Forums Help & support Password sent over SSL Reply To: Password sent over SSL

#5077 Reply

Świętomierz

“It’s such an obvious attack vector for malware: “Hi, this is Kapersky – I noticed you have not trusted our updated root certificate. Please click here to update.” If I send you an email with this content, and you’re using Kapersky chances are you’ll be tricked.”

This is my concern. If their root certificate is somehow compromised then potentially my encryption password will be leaked to malicious actors.

I doubt I’d be tricked if I received such an email but I think some people would (although Kaspersky also scans emails for suspicious content). I believe that Kaspersky is designed so as to not allow fake certificates to be installed into the Certificate Manager. It also checks certificates in real-time against their continually updated cloud database to ensure that no revoked/suspicious certificates are being trusted by the system Your example would also require you to get a certificate from a trusted CA using their name.

My main concern though is if hackers were to target their root certificate. I’m not sure what AxCrypt could do by way of a second layer in order to protect your users.