"FREAK" Vulnerability Flagged By Freakattack.com If "Scan SSL" Turned On
AntiVirus Plus "Scan SSL" uses specially-generated BitDefender root security certificates so that BitDefender can do what amounts to a MITM (man-in-the-middle) attack to monitor the PC's SSL-encrypted traffic for malware.
Unfortunately, this may expose a PC to the FREAK attack vulnerability widely reported since its disclosure on 3 March 2015 (see https://grahamcluley.com/2015/03/freak-atta...u-need-to-know). If you navigate to the FREAK test site at https://freakattack.com/ or https://freakattack.com/clienttest.html, you will probably receive a warning that your browser is flagged as vulnerable if you have "Scan SSL" turned on and are therefore using BitDefender substitute security certificates.
I have not found any announcements from BitDefender on this issue yet, but until BitDefender can reassure its customers that "Scan SSL" does not expose users to FREAK attacks, I shall be keeping it turned off.
Comments
-
Yes, I also noticed the same yesterday, so "Scan SSL" is off for the time being.
-
For more details about the weak and insecure encryption with Bitdefender's root certificates, look at https://www.ssllabs.com/ssltest/viewMyClient.html
(this includes Bitdefender's Safepay browser)
-
A fix for this issue will be available in the next planned release, on Tuesday, March 10.
https://technet.microsoft.com/en-us/library/security/3046015
-
Today's Microsoft patches do not affect Bitdefender's man-in-the-middle SSL scanning! The test results with SSL scanning on are the same as before the patches.
-
Confirmed.
More information from Bitdefender on this is vital, to know how this will affect the web protection feature.
-
Source: http://forum.bitdefender.com/index.php?sho...st&p=228991
If you use BitDefender Internet Security, under the default settings, BitDefender intercepts all your SSL calls. This means that OS/browser patches don't matter. Chrome is already patched against both Poodle and Freak, but since BitDefender is MITMing the connections, BitDefender reintroduces the vulnerabilities.
Given the age of Poodle, and that BitDefender is ostensibly a security product, this is kind of ridiculous.
That's right!
Also interesting: http://securityaffairs.co/wordpress/27165/...us-engines.html
-
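To check the situation described in the quoted post on your own endpoint, the following Python script (added here as an illustration; it is not code from this thread or from Bitdefender) connects to a host through whatever TLS path the machine actually uses, then reports whether the server certificate was issued by a local interception root and whether the negotiated cipher suite is export-grade or otherwise weak. The root-name hint "bitdefender", the weak-suite tokens and the sample issuers are assumptions, not values taken from the product; it also assumes the interception root is installed in the OS trust store that Python loads.

```python
"""Endpoint check: local TLS interception root + weak (export-grade) cipher suite.
Added example for this thread; the hints and samples below are assumptions."""
import socket
import ssl

# Assumed substrings identifying an interception product's root (extend as needed).
LOCAL_ROOT_HINTS = ("bitdefender",)
# Tokens in OpenSSL suite names marking export-grade, unauthenticated or legacy ciphers.
WEAK_SUITE_TOKENS = ("EXP", "EXPORT", "NULL", "RC4", "DES-CBC-SHA", "ADH", "AECDH")


def is_weak_suite(name: str, secret_bits: int) -> bool:
    """True when the suite is export-grade (FREAK-class), unauthenticated or < 128 bits."""
    upper = name.upper()
    return secret_bits < 128 or any(tok in upper for tok in WEAK_SUITE_TOKENS)


def flatten_issuer(issuer_rdns) -> dict:
    """getpeercert()['issuer'] is a tuple of RDN tuples; flatten it to {attribute: value}."""
    return {attr: value for rdn in issuer_rdns for attr, value in rdn}


def issued_by_local_root(issuer: dict) -> bool:
    """True when any issuer attribute names a known interception root."""
    text = " ".join(str(v) for v in issuer.values()).lower()
    return any(hint in text for hint in LOCAL_ROOT_HINTS)


def assess(issuer_rdns, cipher_name: str, secret_bits: int) -> dict:
    """Combine both findings; 'exposed' = a local proxy that also negotiates weak suites."""
    issuer = flatten_issuer(issuer_rdns)
    intercepted = issued_by_local_root(issuer)
    weak = is_weak_suite(cipher_name, secret_bits)
    return {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        "intercepted": intercepted,
        "weak_cipher": weak,
        "exposed": intercepted and weak,
    }


def probe(host: str, port: int = 443) -> dict:
    """Live check of what *this* machine's TLS path presents for `host`. The default
    context loads the OS trust store, so an interception root installed there is
    accepted and shows up as the issuer of the certificate the proxy forges."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            name, _protocol, bits = tls.cipher()
    return assess(cert["issuer"], name, bits)
```

Run `probe("example.com")` on the machine in question; a result with `intercepted` true tells you the browser's own TLS stack and patches are not what secures that connection, and `exposed` true means the proxy also accepts suites of the class FREAK abuses.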
Now
bdpredir_ssl.dll
bdpredir_ssl_pc.dll
are patched in the 2015 versions. This works for Firefox, Opera and Chrome, but not for Internet Explorer (40- and 56-bit insecure ciphers are still shown at https://www.ssllabs.com/ssltest/viewMyClient.html).
Please patch it again.
For the 2014 versions no update is available. Please patch those as well.
Thank you!
-
Has Bitdefender shown any concern about this problem so far? I'm not sure how to check this on my computer ...
The browser check has reported that Internet Explorer has already fixed the security gap.