Thursday February 09, 2017

Google, Mozilla to Anti-Virus and Security Firms: "Stop Trashing HTTPS"

Another strike against anti-virus? Sounds like it. We’ve got a study here that paints security software in a bad light, accusing them of "undermining HTTPS connections and exposing browser users to decryption attacks." If I’m understanding this right, anti-virus software is installing root certificates that allow them to read encrypted trafficآ—as you could imagine, this is sort of detrimental to the whole point of HTTPS.

News Image

The researchers urge antivirus vendors to stop intercepting HTTPS altogether, since the products already have access to the local filesystem, browser memory, and content loaded over HTTPS. Additionally, they charge all security companies with acting "negligently". "Many of the vulnerabilities we find in antivirus products and corporate middleboxes, such as failing to validate certificates and advertising broken ciphers, are negligent and another data point in a worrying trend of security products worsening security rather than improving it," they write. The study is likely to give ammunition to Chrome and Firefox developers who've criticized antivirus firms for undermining browser security features and introducing more security risks to users. Google's Project Zero, for example, recently found a bug in Kaspersky's TLS inspection that resulted in browsers not flagging an error if a user connected to the wrong site.

Discussion