The EFF (and others) started “Let’s Encrypt”, a free, automated, and open certificate authority (CA) run for the public good. This effectively lowered the bar and the cost of HTTPS encryption.
This year, Google’s Chrome started putting a “Not secure” warning next to websites that use unencrypted HTTP connections if the page contains a password field, another good move in the privacy direction. With our Avira Scout browser, we’ve added the HTTPS Everywhere feature from the EFF.
But there is a problem. Even when there is a more secure HTTPS connection, lots of companies and devices intercept and get in the middle of these encrypted Transport Layer Security (TLS) handshakes, which has side effects.
After looking at 7.75 billion TLS handshakes, a study by researchers from Cloudflare, Google, Mozilla, and several top universities made two primary discoveries. First, they estimated that 5% to 10% of all such handshakes are intercepted. That is huge.
Second, interception opened up a Pandora’s box of issues. While not all interceptions by companies or devices were bad, most were. Researchers found that 24 of the 26 products tested actually reduced connection security and two-thirds also introduced severe vulnerabilities. As the report stated, “Nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates).”
Of course, this interception of HTTPS by the “WebGuards” of the world is being done for “good” purposes. They are attempting to detect and block malicious content that uses the HTTPS protocol to avoid inspection. But this MITM (Man-In-The-Middle) interception and browser hooking is also the reason why some browser developers currently hate AV companies. They have their reasons.
In their evaluation of 26 antivirus products that performed TLS interception, only two scored an A grade, meaning they provided an optimal connection that met Chrome’s “Secure TLS” standard. The rest were rated a C or lower.
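An interceptor terminates the browser’s TLS session and opens its own, so the ClientHello a server sees is the interceptor’s, not the browser’s; the study identified interception by comparing handshakes against known browser fingerprints. As an added example that is not part of this post or of any Avira product, the following Python parses a ClientHello record and flags suite-list mismatches, version downgrades and weak suites; the browser profile and the ClientHello bytes are constructed placeholders, not real fingerprints.

```python
import struct

# Constructed placeholder profile for a hypothetical browser build; real fingerprints change per release.
EXPECTED_PROFILE = {
    "version": 0x0303,  # TLS 1.2
    "cipher_suites": [0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8],
}
# IANA code points for RC4 and export-grade suites a current browser would never offer.
WEAK_SUITES = {0x0003, 0x0004, 0x0005}

def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello; return version and offered suites."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32 + 1 + hello[34]  # skip client random and session id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos + 2, pos + 2 + suites_len, 2)]
    return {"version": version, "cipher_suites": suites}

def build_client_hello(version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record (constructed test input, no extensions)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"  # one compression method: null
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(body)) + body

def assess_handshake(record: bytes, expected: dict = EXPECTED_PROFILE) -> list:
    """Return findings; an empty list means the hello matches the browser profile."""
    hello = parse_client_hello(record)
    findings = []
    if hello["cipher_suites"] != expected["cipher_suites"]:
        findings.append("cipher suite list differs from browser profile: likely interception")
    if hello["version"] < expected["version"]:
        findings.append("offered protocol version lower than the browser's: downgrade")
    weak = sorted(set(hello["cipher_suites"]) & WEAK_SUITES)
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(f"0x{s:04x}" for s in weak))
    return findings
```

On real traffic the record would come from a packet capture and the profile from the browser’s own unintercepted ClientHello, captured on a machine without the product installed.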
Grading TLS interception is like someone sneezing into their hand, wiping it off with a tissue, then reaching over to shake your hand. Sure, you are glad that they tried to clean the microbes off their hand before pressing the flesh. But, you’d really rather they would not have been sneezing into their hand in the first place.
Instead of crowing about getting an A grade or being very, very quiet about the others with an F, it would be better to recognize the developers that simply did not try to break up this handshake at all.
The WebGuard component in Avira AV scans unencrypted HTTP traffic and does not intercept or break HTTPS handshakes, avoiding those horrible side effects. We cover malware detection with other technologies like FileGuard, and the AUC-based URL protection in the ABS extension contributes further to your protection. AV scanning may also be incorporated into our Scout Browser in the future if we see a security benefit there.
Given the recent test results (Avira just won AV-Comparatives Product of the Year award), the lack of interception has visibly not hurt Avira’s ability to provide top-level security. Please take a look at the report footnotes on page 4 for the names of other AV firms that are not doing interceptions.
The report takes a deep dive into an analysis of handshakes and interceptions. But beyond these highly technical aspects, the report is a plea for firms to rethink whether intercepting HTTPS is actually needed or responsible. The researchers also point to the worrying trend of security products actually worsening security rather than improving it.
Article written jointly by Thorsten Sick and Lyle Frink. 🙂