[sent to testing] Scan Ssl Re-enabled Itself At Boot

mr_stealth

The Scan SSL feature in Web Protection is silently re-enabling itself at bootup on both my laptop (Vista 32b) and desktop (7 64b). According to BD's interface it is still disabled (unchecked), but the feature is most certainly active. To turn it off I have to re-check then un-check the option, at every boot/restart.

I have (or had) this disabled because BD's method of scanning HTTPS traffic prevents both Extended Validation and certificate revocation checking from working in both Chrome and Firefox. I consider having those two layers of security working more important than BD's ability to scan encrypted traffic for the low chance of malware that would not be detected by other BD modules. I would be ok with lacking EV, but the fact that BD's web scanning proxy isn't checking for revocation is concerning.

This bug also has me wondering if other settings are stealth-resetting themselves back to their default state. I am aware of one Profiles option that rechecks itself when the options dialogues are opened. It renders the ability to configure the product totally useless if it's quietly restoring its settings without our knowledge. It's also somewhat disturbing that software I'm supposed to be relying on for security/protection was released with bugs that are so quickly obvious to users.

error-id10t

It's a bug among many bugs 2015 has, there are plenty of settings that "revert" away from what you set them. The latest one I just saw was IDS which I always max out but was now set back to permissive.

metallich

The Scan SSL feature in Web Protection is silently re-enabling itself at bootup

Same issue.

ballboy

Same old same old.... same problem here too.... very annoying...

Georgia

Hello all,

Thank you for your inquiry.

We will run some tests on our end and post back to the results soon.

Shaman69

Hello all,

Thank you for your inquiry.

We will run some tests on our end and post back to the results soon.

Same problem here with all browsers....Opera...Chrome...FF....IE...Safari.. That`s why I use 2014 version for a while.

Let BD fix 2015 version bugs first.

kondor#

Same problem here with all browsers....Opera...Chrome...FF....IE...Safari.. That`s why I use 2014 version for a while.

Let BD fix 2015 version bugs first.

I have the same problem but the only way I have to check that "Check SSL" is enabled is verifying the certificate provided during an SSL connection because the flag inside Bitdefender is switched off while the functionality is silently on.

Very annoying bug

Zox

Same issue here Scan SSL disable by itself .

Also Intrusion detection do not keep aggressive setting.

orestis_g

I can verify the same behaviour. Firefox won't allow me to connect anywhereif scan ssl is enabled. I have the scan ssl option disabled, however after reboot it is silently re-enabled, while still appearing as disabled. I have to toggle enabled/disabled and then it gets disabled.

Nesivos

The Scan SSL feature in Web Protection is silently re-enabling itself at bootup on both my laptop (Vista 32b) and desktop (7 64b). According to BD's interface it is still disabled (unchecked), but the feature is most certainly active. To turn it off I have to re-check then un-check the option, at every boot/restart.

I have (or had) this disabled because BD's method of scanning HTTPS traffic prevents both Extended Validation and certificate revocation checking from working in both Chrome and Firefox. I consider having those two layers of security working more important than BD's ability to scan encrypted traffic for the low chance of malware that would not be detected by other BD modules. I would be ok with lacking EV, but the fact that BD's web scanning proxy isn't checking for revocation is concerning.

This bug also has me wondering if other settings are stealth-resetting themselves back to their default state. I am aware of one Profiles option that rechecks itself when the options dialogues are opened. It renders the ability to configure the product totally useless if it's quietly restoring its settings without our knowledge. It's also somewhat disturbing that software I'm supposed to be relying on for security/protection was released with bugs that are so quickly obvious to users.

Not sure why anyone would want to disable SSL scanning

From the BDIS 2015 User Guide

More sophisicated attacks might use secure web taffice to mislead their victims.

From the Trend Micro Security Intelligence Blog

Targeted Attack Campaign Hides Behind SSL Communication

Using encrypted communication like Secure Sockets Layers (SSL) along with the clever use of recent news item as a social engineering lure is the perfect combination to penetrate and remain in a targeted entity’s infrastructure.

Of course if people want to make their computers insecure by turning off SSL scanning that should be their right.

orestis_g

Not sure why anyone would want to disable SSL scanning

From the BDIS 2015 User Guide

From the Trend Micro Security Intelligence Blog

Of course if people want to make their computers insecure by turning off SSL scanning that should be their right.

It is not an issue of wanting to disable SSL scanning (I for one do not), but it is an issue of usability. When SSL scanning is enabled, firefox fails to connect to (for example) gmail and other sites, failing to verify the certificate

bitter150

Not sure why anyone would want to disable SSL scanning

Of course if people want to make their computers insecure by turning off SSL scanning that should be their right.

There seem to be issues with 'Web protection/Scan SSL':

http://forum.bitdefender.com/index.php?showtopic=56731

If 'Scan SSL' is enabled, Poodle attacks are possible, pls refer to testservers:

https://www.howsmyssl.com/

https://www.poodletest.com/

https://zmap.io/sslv3/

Additionally there is a newer version of Poodle-attack which compromises TLS (!):

https://en.wikipedia.org/wiki/POODLE#POODLE...ack_against_TLS

So I don't know if 'Scan SSL' makes system more or less secure...

BD Corp???

daman1

Hello all,

Thank you for your inquiry.

We will run some tests on our end and post back to the results soon.

