Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Some Bitdefender products break HTTPS certificate revocation

Lucian Constantin | Feb. 27, 2015
This allows man-in-the-middle attackers with access to revoked, but otherwise valid, certificates to manipulate encrypted traffic.

That same year a Dutch certificate authority called DigiNotar was hacked and the attacker walked away with over 500 fraudulent certificates for various domain names. One of those certificates was later used in a mass surveillance attack against Gmail users in Iran.

Other similar incidents have happened since then, and certificate revocation played an important role in protecting users every time. Without it attackers can abuse fraudulent certificates for years, until their expiration date.

Cosoi argued that security products have a legitimate need to inspect HTTPS traffic and that, unlike adware programs, they do this to provide protection, not to profit. The practice of using a locally installed self-signed root certificate is a workaround that security products should be allowed to use, he said.

Eiram agreed, saying that the inability to inspect HTTPS traffic would be a significant limitation for such a product.

"It would be too simple for attackers to get around the Web browsing protection features by just getting users to visit malicious sites using HTTPS," he said. "However, it's important that security products implement proper certificate checks to ensure presented certificates are valid."


Previous Page  1  2  3 

Sign up for Computerworld eNewsletters.