
I don't know a lot about this subject but - I am trying out ESET Smart Security version 9 which includes the NOD32 product (anti-malware/antivirus) and I received an error regarding the addition of a new ESET root certificate in all of my browsers. I am running Windows 10. Upon some basic research it seems that in order to monitor and protect the user from malicious SSL/TLS connections, a root certificate is added for ESET. I believe this allows ESET to act as a "middle man" between the connections, allowing the software to inspect the web traffic for further action. I'm guessing that this is related to the "internet security" aspects of the software bundle and probably is not included in the base "NOD32" option.

My questions and thoughts are around -

  1. Is this common for modern day antivirus to inject its own root cert to perform MiTM?
  2. ESET forums seem to indicate that I can disable this feature and remove the root cert as long as I accept the loss of protection. Would this be wise?
  3. Is it accurate to say that since this root certificate exists, they (ESET) can see all of my web traffic in an UNencrypted format?
  4. In order to obtain a state of security, does this now require that one abdicates some of their privacy?
  5. Should I disable the feature or look for another product?

** related thread by another user: Kaspersky Antivirus "secure connection scan" as broken as Superfish?

** Since posting this question, I've contacted ESET and "complained" about the root certificate and asked for some clarification. Their only suggestion was to disable the feature in the settings and to remove the root certificate. For what it's worth, this seems to remove the majority of the functionality for the "network security" function of their products.

Oscalation
  • Yes, owning a root cert means they can (and certainly do, so their product can work) see all your traffic unencrypted - your browser actually talks to their product, which pretends to be whatever site, then forwards the traffic to the real site, pretending to be your browser. I'd be leery of it - these are all the keys to all your online kingdoms it would have access to. Mind you, it is likely running as fully privileged, so could do lots of nasty things anyway - key logging, you name it. With that in mind, only do this if you really, really trust the product and company – crovers Sep 21 '16 at 16:58

2 Answers


probably is not included in the base "NOD32" option.

AFAIK it is included too, as NOD32 also scans the connections. FYI, in previous versions of NOD32 and ESET Smart Security this feature was disabled by default.

Is this common for modern day antivirus to inject its own root cert to perform MiTM?

Well... At least there are some well-known AVs which do this. And it is a very controversial topic. Especially with the recent Superfish issue and similar ad software doing the same, it may be considered a bad thing. Of course antivirus software has a different aim than ad software, but it deploys the same technology.

It is a very easy way for an AV to inspect all the (usually encrypted and therefore not analysable) SSL/TLS traffic.

ESET forums seem to indicate that I can disable this feature and remove the root cert as long as I accept the loss of protection. Would this be wise?

If you do not like that your encrypted connections are broken by ESET, yes. Usually all AVs also scan files when they are saved on disk, so you are not without malware protection in this case.

Is it accurate to say that since this root certificate exists, they (ESET) can see all of my web traffic in an UNencrypted format?

Yes. At least if "they" is "the ESET software using this technique". What they do with this information is another thing.

In order to obtain a state of security, does this now require that one abdicates some of their privacy?

Again, this depends on what the software MITMing your connection does.

For what it's worth, this seems to remove the majority of the functionality for the "network security" function of their products.

It only affects encrypted (TLS/SSL/HTTPS/...) connections. You can still scan and block all non-HTTPS traffic.

As for the general issue

The general issue is that you give all trust implied by HTTPS/SSL/TLS from your browser to the software MITMing you. This matters for privacy reasons of course, and also for security reasons, as the implementation of such a complex protocol as HTTPS/SSL/TLS is difficult and there may be flaws which seriously weaken your security. Kaspersky was one example. Examples of vulnerabilities are:

  • the private key for the certificate is reused (as was the case with Superfish, for example); this allows anyone to MITM the connection just as the software using the root certificate can
  • old, deprecated protocol versions (e.g. SSLv2 or SSLv3) are still supported although it is known they are insecure
  • they support old ciphers (RC4, ciphers with MD5, ...)
  • ...

As also outlined in the article I linked above - which I recommend you to read - such security software quite certainly also decreases the security of your HTTPS connection, as it might not support some bleeding-edge (or even not so bleeding-edge) technology which improves the security of HTTPS. Examples are HSTS, HPKP, HSTS Preloading, HPKP Preloading, Certificate Transparency and so on... It all depends on the implementation. Browser vendors have had years to implement these features correctly and are constantly improving them and implementing new features, so it is very hard for AV vendors to keep up and - which is important - implement it correctly.

rugk
  • Great answer but I must ask you - what is your personal opinion? Should I continue to use ESET network security and allow the root cert? Should I continue using ESET and disable that feature and remove the cert? Or should I look to another AV vendor? I know the answer is subjective and contingent upon the personal individuals needs. What would you do? – Oscalation Oct 07 '16 at 12:16
  • As for Stack Overflow, answers should be neutral and I do not want to say what you should or should not do. As I explained, you have to outweigh two risks: malware coming over HTTPS vs better HTTPS technology. I've mentioned some strong arguments and facts in my post, so you might get what I would choose. In any case I'd say choosing another AV vendor does not help. Most of them now do that, unfortunately. If you still can't decide, look at the articles I linked. BTW: 1. You can also upvote answers if you like them. 2. AFAIK when you disable the feature the root cert is removed automatically. – rugk Oct 07 '16 at 14:46
  • Also a good read: [Kaspersky Antivirus “secure connection scan” as broken as Superfish?](https://security.stackexchange.com/questions/82359/kaspersky-antivirus-secure-connection-scan-as-broken-as-superfish?rq=1) – rugk Oct 07 '16 at 14:54
  • And as an addition, @Oscalation, [here](http://users.encs.concordia.ca/%7Emmannan/publications/ssl-interception-ndss2016.pdf) is an up-to-date scientific paper on the issue showing what can go wrong and how different AVs do. – rugk Oct 25 '16 at 12:59
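To make the trust transfer described in this answer concrete, here is an added Go example (written for this page; it is not code from the answer, from ESET or from any AV vendor). It builds a stand-in public CA, a stand-in "interception root" of the kind an AV installer adds to the trust store, the genuine leaf for a host, and the re-signed leaf the interceptor would present for that host, then runs the browser's chain check and an HPKP-style SPKI pin check against both. All names (`Example Public Root CA`, `Example AV Interception Root`, `www.example.com`) and the pin value are constructed for the demo and are assumptions, not any vendor's real identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// ca is a certificate plus its private key. Everything below is constructed for
// the demo; the CA names are hypothetical and not any vendor's real root.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint issues a certificate for subject: a self-signed root when isCA is set,
// otherwise a server leaf for that host signed by issuer. An intercepting AV
// runs the leaf branch on the fly for every HTTPS site the browser visits.
func mint(subject string, isCA bool, issuer *ca) ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return ca{cert, key}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value an HPKP
// header or a browser's built-in pin list carries.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// check returns the ordinary browser verdict (leaf chains to a trusted root for
// host) and the pinning verdict (some key in that chain matches pin).
func check(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) (trusted, pinned bool) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false, false
	}
	for _, chain := range chains {
		for _, c := range chain {
			if spkiPin(c) == pin {
				return true, true
			}
		}
	}
	return true, false
}

// Scenario plays one interception through and returns the four verdicts.
func Scenario() (forgedTrustedBefore, forgedTrustedAfter, genuinePinned, forgedPinned bool) {
	const host = "www.example.com"
	publicCA := mint("Example Public Root CA", true, nil)    // stands in for a public CA
	avRoot := mint("Example AV Interception Root", true, nil) // stands in for the AV root
	genuine := mint(host, false, &publicCA).cert              // what the site really serves
	forged := mint(host, false, &avRoot).cert                 // what the interceptor serves
	pin := spkiPin(publicCA.cert)                             // the site pins its CA's key

	before := x509.NewCertPool() // trust store as shipped
	before.AddCert(publicCA.cert)
	after := x509.NewCertPool() // trust store after the AV installer adds its root
	after.AddCert(publicCA.cert)
	after.AddCert(avRoot.cert)

	forgedTrustedBefore, _ = check(forged, before, host, pin)
	forgedTrustedAfter, forgedPinned = check(forged, after, host, pin)
	_, genuinePinned = check(genuine, after, host, pin)
	return
}
```

`Scenario()` returns `false, true, true, false`: the re-signed leaf is rejected while only the public root is trusted, accepted the moment the interception root is in the store, and the only thing that still tells the two chains apart is the pin on the real CA's key. That is the answer's "all trust implied by HTTPS is handed to the MITM" in code, and it also shows why a reused private key matters: whoever holds the interception root's key can mint a leaf the `after` store accepts, exactly as the AV does. One caveat for practitioners: Chrome and Firefox deliberately skip their built-in pins for chains that end in a locally installed root, precisely so that AV and corporate interception keep working, so in a real browser even this last check is waived once the root is installed.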

Answers to questions 1,2,3,4 - Yes. 5 - If you do not trust anyone but Microsoft you should not install third-party antivirus or other programs for any purposes at all. Applications installed on Windows can do anything, including replacing the root certificate without your knowledge. Windows 10 has built-in antivirus in Windows Defender, albeit the efficiency of it is subjective.