Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.
Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.
While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.
If a website's certificate has been revoked by a certificate authority -- for example, because it was issued fraudulently or because its private key was compromised by hackers -- affected Bitdefender products will still accept it as valid. More importantly, as part of their HTTPS scanning feature, they will convert the revoked certificate into a certificate that local browsers will trust, despite the fact that under normal circumstances those browsers would reject the original certificate.
Eiram discovered the issue earlier this week while performing quick tests of the HTTPS scanning implementations in a few widely used security products, following an inquiry from the IDG News Service about possible Superfish-like flaws in other applications. IDG News Service helped report the issue to Bitdefender and the company developed a fix that will be included in a larger scheduled update next week.
The decision to report the flaw publicly ahead of a patch release was taken because the issue is very easy to find and because Bitdefender considers its impact to be low.
HTTPS scanning issues are something that a lot of people are focusing on, Eiram said. "Someone is bound to download and check certificate validation in various security products including Bitdefender. It's just a matter of downloading the product and then visiting a site with a revoked certificate to see the unsafe behavior."
One such site is https://revoked.grc.com. It has been set up by Gibson Research so that users can test whether their browsers and other software fail to check the revocation status of SSL certificates. If the site is loaded without a browser warning then certificate revocation is not properly verified.
"As the attack vector is quite small and difficult for an attacker to target, we did not consider it as a high priority update," said Alexandru Catalin Cosoi, Bitdefender's chief security strategist and global communications director, in an emailed statement. "We will scan the [HTTPS] traffic anyway for malicious payloads, which still renders our customers safe."
Sign up for Computerworld eNewsletters.