Forums Help & support Password sent over SSL

This topic contains 3 replies, has 2 voices, and was last updated by  Svante 1 year, 3 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #5072 Reply

    Świętomierz

    I use AxCrypt 2 but I also have Kaspersky Internet Security installed.

    As part of the protection the anti-virus component has a root certificate installed in the Windows Certificate Manager which enables it to scan encrypted connections. This means that if I visit a webpage with malware on it I will be blocked from viewing it or the threat neutralised where possible.

    Because my AxCrypt encryption password is communicated over SSL is there anything I can do to further protect myself?

    I know I can uninstall the root certificate but this would unacceptably compromise my security. Of course I trust Kaspersky by having their software installed on my system but it’d be nice to know that there was some alternative to transmitting my encryption password.

    Is my only option to run the software permanently in offline mode?

    Would I just have to change the desktop shortcut to include “–offline”?

    #5074 Reply

    Svante
    Keymaster

    Hello Świętomierz,

    This is so sad – that Kapersky and similar will actually inspect SSL traffic and encourage you to trust their root certificate. I personally do not think that this should be done in that way. Anti-malware should only offer to intercept in the case of a non-trusted certificate being used for SSL to start with. The way it’s now is totally backwards, and just opens up for any number of scenarios. The thing is – if you connect to us for example, with a *trusted* certificate, that’s just the point. You trust us! Kapersky should not distrust your trust of us by way of an SSL certificate.

    It’s such an obvious attack vector for malware: “Hi, this is Kapersky – I noticed you have not trusted our updated root certificate. Please click here to update.” If I send you an email with this content, and you’re using Kapersky chances are you’ll be tricked.

    Thank you for reminding us and pointing this out. We do not do so currently, but for the apps we should really add another layer of encryption there. We can’t do it for web access, but that’s a different story.

    And, yes, if you want to avoid AxCrypt using Internet at all, disable it by way of the –offline switch or the menu option “Always Offline”. This has some other not-so-good side effects though. You won’t be notified of software updates, and if you change the password, it won’t get synchronized with other devices.

    #5077 Reply

    Świętomierz

    “It’s such an obvious attack vector for malware: “Hi, this is Kapersky – I noticed you have not trusted our updated root certificate. Please click here to update.” If I send you an email with this content, and you’re using Kapersky chances are you’ll be tricked.”

    This is my concern. If their root certificate is somehow compromised then potentially my encryption password will be leaked to malicious actors.

    I doubt I’d be tricked if I received such an email but I think some people would (although Kaspersky also scans emails for suspicious content). I believe that Kaspersky is designed so as to not allow fake certificates to be installed into the Certificate Manager. It also checks certificates in real-time against their continually updated cloud database to ensure that no revoked/suspicious certificates are being trusted by the system Your example would also require you to get a certificate from a trusted CA using their name.

    My main concern though is if hackers were to target their root certificate. I’m not sure what AxCrypt could do by way of a second layer in order to protect your users.

    #5079 Reply

    Svante
    Keymaster

    Hello Świętomierz,

    The root certificate is not the main issue for an attacker here. Although I do not use Kapersky, from your description it’s fairly clear that what it does is install itself as a proxy locally in your computer.

    When you connect to for example our server using SSL that proxy can’t see and inspect the encrypted content unless it actually decrypts the traffic. Since it’s configured as the system proxy, what actually happens when you connect to https://www.axcrypt.net/ is that you are connecting to your proxy. This is where the installed root certificate comes in (this is likely a unique certificate generated locally just for you). The proxy now generates a certificate for “https://www.axcrypt.net/” and signs it with that root certificate. Since you have previously installed the root certificate as “trusted” in your computer, your browser will now trust the connection.

    What the Kapersky software does is essentially a “man in the middle” attack in your own computer.

    The connection over the Internet then proceeds as usual, except that it’s Kapersky who will be validating the certificate presented by “https://www.axcrypt.net/” and establish the encrypted connection over the Internet. If the Kapersky software is implemented as I am guessing above, this means that the Internet connection is just as hard to listen in to as before. It does require quite a lot from Kapersky to do the connection negotiation properly, I would rather trust Microsoft or Apple etc for this (if I have to trust someone, which I do for this).

    Mounting an attack against an SSL connection over the Internet is no small thing, even if the server (i.e. http://www.axcrypt.net) certificate is somehow compromised. The attacker needs access to the data stream, and that requires some actions that are really hard to achieve unless you’re a provider or in national security. The provider would normally not be interested, unless its being forced to comply by national security – which is what has happened in a few known cases in the US.

Viewing 4 posts - 1 through 4 (of 4 total)
Reply To: Password sent over SSL
Your information: