[solved in 220.127.116.114] Ssl Security Issue With Bd Certificate Injection
In normal cases browsers indicate proper ssl encrytion with valid certificate with switching the url line to another color, additionally a closed lock is shown. If clicking the lock, details of ssl certification and its status are shown.
If 'Scan SSL' is activated in BD-IS 'Privacy control settings', ssl stream seems to be injected by Bitdefender, clicking the closed lock does not show the validation data of generic webpage certification.
So there seems to be NO direct validation of target server possible, in my opinion BD acts as a local 'Man-in-middle'. This opens serveral cogitable scenarios for spoofing/attacking the secure connection.
This feature of BD should be analysed in a wide spreaded discussion, it is security related for all ssl connections. Customers must trust to BD not abusing this feature, NSA/CIA and smilar are watching us...
(It seems to be a security issue for whole BD, not only for Privacy, so post is done in this General form. Thanks.)