0

I have installed antivirus and noticed that all https sites I am visiting use the certificate of antivirus's manufacturer. It looks like man-in-the-middle attack and I understand why the antivirus's manufacturer do it: it is only way to check https traffic and find threats.

But my knowledge is not enough to answer to next two questions:

  • What is the new certificate? It is the certificate which was generated in my computer when I was installing the antivirus ? Or it is the one certificate for all users of this antivirus ?

  • What are the new attack vectors with this substituted certificate ?

ceth
  • 725
  • 1
  • 7
  • 17
  • As you can see there are many questions about the topic of AV intercepting TLS and most if not all of your question should be already answered. If not everything is answered please reduce your question to the parts not answered yet. – Steffen Ullrich Aug 08 '17 at 04:16

1 Answers1

1

What is the new certificate?

This depends on your AV manufacturer. It should be a wholly new generated certificate that is signed (or self-signed) upon installation, which is then put in your trusted root store. This way, the certificate is decoupled from the security vendor, and the private key is... well... private and unique to your computer. However, that may or may not happen. The AV vendor could use a single certificate that they generated and included with the installer. In the latter case, if the the security vendor loses control of the cert or the signing keys, it leaves the consumers vulnerable.

What are the new attack vectors

Attack vectors include:

  • Bad actors replacing the certificate with their own, and sniffing traffic.
  • Security vendor doing something stupid with the certificate like including the private key so that attackers can mint their own certificates from that key and spy on your traffic.
  • Alter, change, and inject content on pages you visit.
  • Security vendor using weak security on the certificates, which is easy for bad actors to break and thus mint their own to take advantage of the cert installed on your machine.

There numerous other examples of failures resulting from bad implementations, which highlight the intricacies and complexities of trying to do this correctly. In my opinion, there is no need for a security vendor to do this. Vendors claim it will protect you from the dangers of the web, but this supposed increase in security (modest at best) opens you up to the weakest link in the vendor's entire chain. (More humans, more problems.)

DrDamnit
  • 854
  • 4
  • 12