
Certs and usability, e.g. Understanding Risk of trusting an Anti-Virus Root CA/Certification Authority

  • 3 replies
  • 1 has this problem
  • 29 views
  • Last reply by ElveySync


At a basic level, I understand that trusting a cert like this* involves trusting one's antivirus vendor, in this case Kaspersky.

I'm hoping to offer some basic info and receive/collect some more advanced info and/or pointers thereto: more advanced info to help guide users in deciding whether to enable this or not.

To what extent does trusting this cert place more trust than installing Kaspersky in the first place does? My understanding: When it's installed and in use, web traffic still goes directly between my machine and the normal web server at its normal IP over HTTPS. But it goes through part of the Kaspersky software on my machine, where it is unencrypted. It's decrypted and re-encrypted between Firefox and my computer's network interface, and there's relatively little preventing that software from doing nefarious things. I wonder what difference using an OS configured-by-default or managed to only allow applications to run with limited permissions makes. My first guess is that the core Kaspersky software installs with root access/ties into the kernel anyway, although if it were exfiltrating data, someone using an external tool like Pi-Hole would probably see something fishy, and be yelling about it and the media would cover it. So trusting this cert has a fairly small marginal downside. And of course it enables some security functionality, so there's an upside. But exfiltration could be set to trigger only in very limited circumstances...

I'm also wondering if Firefox should display a different UI for Antivirus company certs. I also suspect it makes sense to ship Firefox with these certificates by default, BUT untrusted, instead of not at all. (The same may go for Let's Encrypt certs too!?)

I note: jscher2000's advice (copied from [https://support.mozilla.org/en-US/que.../1295569] here) is spot on:

Kaspersky software includes a feature to intercept and filter all of your web browsing. As a "man in the middle" the software needs to generate fake site certificates but Firefox is not fooled.

If you want to keep this feature enabled, you can set Firefox up to trust Kaspersky's fake certificates. There are two methods described in this article: https://support.kaspersky.com/14620

If you do not want the software filtering your browsing, you could try this: https://support.mozilla.org/ru/kb/kak-ustranit-oshibku-s-kodom-sec_error_unknown_iss#w_kaspersky


Any advanced / user advanced info and/or pointers? Resources?

  • [about:certificate?cert=MIID5DCCAsygAwIBAgIJQgAAALBfgNUAMA0GCSqGSIb3DQEBCwUAMFYxGTAXBgNVBAoMEEFPIEthc3BlcnNreSBMYWIxOTA3BgNVBAMMMEthc3BlcnNreSBXZWIgQW50aS1WaXJ1cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0yMDA0MTAyMTI0MTZaFw0yMTA0MDkyMTI0MTZaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEcMBoGA1UEChMTTW96aWxsYSBDb3Jwb3JhdGlvbjEXMBUGA1UECxMOQ2xvdWQgU2VydmljZXMxGjAYBgNVBAMMESouY2RuLm1vemlsbGEubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAru1xFmyme1vMGlRasfqcgNSm7u8aLSGaC9HXOb4Jg9nh%2BpZtWC1RTth9S3E5wkLDxJ%2BM0wdBaWMdqh35vTn3TGTDf6J%2Fv%2Bb1JM4Pj4PGcB%2FtfTHoRXoQWsQNO8nndRJu07zv3d62d0fwqTU3NUrZId3CzuugAxEOjXRAweqPEIqSYHdA8MHSUY4DkrzYKtSRkjhUQPoN5CMMcX94Z1AjpOvhBrdHOtvv0IxjZDke5HOjt0bkOwRSltkH8%2BXAJ5eTMwUwfB6kakpXLwZaCQcaSlF18dQ6uQVkSCDcBWLIMsVgFITvUTfw33AHbe%2Fq1YVNYQsQu0tKaI9G0ZPcKR8%2FFQIDAQABo30wezATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwVwYDVR0RBFAwTocEQQjzXIIiZG93bmxvYWQtaW5zdGFsbGVyLmNkbi5tb3ppbGxhLm5ldIIRKi5jZG4ubW96aWxsYS5uZXSCD2Nkbi5tb3ppbGxhLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAaV9baN1EhIwcgjebTrDAx38E3yI7XSXh%2F2PsVdnjHL%2Fw2yaTIWXN1GibyYrISBQwHjUJMDn3ZVmCj8e0GaJj%2BWMQ5PhL0wFUzRtfW8DOEHrzKVf3ZtI00Ym8PSHtimUt7jLRndHjaz%2FXFGCVYausnMEVetNfeKw%2BQYnmqYtLl5fJAyw5GulGrQVhqCX8BveKVmdl9zkIVwNDdywmfOVUYJORyareHXwbiKhn3QovUxe3%2ButUNHTemtKTVh8mcksd0x1xo6P2boHp4dnFN82vFil97SMcWpc3QYWffAijsBwLopx3tyVHUDRcHNzcPNopxqc8qaUTyVuYPZEh%2BRNDPA%3D%3D&cert=MIIDmzCCAoOgAwIBAgIJQQAAAAFbqSn5MA0GCSqGSIb3DQEBCwUAMFYxGTAXBgNVBAoMEEFPIEthc3BlcnNreSBMYWIxOTA3BgNVBAMMMEthc3BlcnNreSBXZWIgQW50aS1WaXJ1cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wODA5MjYxODE2MjVaFw0yODA5MjExODE2MjVaMFYxGTAXBgNVBAoMEEFPIEthc3BlcnNreSBMYWIxOTA3BgNVBAMMMEthc3BlcnNreSBXZWIgQW50aS1WaXJ1cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK7tcRZspntbzBpUWrH6nIDUpu7vGi0hmgvR1zm%2BCYPZ4fqWbVgtUU7YfUtxOcJCw8SfjNMHQWljHaod%2Bb0590xkw3%2Bif7%2Fm9STOD4%2BDxnAf7X0x6EV6EFrEDTvJ53USbtO8793etndH8Kk1NzVK2SHdws7roAMRDo10QMHqjxCKkmB3QPDB0lGOA5K82CrUkZI4VED6DeQjDHF%2FeGdQI6Tr4Qa3Rzrb79CMY2Q5HuRzo7dG5DsEUpbZB%2FPlwCeXkzMFMHwepGpKVy8GWgkHGkpRdfHUOrkFZEgg3AViyDLFYBSE71E38N9wB23v6tWFTWELELtLSmiPRtGT3CkfPxUCAwEAAaNsMGowDwYDVR0TAQH%2FBAUwAwEB%2FzA1BglghkgBhvhCAQ0EKBYmezQxOEU5RTAzLUQxMDMtNDNDMC04RDlBLTI1NTBCOEVDOTQ0RX0wCwYDVR0PBAQDAgIEMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4IBAQAyTGpDY8PUcwibBb0m%2BEJ%2BidMXwv%2Fxifa6me6UZ6gQzH9z8uwxR3YcCES2QRgIZR9PgZTe%2F0aDBP1hkIAqQWu%2BFB2pRmyEGRjkJ7keVgB2MzzCaBeIPffA5%2BE1fHvFOzbqtvWgKh4vFPcQupB4K0b1YK2sWri6%2FmvDQVRV%2FSATm9qsVfzmin5QTj%2BtqeZ4Wuhlme6novKeqL4B7kNrHrYFDeQxZ29dFP2lVLkKgc2FuRjjT%2FfChRX%2FuZW%2B3vyzza0PI%2FuVKaiMtxHinL765dFOF29WWCp8BeQEOknjhSIDy8NYMqeqD%2BAvuMkXxD8wbFahYN61NfqV9VwMhNvWv7z3 this]
Attached screenshots

All Replies (3)


ElveySync said

To what extent does trusting this cert place more trust than installing Kaspersky in the first place does? My understanding: When it's installed and in use, web traffic still goes directly between my machine and the normal web server at its normal IP over HTTPS. But it goes through part of the Kaspersky software on my machine, where it is unencrypted. It's decrypted and re-encrypted between Firefox and my computer's network interface, and there's relatively little preventing that software from doing nefarious things.

Normally, requests and responses are encrypted between Firefox and the website, and other software on your PC cannot read that traffic. Of course, locally installed software still could read/record the screen, and snoop through what Firefox saves to disk, so there is not complete privacy even in the direct connection scenario. But there is still a real difference.

I'm also wondering if Firefox should display a different UI for Antivirus company certs. I also suspect it makes sense to ship Firefox with these certificates by default, BUT untrusted, instead of not at all. (The same may go for Let's Encrypt certs too!?)

At some point, Firefox started treating "known" MITM certificates a bit differently, but I don't know what that looks like currently, whether there is a slightly different error page or something else.

Let's Encrypt is a server-based technology that generates certificates for sites hosted on that server. This is a bit different from third party DV certificates which issue the certificate after the site owner takes some action to prove control of the site (such as placing a specific file at a specific URL and/or responding to a message sent to the admin email address). However, in both cases, the certificate should only be issued to someone operating the "real" server, so in that respect, a local proxy is quite a different beast.

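The question and this reply both turn on the same observable fact: when an AV proxy sits between Firefox and the site, the certificate Firefox receives is not signed by a public CA but by the vendor's own locally installed root, and that is visible in the issuer field. The script below is an added example (mine, not code from the post, from Kaspersky or from Mozilla) that makes that check concrete: it takes the leaf certificate from the about:certificate link in the question (LEAF_PARAM, copied from that link and assumed to be intact as pasted; SAMPLE_URL is a constructed URL carrying only that leaf), reads the issuer and subject names with a minimal DER walker, and reports whether the issuer is a known local interception CA. KNOWN_INTERCEPTION_CAS is seeded with just the CN visible in that link. Standard library only.

```python
"""Added example (not code from the forum post, Kaspersky or Mozilla): read the
issuer and subject out of the certificate in an about:certificate link and flag
a leaf signed by a known local interception CA. The DER walker below handles
just enough ASN.1 to reach the two Name fields."""
import base64
from urllib.parse import unquote

# X.520 attribute-type OIDs worth reading out of a Name.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Issuer CNs of locally installed interception CAs; the only entry is the one
# visible in the thread's about:certificate link. A deployment would extend it.
KNOWN_INTERCEPTION_CAS = {"Kaspersky Web Anti-Virus Certification Authority"}

# The first (leaf) certificate from the about:certificate link in the question,
# copied as it appears there: still percent-encoded, as Firefox puts it in the URL.
LEAF_PARAM = (
    "MIID5DCCAsygAwIBAgIJQgAAALBfgNUAMA0GCSqGSIb3DQEBCwUAMFYxGTAXBgNVBAoMEEFPIEthc3BlcnNreSBMYWIxOTA3BgNVBAMMMEthc3BlcnNreSBXZWIgQW50aS1WaXJ1"
    "cyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0yMDA0MTAyMTI0MTZaFw0yMTA0MDkyMTI0MTZaMIGNMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE"
    "BxMNTW91bnRhaW4gVmlldzEcMBoGA1UEChMTTW96aWxsYSBDb3Jwb3JhdGlvbjEXMBUGA1UECxMOQ2xvdWQgU2VydmljZXMxGjAYBgNVBAMMESouY2RuLm1vemlsbGEubmV0MIIB"
    "IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAru1xFmyme1vMGlRasfqcgNSm7u8aLSGaC9HXOb4Jg9nh%2BpZtWC1RTth9S3E5wkLDxJ%2BM0wdBaWMdqh35vTn3TGTDf6J"
    "%2Fv%2Bb1JM4Pj4PGcB%2FtfTHoRXoQWsQNO8nndRJu07zv3d62d0fwqTU3NUrZId3CzuugAxEOjXRAweqPEIqSYHdA8MHSUY4DkrzYKtSRkjhUQPoN5CMMcX94Z1AjpOvhBrdH"
    "Otvv0IxjZDke5HOjt0bkOwRSltkH8%2BXAJ5eTMwUwfB6kakpXLwZaCQcaSlF18dQ6uQVkSCDcBWLIMsVgFITvUTfw33AHbe%2Fq1YVNYQsQu0tKaI9G0ZPcKR8%2FFQIDAQABo3"
    "0wezATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwVwYDVR0RBFAwTocEQQjzXIIiZG93bmxvYWQtaW5zdGFsbGVyLmNkbi5tb3ppbGxhLm5ldIIRKi5jZG4ubW96aW"
    "xsYS5uZXSCD2Nkbi5tb3ppbGxhLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEAaV9baN1EhIwcgjebTrDAx38E3yI7XSXh%2F2PsVdnjHL%2Fw2yaTIWXN1GibyYrISBQwHjUJMDn3ZV"
    "mCj8e0GaJj%2BWMQ5PhL0wFUzRtfW8DOEHrzKVf3ZtI00Ym8PSHtimUt7jLRndHjaz%2FXFGCVYausnMEVetNfeKw%2BQYnmqYtLl5fJAyw5GulGrQVhqCX8BveKVmdl9zkIVwNDdy"
    "wmfOVUYJORyareHXwbiKhn3QovUxe3%2ButUNHTemtKTVh8mcksd0x1xo6P2boHp4dnFN82vFil97SMcWpc3QYWffAijsBwLopx3tyVHUDRcHNzcPNopxqc8qaUTyVuYPZEh%2BRND"
    "PA%3D%3D"
)
# Constructed sample input: an about:certificate URL carrying only that leaf.
SAMPLE_URL = "about:certificate?cert=" + LEAF_PARAM


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value (SEQUENCE or SET) into its (tag, value) children."""
    out, pos = [], 0
    while pos + 2 <= len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form, e.g. 2.5.4.3."""
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:               # high bit clear: last byte of this arc
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value DirectoryString }."""
    name = {}
    for _, rdn_set in children(value):
        for _, attr in children(rdn_set):
            (_, oid_raw), (_, text) = children(attr)[:2]
            oid = decode_oid(oid_raw)
            name[OID_NAMES.get(oid, oid)] = text.decode("utf-8", "replace")
    return name


def cert_names(der):
    """Return (issuer, subject) name dicts from a DER-encoded X.509 certificate."""
    _, cert_body, _ = read_tlv(der, 0)             # Certificate ::= SEQUENCE
    fields = children(children(cert_body)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return parse_name(fields[2][1]), parse_name(fields[4][1])


def certs_from_about_url(url):
    """Decode every cert=<percent-encoded base64> parameter, leaf first."""
    ders = []
    for param in url.split("?", 1)[1].split("&"):
        key, _, value = param.partition("=")
        if key == "cert":
            ders.append(base64.b64decode(unquote(value)))
    return ders


def audit_about_url(url):
    """One record per certificate: subject CN, issuer, and whether a known local
    interception CA (an AV proxy's root) signed it rather than a public CA."""
    records = []
    for der in certs_from_about_url(url):
        issuer, subject = cert_names(der)
        hit = issuer.get("CN") in KNOWN_INTERCEPTION_CAS
        records.append({"subject": subject.get("CN"), "issuer": issuer.get("CN"),
                        "issuer_org": issuer.get("O"),
                        "verdict": "local TLS interception CA" if hit
                                   else "not a known interception CA"})
    return records


if __name__ == "__main__":
    for r in audit_about_url(SAMPLE_URL):
        print(f"{r['subject']} <- {r['issuer']} ({r['issuer_org']}): {r['verdict']}")
```

Run against the thread's own certificate this reports `*.cdn.mozilla.net` issued by `Kaspersky Web Anti-Virus Certification Authority` (`AO Kaspersky Lab`), which is exactly the "fake site certificate" the reply describes: the name in the subject is the real site, but the signer is the proxy on the local machine, not a CA that verified control of the server.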


Thanks.

Oops: I meant CAcert but typed Let's Encrypt! (And if I'm not mistaken, the root certs that Let's Encrypt relies on come installed on all major browsers. CAcert's root certs don't come with even open source browsers, despite its open source-aligned philosophy, because it hasn't passed a rigorous audit.) Three quite different beasts indeed. And OpenDNS/Cisco Umbrella's "Cisco Umbrella Root CA" is in another category. (It's used to serve a warning message when one tries to visit, say, https://internetbadguys.com from a system using OpenDNS.)

I've added a screenshot of the main UI that is shown when Antivirus company certs are encountered. Intend to compare...

If an AV (Anti-Virus) vendor wanted to install their cert into Firefox without specifically notifying the user, while installing the other AV components, would anything make that difficult? I don't think so. Also, I don't know of anything that makes it difficult for locally installed computer AV software to record a user's every keystroke. I don't think there is.



Thanks.

Oops: I meant CAcert but typed Let's Encrypt! (And if I'm not mistaken, the root certs that Let's Encrypt relies on come installed on all major browsers. CAcert's root certs don't come with even open source browsers, despite its open source-aligned philosophy, because it hasn't passed a rigorous audit.) Three quite different beasts indeed. And OpenDNS/Cisco Umbrella's "Cisco Umbrella Root CA" is in another category. (It's used to serve a warning message when one tries to visit, say, https://internetbadguysDOTcom from a system using OpenDNS.)

I've added a screenshot of the main UI that is shown when Antivirus company certs are encountered. Intend to compare...

If an AV (Anti-Virus) vendor wanted to install their cert into Firefox without specifically notifying the user, while installing the other AV components, would anything make that difficult? I don't think so. Also, I don't know of anything that makes it difficult for locally installed computer AV software to record a user's every keystroke. I don't think there is. (Repost w/o URLs because it seems I'm hitting a NON-warning post moderator.)
