[solved in 18.23.0.1604] Ssl Security Issue With Bd Certificate Injection

bitter150

In normal cases browsers indicate proper ssl encrytion with valid certificate with switching the url line to another color, additionally a closed lock is shown. If clicking the lock, details of ssl certification and its status are shown.

But:

If 'Scan SSL' is activated in BD-IS 'Privacy control settings', ssl stream seems to be injected by Bitdefender, clicking the closed lock does not show the validation data of generic webpage certification.

So there seems to be NO direct validation of target server possible, in my opinion BD acts as a local 'Man-in-middle'. This opens serveral cogitable scenarios for spoofing/attacking the secure connection.

This feature of BD should be analysed in a wide spreaded discussion, it is security related for all ssl connections. Customers must trust to BD not abusing this feature, NSA/CIA and smilar are watching us...

(It seems to be a security issue for whole BD, not only for Privacy, so post is done in this General form. Thanks.)

bitter150

Really not discussion about this security related issue?

Nesivos

In normal cases browsers indicate proper ssl encrytion with valid certificate with switching the url line to another color, additionally a closed lock is shown. If clicking the lock, details of ssl certification and its status are shown.

But:

If 'Scan SSL' is activated in BD-IS 'Privacy control settings', ssl stream seems to be injected by Bitdefender, clicking the closed lock does not show the validation data of generic webpage certification.

So there seems to be NO direct validation of target server possible, in my opinion BD acts as a local 'Man-in-middle'. This opens serveral cogitable scenarios for spoofing/attacking the secure connection.

This feature of BD should be analysed in a wide spreaded discussion, it is security related for all ssl connections. Customers must trust to BD not abusing this feature, NSA/CIA and smilar are watching us...

(It seems to be a security issue for whole BD, not only for Privacy, so post is done in this General form. Thanks.)

No problem with BD W8 Security

bitter150

Is 'Scan SSL' activated in BD Win8 Security 'Privacy control settings'?

Thx...

agoldhammer

Is 'Scan SSL' activated in BD Win8 Security 'Privacy control settings'?

Thx...

I've also posted on this and the Bitdefender staff don't seem the least bit interested in addressing it. If the browser shows a valid certificate, Bitdefender should not be overruling that. As I noted on another thread, I had to turn off SSL on my wife's computer so she would not be in a panic every time she had to try opening a work-related website. The only response that we've seen so far is that this was fixed in the latest update but I can tell you for a fact that's not true.

Kopernikus

Same problem here!

Please resolve this problem or I'll switch to another AV package.

Btw: indeed last update doen not solve the problem

Nico

Georgia

Hello,

Thank you for contacting us in regards to your concern.

Be advised that the SSL scanning feature allows Bitdefender to scan within secure websites (https) and e-mails. Https technology itself makes it very difficult for attacks to happen, but on the rare occasion they do, SSL Scanning should prevent their success.

Remember that when you enable SSL scanning in Bitdefender, a set of fake certificates are installed in order to decrypt and encrypt ssl traffic (this is referred to as man in the middle or MITM).

Also refer to http://forum.bitdefender.com/index.php?sho...st&p=196771

Thank you, Happy Holidays!

bitter150

Dear Georgia, in my opinion it is a security issue because the injected BD certificate seems to be issued by Bitdefender itself:

"Bitdefender Personal CA.Net-Defender"

BD launches a certificate which hasn't been verified from an official CA, isn't it? So there seems to be NO direct validation of target server possible, in my opinion BD acts as a local 'Man-in-middle'. This opens serveral cogitable scenarios for spoofing/attacking the secure connection.

Why is BD certificate NOT verified by an official CA???

LanceAlbanese

I Agree!

Dear Georgia, in my opinion it is a security issue because the injected BD certificate seems to be issued by Bitdefender itself:

"Bitdefender Personal CA.Net-Defender"

BD launches a certificate which hasn't been verified from an official CA, isn't it? So there seems to be NO direct validation of target server possible, in my opinion BD acts as a local 'Man-in-middle'. This opens serveral cogitable scenarios for spoofing/attacking the secure connection.

