
My company offers a product that utilizes a personal web certificate (pfx) as a secondary means to verify the user logging in (or more accurately, the computer). Most of the time, this works without problem. However, in the recent months there has been an uptick in the number of cases where an Antivirus, such as Kaspersky, uses a feature that scans encrypted connections, and this leads to the user not being allowed in.

Our servers show that these users are not presenting their certificate. If I walk them through outright disabling the HTTPS scanning, they will immediately be let in (the server now "sees" the user's certificate). I understand that these antivirus programs use their own certificate, and this tends to prevent the user from seeing the site's certificate. However, is this also the case for the server?

I guess my post/question here is twofold. First, are antivirus programs preventing users from using their own certificates as an authentication means to websites when this feature is enabled? Secondly, besides completely disabling the feature for every customer that calls in (note: these customers are small-to-large companies under strict HIPAA and/or FCRA guidelines, so I do not feel comfortable encouraging them to disable any security measures), is there another way, either in the development of our product or in the support of the customers, to get around this major roadblock?

I have a meeting on Monday where I discuss my findings, and would greatly appreciate any available feedback.

Courtesy note: I have done my best to offer up as much information as possible without breaching confidentiality. Please respect this, and do not attempt to guess the company I am working for. Thank you.

thanevim
  • By "personal web certificate" I assume you're talking about client certs? Sounds like the anti-virus program is intercepting the user's connection to your server, then forming its own connection without utilizing the client certificate you gave the user. – Ajedi32 Oct 20 '17 at 20:10
  • *"I guess my post/question here is twofold"* - the first part is about using client certificates vs. SSL interception. This part is a duplicate and I've marked the question as such. If you still need answers to the second part after you've understood why client certificates and SSL interception do not play together well then please ask a new question which cares only about this part. – Steffen Ullrich Oct 20 '17 at 20:43
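As an added example (not part of the question or the comments above), here is a server-side diagnostic for the failure mode being described: it classifies what the server saw at the TLS layer so support can separate "the user has no certificate" from "something between the user and us re-originated the TLS session and dropped it". It assumes the server socket uses `verify_mode=CERT_OPTIONAL` so the handshake completes without a client certificate and the application can report a useful error, and the issuer name `Example Product Client CA` is a placeholder.

```python
import ssl  # for reference only: input follows ssl.SSLSocket.getpeercert()'s layout

ISSUER_CN = "Example Product Client CA"   # assumption: CA that issues the user pfx files


def _rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_client_auth(peer_cert):
    """Return (status, support_message) for one TLS connection.

    peer_cert: getpeercert() result on a server socket with CERT_OPTIONAL;
    it is {} when the peer sent no certificate at all.
    """
    if not peer_cert:
        return ("no_client_cert",
                "No client certificate reached the server. If one is installed on the "
                "user's machine, an HTTPS-scanning antivirus or TLS-inspecting proxy most "
                "likely terminated the connection and opened its own, without that key.")
    issuer_cn = _rdn_value(peer_cert.get("issuer", ()), "commonName")
    subject_cn = _rdn_value(peer_cert.get("subject", ()), "commonName")
    # Only reachable if the server's trust store contains more than one CA.
    if issuer_cn != ISSUER_CN:
        return ("untrusted_issuer",
                f"Certificate for '{subject_cn}' was issued by '{issuer_cn}', not our CA.")
    return ("ok", f"Client certificate for '{subject_cn}' accepted.")


def summarise(connections):
    """Count statuses over many connections to spot a spike in stripped certificates."""
    counts = {}
    for peer_cert in connections:
        status, _ = classify_client_auth(peer_cert)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inputs in getpeercert() layout (not real certificates).
SAMPLE_OK = {
    "subject": ((("commonName", "workstation-042"),),),
    "issuer": ((("organizationName", "Example Product"),), (("commonName", ISSUER_CN),)),
}
SAMPLE_STRIPPED = {}   # what the server sees when an interceptor re-originates the session

if __name__ == "__main__":
    for cert in (SAMPLE_OK, SAMPLE_STRIPPED):
        print(classify_client_auth(cert))
    print(summarise([SAMPLE_OK, SAMPLE_STRIPPED, SAMPLE_STRIPPED]))
```

The TLS layer alone cannot prove interception; the value of this is turning a bare handshake failure into a specific message that points support at HTTPS scanning before anyone is asked to disable it.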

0 Answers