Reply To: Password sent over SSL

#5074

Svante
Keymaster

Hello Świętomierz,

This is so sad – that Kaspersky and similar will actually inspect SSL traffic and encourage you to trust their root certificate. I personally do not think that this should be done in that way. Anti-malware should only offer to intercept in the case of a non-trusted certificate being used for SSL to start with. The way it’s now is totally backwards, and just opens up for any number of scenarios. The thing is – if you connect to us for example, with a *trusted* certificate, that’s just the point. You trust us! Kaspersky should not distrust your trust of us by way of an SSL certificate.

It’s such an obvious attack vector for malware: “Hi, this is Kaspersky – I noticed you have not trusted our updated root certificate. Please click here to update.” If I send you an email with this content, and you’re using Kaspersky, chances are you’ll be tricked.

Thank you for reminding us and pointing this out. We do not do so currently, but for the apps we should really add another layer of encryption there. We can’t do it for web access, but that’s a different story.

And, yes, if you want to avoid AxCrypt using Internet at all, disable it by way of the –offline switch or the menu option “Always Offline”. This has some other not-so-good side effects though. You won’t be notified of software updates, and if you change the password, it won’t get synchronized with other devices.
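The reply above describes the core problem: once a local product installs its own root certificate and re-signs server certificates, the OS trust store no longer tells a client whether it is really talking to the service it logged in to. The usual mitigation on the client side is to stop trusting the system store for that connection and instead pin the expected certificate (or verify against a private CA bundle), so a re-signed leaf is detected rather than silently accepted. The following is an added example written for this discussion; it is not AxCrypt's code and does not describe how AxCrypt's apps behave. The host name, CA bundle path, issuer name and DER blobs are constructed placeholders.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for certificate DER bytes (not real DER). For the pin
# check only their SHA-256 fingerprints matter, so placeholders are enough.
GENUINE_LEAF_DER = b"constructed: genuine leaf certificate for account.example.com"
PROXY_LEAF_DER = b"constructed: leaf re-signed on the fly by a local TLS inspector"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, hex encoded.
    A real client would pin this value (or the SPKI hash) at build time."""
    return hashlib.sha256(der).hexdigest()


# Pins the client ships with: the fingerprint(s) of the genuine server cert.
PINNED_FINGERPRINTS = {cert_fingerprint(GENUINE_LEAF_DER)}

# Issuer common names that identify a local inspection root rather than a
# public CA. Constructed value; a client must never rely on names alone.
KNOWN_INTERCEPTOR_ISSUERS = {"Example Local Inspection Root (constructed)"}


def classify_presented_cert(leaf_der: bytes, issuer_cn: str) -> str:
    """Decide whether the leaf the server presented is the one we expect.

    Returns one of:
      "pinned-match"     the presented leaf matches a shipped pin
      "known-interceptor" pin mismatch and the issuer is a known local
                          inspection root (e.g. an anti-malware product)
      "pin-mismatch"      pin mismatch from an unrecognised issuer
    Anything other than "pinned-match" should abort the login, not warn.
    """
    if cert_fingerprint(leaf_der) in PINNED_FINGERPRINTS:
        return "pinned-match"
    if issuer_cn in KNOWN_INTERCEPTOR_ISSUERS:
        return "known-interceptor"
    return "pin-mismatch"


def pinned_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Context that trusts ONLY the CA bundle shipped with the app.

    Because the system store is not loaded, a root installed by a local
    product cannot validate a re-signed leaf even if the user trusted it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def probe(host: str, port: int, ca_bundle_path: str) -> str:
    """Connect, fetch the leaf the peer presents and classify it.
    Network call; not exercised by the offline checks below."""
    ctx = pinned_context(ca_bundle_path)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
            # issuer is a tuple of RDNs, each a tuple of (type, value) pairs
            issuer_cn = dict(rdn[0] for rdn in info.get("issuer", ())).get("commonName", "")
    return classify_presented_cert(leaf_der, issuer_cn)


if __name__ == "__main__":
    # Offline demonstration with the constructed blobs.
    print(classify_presented_cert(GENUINE_LEAF_DER, "Example Public CA (constructed)"))
    print(classify_presented_cert(PROXY_LEAF_DER, "Example Local Inspection Root (constructed)"))
    print(classify_presented_cert(PROXY_LEAF_DER, "Some Other Issuer (constructed)"))
```

The point of `pinned_context` is the one made in the reply: the decision "do I trust this server" is taken by the application from what it shipped with, not delegated to whatever root a local product persuaded the user to install. The `known-interceptor` label exists only so that the error shown to the user can name the likely cause; the security decision is the pin mismatch itself.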