Why is BD certificate NOT verified by an official CA???

error-id10t

Something I haven't seen mentioned and am wondering if others see is that some sites - with this enabled - actually change the encryption level vs. when this is disabled. For example:

Enabled:

TLS 1.0, AES with 128 bit encryption (High); RSA with 2048 bit exchange

Disabled:

TLS 1.0, AES with 256 bit encryption (High); RSA with 2048 bit exchange

I don't understand why having this enabled would reduce it from 256 to 128bit? Obviously it's not client - server comms, as with it disabled it's clocking in @ 256bit.

error-id10t

Nobody? No one else sees this behaviour on any site?

csalgau

I noticed this while addressing spam, so I'm going to give it a (late) shot.

Please note that this should not be treated as an official statement. It is strictly a short technical analysis.

Due to the nature of TLS(current versions of SSL) and CAs, it would not be possible for the used certificate to be issued by a global CA.

All TLS traffic is decrypted locally, scanned and re-encrypted for the browser. This means that the Bitdefender CA needs to be able to issue certificates valid for any domain. This essentially results in an intermediary CA on a client computer, which is not allowed.

Security-wise, streams are still terminated on your computer as before, so your traffic is not less secure while in transit, as far as TLS is concerned. This comes with the inconvenience that you are unable to see the original encryption details in your browser, and Extended Validation certificates (green bar in browser) are no longer seen as such.

Your noticed drop in encryption strength strictly reflects what your browser exchanges with the Bitdefender MITM module. At this point it is no longer about transit security and all about maintaining protocol state for the browser, and while key strength could be maintained, it is useful for performance reasons not to do so.

Compromising the privacy of your data at this stage would require a local agent filtering your traffic. Said local agent would be better off attaching to your browser to bypass TLS altogether, but either way, this is what antivirus/IDS/AVC prevent.

Keeping in mind that TLS does not protect servers from exploits and certainly does not keep malicious owners from hosting bad things on they sites, I believe that most users are better suited by keeping it enabled. This is a trade-off between local and transit security and you can make your own choice.

I hope this at least lessens some of your concerns.

bduser22

I am also having this issue. Just spent $10.00 to have my site SSL cert re-issued because of an error in the chrome browser. After researching this I found the issue is Bitdefender and the Scan SSL feature.

What is happening with Scan SSL enabled, as a previous poster noted, is that the security settings are lowered. In my case what should be sha256 is shown as sha1.

This is a HUGE issue because sha1 is now deprecated and is being phased out. This from Google:

"That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface."

In my particular instance my cert on my business website expires in 2018, and since the cert inserted by scan ssl via the Bitdefender Personal CA.Net-Defender shows SHA1 as the hash algorithm, google chrome throws an error and tells the user: "This site is using outdated security settings that may prevent future versions of Chrome from being able to safely access it."

Turn off scan ssl and the error goes away because Chrome reads the correct ssl signature algorithm which is sha256 (the now required SHA-2).

This is a MAJOR problem in my opinion and something that needs to be corrected by Bitdefender ASAP.

Anyone using bitdefender will be getting an error that my business website is not to be trusted because its using "outdated security settings" when that is absolutely not the case.

What is at issue here is that bitdefender's injected man in the misddle cert used for security scanning ssl sites is using "outdated security settings" and punishing websites via the google chrome warning as a result. Bitdefender's ssl cert is using SHA-1 which is now being penealized by google.

Georgia

Hello Blarg,

Welcome to the Bitdefender forum.

We are working on a solution for this. Further details will be provided to you via ticket 2014120616480001

Thank you for reporting this.

Kryptonit3

Have we found a solution to this yet? Kind of annoying, probably cause potential client loss if they are using bitdefender thinking our sites are not secure.

The weird thing is if you go to https://www.google.com it doesn't have this issue but when viewing the cert info that bitdefender interjects it says SHA1.

What gives?

I am using BitDefender Total Security 2015

Kryptonit3

12 days later. Any fix for this.

Kryptonit3

22 days later...

bitter150

+1 fix needed!

RoamingPro

I just wasted an entire day - like 12+ hours dealing with this issue. It started when I purchased an SSL Certificate for my website, installed it on a hosted server, and I proceeded to check security.

First off in Chrome it was getting issues with warnings: "Your site is using outdated security settings .... " and "signature hash algorithm sha 1" (obsolete). After contacting the hosting company and the SSL certificate provider, I find that my site "is using modern cryptography" and my "signature hash algorithm is sha 2" (current).

