Once upon a time, the golden rule of Google was “Do no evil.” The simple idea was, if you can’t do anything good, make sure that whatever you do isn’t hurting anyone. This is a rule that the security industry needs to remember and apply. Bigly.
One of the positive steps that the IT industry has been taking is to press forward with HTTPS encryption. This enables you as a computer user to connect more securely and privately with the websites you are visiting. Great idea and it is (slowly) becoming reality.
Pushing encryption forward
One of the game changers has been the EFF (and others) starting “Let’s encrypt” which created a free, automated, and open certificate authority (CA) run for the public good. This effectively lowered the bar and the costs of HTTPS encryption.
This year, Google’s Chrome started putting a “Not secure” warning next to websites served over unencrypted HTTP if the page contains a password field – another good move in the privacy direction. With our Avira Scout browser, we’ve added the HTTPS Everywhere feature from the EFF.
But there is a problem. Even when there is a more secure HTTPS connection, lots of companies and devices intercept and get in the middle of these encrypted Transport Layer Security (TLS) handshakes, which causes side effects.
Interception almost always equals vulnerabilities
After looking at 7.75 billion TLS handshakes, a study by researchers from Cloudflare, Google, Mozilla, and several top universities made two primary discoveries. First, they estimated that 5% to 10% of all such handshakes are intercepted. That is huge.
Second, interception opened up a Pandora’s box of issues. While not all interceptions by companies or devices were bad, most were. Researchers found that 24 of the 26 products tested actually reduced connection security and two-thirds also introduced severe vulnerabilities. As the report stated, “Nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates).”
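To make the “fail to validate certificates” finding concrete, here is an added Go example (it is not code from the original post or from the study) built around a toy in-memory PKI: a public root that clients trust, a rogue CA that nobody trusts, and an interceptor that re-issues server certificates under its own root, the way intercepting products do. The CA names, the hostname example.test and the ValidateLeaf and Relay functions are all constructed for the illustration. It shows three things: a client that validates its chain rejects a certificate from the rogue CA; once the interceptor’s root has been installed, a client behind an interceptor that re-signs without checking upstream accepts that same bogus certificate; and a client that pins its expected root can still notice that it is being intercepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// template builds a minimal CA or TLS-server certificate template for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // toy serial, fine for an in-memory PKI
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign makes a fresh P-256 key and signs tmpl with parent; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCA creates a self-signed root; Issue signs a server certificate for host under that CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(template(name, true), nil, nil)
}

func Issue(host string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := sign(template(host, false), caCert, caKey)
	return cert
}

// ValidateLeaf does what a well-behaved TLS client does with the certificate it is shown:
// chain it to a trusted root for the expected host. It returns that root so the caller
// can compare it with a pinned one (a real client would pin a hash of root.Raw).
func ValidateLeaf(leaf *x509.Certificate, roots *x509.CertPool, host string) (*x509.Certificate, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return nil, err
	}
	return chains[0][len(chains[0])-1], nil
}

// Relay models an intercepting product: it terminates the upstream session and shows the
// client a certificate for host re-issued under the interceptor's own root. With
// validateUpstream=false it reproduces the defect the study reports: the upstream
// certificate is re-signed without ever being checked.
func Relay(upstream *x509.Certificate, host string, icCert *x509.Certificate, icKey *ecdsa.PrivateKey,
	publicRoots *x509.CertPool, validateUpstream bool) (*x509.Certificate, error) {
	if validateUpstream {
		if _, err := ValidateLeaf(upstream, publicRoots, host); err != nil {
			return nil, err // a careful interceptor refuses, just as the browser would have
		}
	}
	return Issue(host, icCert, icKey), nil
}

func main() {
	host := "example.test" // constructed hostname
	pubCA, _ := NewCA("Public Root CA")
	rogueCA, rogueKey := NewCA("Rogue CA")
	icCA, icKey := NewCA("Interceptor Root")
	public, withIC := x509.NewCertPool(), x509.NewCertPool()
	public.AddCert(pubCA)
	withIC.AddCert(pubCA)
	withIC.AddCert(icCA) // the interceptor installed its own root on the machine
	bogus := Issue(host, rogueCA, rogueKey) // a certificate no public CA ever issued
	_, err := ValidateLeaf(bogus, public, host)
	fmt.Println("direct client rejects the bogus certificate:", err != nil)
	relayed, _ := Relay(bogus, host, icCA, icKey, public, false)
	root, err := ValidateLeaf(relayed, withIC, host)
	fmt.Println("client behind a non-validating interceptor accepts it:", err == nil)
	fmt.Println("pinned-root check still flags the interception:", !root.Equal(pubCA))
}
```

The careful variant (validateUpstream=true) refuses to relay anything it could not validate itself, which is the minimum an interceptor has to do to avoid becoming the weakest link in the connection. The pinned-root comparison at the end is the check a client can run to detect that its chain no longer ends at the root it expected, whatever the interceptor’s reasons.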
From the Black Sox to the Internet: Why did you do it?
Of course, this interception of HTTPS by the “WebGuards” of the world is being done for “good” purposes. They are attempting to detect and block malicious content that uses the HTTPS protocol to avoid inspection. But this MITM (Man-In-The-Middle) interception and browser hooking is also the reason why some browser developers currently hate AV companies. They have their reasons.
Nothing to sneeze about
In their evaluation of 26 antivirus products that perform TLS interception, only two scored an A grade, meaning they provided an optimal connection that was up to Chrome’s “Secure TLS” standards. The rest were rated a C or lower.
Grading TLS interception is like someone sneezing into their hand, wiping it off with a tissue, then reaching over to shake your hand. Sure, you are glad that they tried to clean the microbes off their hand before pressing the flesh. But, you’d really rather they would not have been sneezing into their hand in the first place.
Instead of crowing about getting an A grade or being very, very quiet about the others with an F, it would be better to recognize the developers that simply did not try to break up this handshake at all.
A ‘no-grade’ we are proud of
The WebGuard component in Avira AV scans unencrypted HTTP traffic and does not intercept or break HTTPS handshakes (avoiding the horrible side effects). We cover malware detection with other technologies such as FileGuard, and the AUC-based URL protection in the ABS extension also contributes to your protection. AV scanning may also be incorporated into our Scout browser in the future if we see a security benefit there.
Given the recent test results (Avira just won the AV-Comparatives Product of the Year award), the lack of interception has visibly not hurt Avira’s ability to provide top-level security. Please take a look at the report footnotes on page 4 for the names of other AV firms that are not doing interceptions.
Let’s not be evil
The report takes a deep dive into handshakes and interceptions. But beyond its highly technical aspects, the report is a plea for firms to rethink whether intercepting HTTPS is actually needed or responsible. The researchers also point to the worrying trend of security products worsening security rather than improving it.
Article written jointly by Thorsten Sick and Lyle Frink. 🙂