
Today I got a call from an end-user using Windows 10 who was accessing our web server's https site from a Firefox browser bookmark and got the following error:

www.example.com uses an invalid security certificate
The certificate is not trusted because no issuer chain was provided.
Error code: sec_error_unknown_issuer

After some struggle I found out that the ESET antivirus program interferes with SSL/TLS communication. I disabled SSL/TLS protocol filtering in the ESET program following the official instructions: http://support.eset.com/kb3126/ After disabling SSL/TLS filtering in the antivirus, the Firefox browser can access the https site without any problem (there is nothing wrong with the certificate or the certificate chain).

It looks like the antivirus is trying to get inside the encrypted SSL/TLS traffic to find out if there is some malicious program in it, and if there is, it tries to block it.

What I would like to know is how the antivirus really intercepts SSL/TLS traffic, from a technical point of view?

a) Tries to execute a MiTM attack on SSL/TLS?

b) Looks for the Firefox browser process and looks into its memory?

Something else? Some technical explanation would be great.

By the way, on this web server only port 443 with the https protocol is enabled; port 80 with the http protocol is disabled. Thanks

folow

1 Answer


Tries to execute a MiTM attack on SSL/TLS?

Yes, that is the case. Antivirus and firewalls do SSL inspection by being a man in the middle on the SSL connection. Since this causes warnings in the browser about unknown issuers, they usually also deploy their proxy CA as trusted into the OS and browsers.

For a deeper technical explanation see the many questions about this topic on this site, like Does a TLS interception proxy present the user's browser with the end server's certificate? or Why is 'avast! Web/Mail Shield Root' listed as CA for google.com?

Steffen Ullrich
  • What does the "In some cases, the root certificate is not properly imported during the installation of ESET products." from the official ESET web page mean? Does the ESET anti-virus installation program INJECT its own SSL "Certificate Authority" certificate into the certificate stores, like the Windows SSL store accessed by IE and Google Chrome and the Firefox SSL store used by Firefox? How can I check if this is true? – folow Aug 18 '16 at 12:49
  • @folow: yes, it adds the proxy certificate to these stores. You can check if it's there by checking your trust store or by checking the trust chain you get when visiting a site. – Steffen Ullrich Aug 18 '16 at 13:26
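The check suggested in the last comment (look at the chain the client actually receives and see who issued the leaf) as an added example; this is not code from the original thread or from ESET. It assumes the expected issuer's common name is known in advance, for example recorded from a machine without SSL filtering, and uses the certificate dict shape returned by Python's ssl.SSLSocket.getpeercert(); the sample certificates are constructed, not real.

```python
import socket
import ssl


def rdn_to_dict(name):
    """Flatten the ((('commonName', 'x'),), ...) structure getpeercert() uses."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out[key] = value
    return out


def classify_leaf(cert, expected_issuer_cn, hostname):
    """Return 'ok', 'name-mismatch' or 'unexpected-issuer' for one leaf cert.

    A TLS-inspecting proxy re-signs the server certificate with its own CA,
    so the leaf still names the right host but its issuer changes.
    """
    issuer = rdn_to_dict(cert.get("issuer", ()))
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        return "name-mismatch"
    if issuer.get("commonName") != expected_issuer_cn:
        return "unexpected-issuer"
    return "ok"


def fetch_leaf(hostname, port=443):
    """Live check: the leaf cert as seen through the local (OS) trust store.

    If a proxy CA was imported into the OS store, verification succeeds and
    the returned issuer is that proxy CA; if it was not imported, this raises
    ssl.SSLCertVerificationError, the same failure Firefox reported above.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificate dicts (hypothetical names, not real CAs).
GENUINE_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Local AV Proxy CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
```

Running classify_leaf(fetch_leaf("www.example.com"), "<expected issuer CN>", "www.example.com") on the affected Windows 10 machine reports "unexpected-issuer" while SSL filtering is on and "ok" once it is disabled.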