After finding out everyone sees my site differently than I do, I started trying to find out why my (up-to-date) browser is lying to me. I started by checking other SSL reports for places like gmail.com, twitter.com, etc - and every secure site reports the sample issues with obsolete settings and faulty signatures.

This is enough to make me uninstall Bitdefender right now and get an AV solution that actually saves me time instead of costing me productivity.

I hope this post helps someone else diagnose their problem (that's really not a problem) before they waste as much time as I have wasted with this.

gunadi

I just wasted an entire day - like 12+ hours dealing with this issue. It started when I purchased an SSL Certificate for my website, installed it on a hosted server, and I proceeded to check security.

First off in Chrome it was getting issues with warnings: "Your site is using outdated security settings .... " and "signature hash algorithm sha 1" (obsolete). After contacting the hosting company and the SSL certificate provider, I find that my site "is using modern cryptography" and my "signature hash algorithm is sha 2" (current).

After finding out everyone sees my site differently than I do, I started trying to find out why my (up-to-date) browser is lying to me. I started by checking other SSL reports for places like gmail.com, twitter.com, etc - and every secure site reports the sample issues with obsolete settings and faulty signatures.

This is enough to make me uninstall Bitdefender right now and get an AV solution that actually saves me time instead of costing me productivity.

I hope this post helps someone else diagnose their problem (that's really not a problem) before they waste as much time as I have wasted with this.

I have the exactly same situation with you, this message really got me annoying because I need to check my webhosting, server configuration, cert issuer and they thought that I'm 'crazy' because I told them the certificate is invalid, the root cause is when I installed new cert with sha256 and bitdefender keep tell me that my website using sha1. and then, of course, I think that I receive a fake cert (but it's not) and started to make a long debate with the cert issuer, but actually the root of problem caused by BD? it's just not acceptable. " />

to BD team, please be consider to some website that they might change their old certificate. If this problem still persist, I agree with mt2flco to uninstall bitdefender.

Georgia

Hello,

We are working on a solution for that.

@gun , @mt2flco: please tell us the URL of your websites

In the meantime, as a workaround please turn OFF the 'Scan SSL' button from Bitdefender under Settings > Privacy Control > Antiphishing tab.

Note: in Bitdefender 2015 you will find Scan SSL under Protection panel > Web Protection module.

Thank you for your understanding.

JimatBitdefender

I just got Bitdefender Total Security 2015 yesterday and installed it on my computer today. I'm running Windows XP Pro and Outlook 2002. After installation I tried to get my email. Every single email account didn't work. Outlook couldn't find the email servers. I had no problem at all with Trend Micro which I replaced with Bitdefender. After much searching on the internet I came across this forum.

On the advice of some of the posts I disabled SSL checking. That seemed to work, I can now get emails again, a function I needed to be able to set up an account here to make this post. Since this seems to be the only way I can get my emails, What am I losing by disabling the SSL checking?

I got the 3 PCs license so I need to do 2 more installs. I suspect that I'd have to disable the SSL checking on those computers as well.

Am I losing anything vital in internet security in emails and browsers by having the SSL checking disabled?

Thanks.

Jim

Lionet

I just got Bitdefender Total Security 2015 yesterday and installed it on my computer today. I'm running Windows XP Pro and Outlook 2002. After installation I tried to get my email. Every single email account didn't work. Outlook couldn't find the email servers. I had no problem at all with Trend Micro which I replaced with Bitdefender. After much searching on the internet I came across this forum.

On the advice of some of the posts I disabled SSL checking. That seemed to work, I can now get emails again, a function I needed to be able to set up an account here to make this post. Since this seems to be the only way I can get my emails, What am I losing by disabling the SSL checking?

I got the 3 PCs license so I need to do 2 more installs. I suspect that I'd have to disable the SSL checking on those computers as well.

Am I losing anything vital in internet security in emails and browsers by having the SSL checking disabled?

Thanks.

Jim

Hi Jim,

Welcome on the forum,

As far as I know, the SSL activation allows to check crypted SSL pages in the browser. It looks for malware codes there. (in https )

It is not vital nor compulsory, at least for a brief period. I had several bugs in the last few months with the latest BD update and needed to deactivate the SSL function to get access to my mail for several days... too bad.

Maybe you could "up" the message in a few days if it does not work better.

By the way, do you use the SP3 version of Windows XP Pro? It is necessary to have at least the latest version of this very good system and not the SP1.

