"freak" Vulnerability Flagged By Freakattack.com If "scan Ssl" Turned On.

jmward
edited March 2015 in Web protection

AntiVirus Plus "Scan SSL" uses specially-generated BitDefender root security certificates so that BitDefender can do what amounts to a MITM (man-in-the-middle) attack to monitor the PC's SSL-encrypted traffic for malware.


Unfortunately, this may expose a PC to the FREAK attack vulnerability widely reported since its disclosure on 3 March 2015 (see https://grahamcluley.com/2015/03/freak-atta...u-need-to-know). If you navigate to the FREAK test site at https://freakattack.com/ or https://freakattack.com/clienttest.html, you will probably receive a warning that your browser is flagged as vulnerable if you have "Scan SSL" turned on and are therefore using BitDefender substitute security certificates.


I have not found any announcements from BitDefender on this issue yet, but until BitDefender can reassure its customers that "Scan SSL" does not expose users to FREAK attacks, I shall be keeping it turned off.

Comments

  • Yes, I also noticed the same yesterday, so "Scan SSL" is off in the meantime.

  • 100
    edited March 2015


    For more details about the weak and insecure encryption with Bitdefender's root certificates, look at https://www.ssllabs.com/ssltest/viewMyClient.html


    (including Bitdefender's Safepay browser)

  • A correction for this issue will be available in the next planned release on Tuesday, March 10.


    https://technet.microsoft.com/en-us/library/security/3046015

  • 100
    edited March 2015

    The Microsoft patches released today do not affect Bitdefender's man-in-the-middle SSL scanning! The test results with SSL scanning on are the same as before the patches.

  • Confirmed.


    More information from Bitdefender on this is vital to know how this will affect the web protection feature.

  • If you use BitDefender Internet Security, under the default settings, BitDefender intercepts all your SSL calls. This means that OS/browser patches don't matter. Chrome is already patched against both Poodle and Freak, but since BitDefender is MITMing the connections, BitDefender reintroduces the vulnerabilities.


    Given the age of Poodle, and that BitDefender is ostensibly a security product, this is kind of ridiculous.

    Source: http://forum.bitdefender.com/index.php?sho...st&p=228991


    That's right!


    Also interesting: http://securityaffairs.co/wordpress/27165/...us-engines.html
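The point made in the comment above (the browser's own FREAK fix is irrelevant once an interception proxy speaks TLS on its behalf) and the SSL Labs client test mentioned earlier both come down to one observable: which cipher suites the party that actually sends the ClientHello offers. The script below is an added example, not code from this thread or from Bitdefender. It parses a raw TLS ClientHello record and flags the RSA_EXPORT suites that FREAK needs, plus the other 40-bit export suites. Both sample hellos are constructed inside the script: the "intercepted" one is a hypothetical proxy offer that still lists 40- and 56-bit export suites, not a capture of Bitdefender's real handshake.

```python
"""Offline check of a captured TLS ClientHello for FREAK-relevant export cipher suites.

Added example; not code from the thread or from Bitdefender. The hellos at the
bottom are constructed here for illustration, not captured from any real product.
"""
import struct

# RSA_EXPORT key-exchange suites: these are what FREAK abuses (IANA names).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
# Other export-grade (40-bit) suites: not FREAK's vector, but still "insecure encryption".
OTHER_EXPORT_SUITES = {
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
SSL_3_0 = 0x0300


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record containing a ClientHello; return its version and cipher suites."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # handshake type 1 = client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    (client_version,) = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                       # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "suites": suites}


def assess(record: bytes) -> dict:
    """Flag what freakattack.com's client test flags: RSA_EXPORT suites in the offer."""
    hello = parse_client_hello(record)
    rsa_export = [RSA_EXPORT_SUITES[s] for s in hello["suites"] if s in RSA_EXPORT_SUITES]
    other_export = [OTHER_EXPORT_SUITES[s] for s in hello["suites"] if s in OTHER_EXPORT_SUITES]
    return {
        "max_version": hello["client_version"],
        # client_version is the highest version offered; SSL 3.0 here means no TLS at all.
        "ssl3_only": hello["client_version"] <= SSL_3_0,
        "freak_exposed": bool(rsa_export),
        "rsa_export_suites": rsa_export,
        "other_export_suites": other_export,
    }


def build_client_hello(version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record (constructed input for this example; no extensions)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples. PATCHED resembles a current browser (TLS 1.2, AES suites only).
# INTERCEPTED is a hypothetical proxy offer that still lists 40- and 56-bit export suites;
# it is not a capture of Bitdefender's actual handshake.
PATCHED_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035])
INTERCEPTED_HELLO = build_client_hello(
    0x0301, [0x002F, 0x0035, 0x000A, 0x0005, 0x0003, 0x0006, 0x0008, 0x0014, 0x0062, 0x0064])

if __name__ == "__main__":
    for name, hello in (("patched browser", PATCHED_HELLO), ("intercepted", INTERCEPTED_HELLO)):
        r = assess(hello)
        print(f"{name}: max_version=0x{r['max_version']:04x} "
              f"FREAK-exposed={r['freak_exposed']} rsa_export={r['rsa_export_suites']}")
```

To check a real machine, capture the first record the PC sends to an HTTPS server (for example with Wireshark, exporting the TLS record bytes) once with "Scan SSL" on and once with it off, and feed each to `assess()`: with interception on, the record is whatever the scanning component sends toward the server, so a browser patch cannot change it.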

  • 100
    edited March 2015

    Now bdpredir_ssl.dll and bdpredir_ssl_pc.dll are patched in the 2015 versions. This works for Firefox, Opera and Chrome, but not for Internet Explorer (40- and 56-bit insecure encryptions are still shown at https://www.ssllabs.com/ssltest/viewMyClient.html).


    Please patch it again.


    For the 2014 versions no update is available. Please patch those as well.


    Thank you!

  • Has Bitdefender been concerned about this problem until now? I'm not sure about how to check this for my computer ...


    The browser check has reported that Internet Explorer has fixed the security gap already.