Is Safepay Really Secure?

flunssa
flunssa ✭✭
edited April 2014 in Safepay

Hi


Actually I'm testing BTS because I want a new protection (Pure has too many issues).


Here http://www.wilderssecurity.com/threads/bit...afe-pay.361281/ I read this: "SafePay browser is based on an old version of Chrome/Chromium, 25.0.1364.172, and as a consequence is full of vulnerabilities and does not support TLS 1.2 (I looked at SafePay from Bitdefender TS 17.27.0.1146)."


You can understand that I'm not very reassured about the efficiency of Safepay.


Regards.

Comments

  • You are right to be worried.


    The browser is indeed an old version of Chromium Project, and is not to be relied on at present.


    Check it here https://www.howsmyssl.com/ and here https://browsercheck.qualys.com/


    I use a sandboxed browser in Incognito Mode via a free VPN client at the moment.


    Bitdefender need to address this urgently.
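
Whether a browser offers TLS 1.2, the point raised in the posts above, is visible in the ClientHello it sends when a connection starts. The following is an added example, not part of any post in this thread and not code from Bitdefender or the check sites named above; the function names are hypothetical, the sample records are constructed, and it assumes the whole ClientHello fits in one TLS record.

```python
import struct

EXT_SUPPORTED_VERSIONS = 43  # RFC 8446: overrides client_version when present


def build_client_hello(legacy_version, supported_versions=None):
    """Constructed sample: a minimal ClientHello record for the parser to read."""
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        body = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)   # version + random
             + b"\x00"                                       # empty session id
             + struct.pack("!HH", 2, 0x002F)                 # one cipher suite
             + b"\x01\x00")                                  # null compression
    hello += struct.pack("!H", len(exts)) + exts if exts else b""
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def max_offered_version(record):
    """Return the highest protocol version a ClientHello record offers."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                   # 5-byte record hdr + 4-byte handshake hdr
    best = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # client_version, random
    pos += 1 + record[pos]                    # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher suites
    pos += 1 + record[pos]                    # compression methods
    if pos + 2 > len(record):
        return best                           # no extensions block
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == EXT_SUPPORTED_VERSIONS:
            offered = struct.unpack_from("!%dH" % (record[pos] // 2), record, pos + 1)
            # Ignore GREASE placeholders (0x?A?A) that modern clients mix in.
            best = max((v for v in offered if v & 0x0F0F != 0x0A0A), default=best)
        pos += ext_len
    return best


def meets_tls12(record):
    return max_offered_version(record) >= 0x0303   # 0x0303 is TLS 1.2
```

A client whose highest offer is 0x0302 (TLS 1.1) fails `meets_tls12`, which is the condition a server or a check page would flag.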

  • I'd like to know what Bitdefender's policy is on updating the browser in Safepay. When I used Avast Safezone, it was the same issue, my bank always said that the browser is out of date, now the same with Safepay. It is clearly not acceptable to have a security product which secures the banking session from the rest of the PC whilst leaving holes on the internet-facing side by not immediately updating the browser when the developers make the updates available. It is a shocking attitude of complacency, the people responsible need their backsides kicking and stirring them into action.

  • camarie
    camarie Principal Software Developer BD Staff
    You have a point here. But the discussion is not so simple.


    Of course one can upgrade to the newest version every time - not so easy, since we are not using Google Chrome, but Chromium/WebKit/Chromium Embedded, which is a different thing - but we have to ensure that these changes are not introducing new bugs, incompatibilities etc. The Chromium we are using in Safepay is also *heavily* modified for our functionality purposes (security mainly, bug fixing, URL and certificates scanning and many more). These fixes are often done against the Chromium codebase itself, and we need to use a version known to be stable.


    We are aware there are websites accepting just the last 2 versions of a browser (which is, if one thinks of Mozilla and their "major" versions, almost ridiculous), which is, IMHO, a little bit exaggerated.


    There is no formal policy regarding version, but we are using what is known to be stable.


    For example, we will release in the 2015 version a Safepay based on multiprocess Chromium, not the single process currently released (which caused us so many issues regarding Flash instability, for example).


    I think stability is more important than being on par with the Chromium version, IMHO.


    Anyways, bottom line is: tomorrow I will bring this to my product manager, and I will try to get a formal plan to try to be on par with current versions of Chrome.


    Regards,


    Cristian

  • Cavehomme
    edited April 2014
    Thank you for your points Cristian. I do understand where you are coming from. With great respect, I fear that if a user who uses Safepay has his bank account hacked and their bank says, "hey, you were using an outdated version of the browser, so it is your own liability", then there will be a problem for the user. If you are adding security features to Safepay but the underlying browser is not updated therefore some holes could be present, then it is a risk. We already have many risks to use the internet even with the best procedures and great protection tools like Bitdefender, but it creates greater risks if the browser is not updated quickly. I agree that stability is very important, but I hope that you guys find a way to incorporate updates more quickly please, thank you.


    Perhaps one method would be to ensure a VPN connection on the free tool, but then it would not be free....?!


    By the way, I already have an AV Plus license and additionally recently purchased a Sphere license for future use, however, on my main laptop I prefer to use the free AV and free Safepay tool because they have less resource impact and fewer problems than the paid products, in my experience. Do you know if there is a mechanism for my Pro license (or Sphere) to be associated with the free Safepay that I have so that I can enable the VPN option in Safepay without having to pay extra for the VPN, since VPN is automatically included in the Safepay within the AV Pro installation? Can customer support sort this out if I send them the details via a ticket, or is this not feasible to do? Thank you for any guidance.

  • camarie
    camarie Principal Software Developer BD Staff
    edited April 2014
    I just sent an email to the management, telling them that being "up to date" regarding Chromium version, although an ugly affair, is necessary for both stability *and* customer trust for the Safepay feature. Most likely I will talk to them in the next days, and be sure I'll push for being near the latest version (we won't be able to keep it up in "realtime" with their version, but at least in close proximity...)


    About Sphere and Safepay, I'm not sure if the licensing of these is linked. As far as I know, they are separate products using separate keys, but I am not 100% sure.


    The best bet would be to ask support directly (I will ask some colleagues to take a look as well and perhaps they can come up with an accurate reply).


    Cristian

  • camarie
    camarie Principal Software Developer BD Staff
    Update: Safepay and Sphere are separate products with separate keys.


    It is not possible to activate a Safepay feature using anything other than a Safepay license.


    Cristian

  • That seems strange because when I installed AV Plus it also installs Safepay. When I use this version of Safepay there is no option to upgrade to a premium / hotspot version, therefore I assume that this functionality is already provided within the product and covered by the existing AVP license which automatically installed Safepay, no extra license / upgrade was necessary beyond the AVP license.


    Therefore I assume that AVP licenses and Sphere licenses can each cover Safepay hotspot licenses....but I guess I was wrong and that even Safepay in AVP and Sphere both need an extra license for the hotspot, correct?


    If correct, it also means that the connection for banking in Safepay which is installed via AVP is therefore not secured with a VPN?

  • camarie
    camarie Principal Software Developer BD Staff
    For Safepay standalone, VPN is available only for premium version.


    For the suite product, the VPN availability is determined by product license. I think it is available in all 3 (AV, IS, TS).


    I am not working on Sphere and I really don't know if Sphere licenses are compatible with these products, but I don't think so.


    You should be fine with AVP license, but I am not a license specialist (so to say) and there might be details that escape me.


    I suggest you post on the licensing thread, or contact support directly so they can escalate to the appropriate team.


    Regards,


    Cristian