(Ooops... I did not notice you already have the answer in the beginning of the thread )

Regards,

L.

gunadi

Hello,

We are working on a solution for that.

@gun , @mt2flco: please tell us the URL of your websites

In the meantime, as a workaround please turn OFF the 'Scan SSL' button from Bitdefender under Settings > Privacy Control > Antiphishing tab.

Note: in Bitdefender 2015 you will find Scan SSL under Protection panel > Web Protection module.

Thank you for your understanding.

url: gwijaya.com

you can compare it when bitdefender ssl scan is activated and not.

I think bitdefender still keep my old certificate, because it's true that my old cert is generated with sha1 algorithm

d1git4lx

i got the same issue it says the website of my provider https://www.ziggo.nl uses outdated certificates..

mhuser

My view is that this causes more issues than the values it adds. It breaks key features of browsers that users depend on (Secure padlock, green URL bar), to follow best practices for secure behaviour. This especially applies to users, not so technically literate. The biggest issue for me is this is all done without clearly informing the user, and it's on by default.

Possibly the wrong place to report it here as the this is page for the 2014 version, but I don't seem to be able to turn off SSL scanning. I have BitDefender Internet Security 2015. I have turned off all the features for "Web Protection" including "Scan SSL" but Bitdefender is still appearing as the root certificate at a number of websites. I did restart my PC to make sure these change take affect, but that doesn't seem to make any difference.

I would appreciate some advice to fix this, otherwise I may have no choice but to uninstall this product and demand some compensation.

gunadi

yes this is maybe the 'wrong place', but still not even fixed after years.

It's like this forum is built for us to discuss with each other as bd users and solve the problem ourself.

from my perspective as website owner, I feel useless to buy ssl certificate if bitdefender inject it with obsolete cert and my web got warned from browser. you know that bd user is not only few users & maybe some of them still have no idea why this is happen. and for addition, scan ssl also make the browser to load website a bit slower.

I would like also if I get some compensation because bd make my website become untrusted by the browser and affect many user

but let's forget it, the problem not even fixed until now. I just waiting my bd license become expired and then uninstall it.

abyzl

Please provide a solid working solution to disable this feature. I still see BD terminating SSL locally even with all scan features disabled. Unacceptable.

ultramoo

Using BitDefender 2015 - I too was the unfortunate one to spend the last 3 hours figuring out why my website's security dropped via Chrome only to realize it was BitDefender's wonderful MIM attack using outdated SSL configuration. Funny thing is, even BitDefender's dashboard is reported as an issue by chrome.

I've disabled this feature for now. It appears this has been a known issue for the past 8 months with no resolve?

My faith in BitDefender is dropping - why aren't these posted in reviews?

Either have it disabled by default, or fix it please.

Georgia

Hello,

The situation reported in this topic was recently solved by product update in Bitdefender 2015 classic line - build version: 18.23.0.1604

Update Bitdefender, then restart the computer to apply the fix.

Please accept our sincere apologies for the delay in fixing this bug.

krilbe

The situation reported in this topic was recently solved by product update in Bitdefender 2015 classic line - build version: 18.23.0.1604

Update Bitdefender, then restart the computer to apply the fix.

I have Total Security Multi Device 2015 and have disabled the Scan SSL feature, but my browsers still report BitDefender as issuer for all certs and fail to display the green bar for EV certs.

How can i successfully disable BitDefender's "man in the middle" module?

I tried updating BitDefender manually (and it also updates automatically every two hours as far as I can tell), but it didn't help. I also tried to enable "Scan SSL", reboot, disable "Scan SSL", reboot, but the problem persists.

arrowrock

Compromising the privacy of your data at this stage would require a local agent filtering your traffic. Said local agent would be better off attaching to your browser to bypass TLS altogether, but either way, this is what antivirus/IDS/AVC prevent.

Why can't Bitdefender do the same - filter traffic by attaching to the browser - thus eliminating the need for the confusing and potentially dangerous MITM approach?

csalgau

Would have been appreciated if you started another topic regarding this.

Some reasons I would assume

- it's not fine with browser developers. you either need to hook processes or make extensions that break sandboxes

- it would be limited to browsers, not filtering the large majority of malware

- it wouldn't make any difference for users

- it would largely require that each browser be targeted individually and re-assessed at every release