must be one of the worst pieces of advice I've heard in quite a while.
In fact this is the best advice. Only Microsoft knows how Windows really works, so they can make the best extra protection (in this case the AV).
Microsoft AV doesn't break your SSL/TLS security, nor include ads, nor do other creepy stuff.
For Win8 and higher the internal Windows Defender is the best recommendation. For Win7 it is Microsoft Security Essentials.
(In Win8 and higher Security Essentials is part of Windows Defender)

back2themoon

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by back2themoon » 2017-02-25, 10:33

dark_moon wrote: In fact this is the best advice. Only Microsoft knows how Windows really works, so they can make the best extra protection (in this case the AV).
In that case, we should also use Notepad instead of any other text editor, Windows Media player, IE/Edge (why Pale Moon? Microsoft knows how Windows works best), Paint and the list goes on.

The main (only?) argumentation here is that some A/V's interfere with Firefox's auto-updates. Turning that minor issue into "ALL A/V's are problematic and MS knows best" is ridiculous and as far as security is concerned (the truly important part) Defender is a sub-standard solution. It has been proven and everybody knows it. Adequate for some, sure. Improved over the years? Sure. Better than everything else? Delusional and suspiciously misleading.

Oh, and Defender has caused me (and many others) more trouble with 3rd-party programs (Pale Moon too, at some point) than any other A/V software.

back2themoon

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by back2themoon » 2017-02-25, 11:28

About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).

Moonchild

Re: Why do you recommend not using HTTPS/TLS filtering?

Unread post by Moonchild » 2017-02-25, 14:03

back2themoon wrote: About Microsoft's "expertise" on the matter, let's not forget that they acquired another company to do this, so Defender was/is actually based on a 3rd-party product (GIANT AntiSpyware).
If that's your argument, then I really hope you're not using any product from Symantec, Norton, PCTools, or AVG who don't do anything but "acquire and exploit" of 3rd party software, often without having any means to even maintain it let alone bugfix it.