???????????????????

bitter150

Another ticket opened: 2015021110100002

BD seems to be not really facing this security issue...

Turning off 'Scan SSL' feature affects mail-/ web- transport and isn't an option because nowadays several kinds of attacks are done by ssl encrypted sites/traffic, pls refer to common security related lecture.

It is a fact:

BD MitM ssl proxy, activated by 'Scan SSL', connects to secure web servers by unsecure cipher suites, it breaks secure browser configuration! You can test it by yourself with:

https://www.howsmyssl.com/

https://www.poodletest.com/

https://zmap.io/sslv3/

These unsecure cipher suites must be removed from BD MitM ssl proxy!

German c't magazine did find it for Kaspersky too; they did fix it in bugfix versions, above test sites for example are working now with KAS...

Eric2234

There seem to be issues with 'Web protection/Scan SSL':

http://forum.bitdefender.com/index.php?showtopic=56731

If 'Scan SSL' is enabled, Poodle attacks are possible, pls refer to testservers:

https://www.howsmyssl.com/

https://www.poodletest.com/

https://zmap.io/sslv3/

Additionally there is a newer version of Poodle-attack which compromises TLS (!):

https://en.wikipedia.org/wiki/POODLE#POODLE...ack_against_TLS

So I don't know if 'Scan SSL' makes system more or less secure...

BD Corp???

Do not pay attention to what that www.poodletest.com website tells you. I just went there with a Firefox browser which blocks sslv3 and the website still said vulnerable.

Just read where they allow Firefox to connect...if they allow it yet Firefox is not subject to attack then wtf?

bitter150

Not only Firefox is affected but IE too.

It seems to be a security issue and it must be fixed by BD ASAP!

COMMonkey

Not only Firefox is affected but IE too.

It seems to be a security issue and it must be fixed by BD ASAP!

It's not like it needs to be fixed - the implementation needs to be changed altogether - not only it increases the surface for attacks but it's also a HUGE privacy risk.

Technically, they're using the same implementation as the Lenovo preinstalled adware (even though I don't know if they're using the same cert on all installations, but it's very likely). For more details, see here:

http://www.pcworld.com/article/2886357/len...on-new-pcs.html

I've also posted here on what I think are their implementation practices:

http://forum.bitdefender.com/index.php?showtopic=55975

This needs to be rethinked entirely, ASAP. It's making a security program becoming a huge security liability.

BTW, the Lenovo certificate was just cracked, leaving who knows how many machines vulnerable to information/credetial stealing attacks.

bitter150

Support ticket has been sent to BD on 11.02.2015 - no answer so far...

eD1s0n

Would really appreciate if Bitdefender can fix the disabling of "Scan SSL" properly. Having to toggle it on and off again everytime after a computer reboot is getting really annoying

bitter150

Support ticket has been sent to BD on 11.02.2015 - no answer so far...

I did get an (late) answer from BD support, announcing:

"BDIS v18.22 will fix this issue."

BUT:

I am really sorry, but version 18.22 did NOT solve existing security leak with Scan-SSL feature in Webprotection!

Weak cipher algos are still included, pls refer to attached screenshot and:

https://www.ssllabs.com/ssltest/viewMyClient.html

TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

You can check unsecure results with Scan-SSL activated also at:

https://www.poodletest.com/

https://zmap.io/sslv3/

There are threads going on in BD forum too:

http://forum.bitdefender.com/index.php?showtopic=56731

and some more...

Activating Scan-SSL feature breaks secure browser encryption by replacing it with unsecure cipher algos by BD web protection!

mhuser

Same issue with me, I don't seem to be able to turn off SSL scanning at all. I agree with comments above, this seems to a fundamentally badly designed solution, that causes more issues than it solves.

sierratango

This bug is still present and creates a major hassle for using certain https sites such as Google Play Music.

This issue has existed for nearly a year now and nothing has been done about it, so can you at minimum offer us an explanation as to why it is still not fixed?

My Bitdefender license is about to expire soon and your lack of customer support and commitment to solving software bugs has me contemplating on another competing internet security solution.

Georgia

If you are using Windows 7, Windows 8, Windows 8.1 or Windows 10 please upgrade to Bitdefender 2015 v.19 as explained in this article and let us know if the issue is resolved:

http://www.bitdefender.com/install

If there are still users reading this topic with Windows XP or Windows Vista please let us know as the above upgrade does not apply to you.

Thank you.

sierratango

If you are using Windows 7, Windows 8, Windows 8.1 or Windows 10 please upgrade to Bitdefender 2015 v.19 as explained in this article and let us know if the issue is resolved:

http://www.bitdefender.com/install

If there are still users reading this topic with Windows XP or Windows Vista please let us know as the above upgrade does not apply to you.

Thank you.

Thanks Georgia, the problem is now fixed on Bitdefender 2015.

chris.good

Upgrading from BitDefender AntiVirus Plus 2015 18.12.0.958 to AntiVirus Plus 2016 20.0.24.1290 has fixed

error ERR_SSL_VERSION_OR_CIPHER_MISMATCH when using Google Contacts or Reminders in Windows 7 Chrome 47.

In addition, it is no longer necessary to turn off Bitdefender 'Scan SSL' option.

GranoblasticMan

I STILL get NET::ERR_CERT_AUTHORITY_INVALID, showing a cert issued by "Untrusted Bitdefender CA" even with "Scan SSL" disabled. THIS IS UNACCEPTABLE!