Antivirus Plus 2017


I downloaded the trial edition of Bitdefender Antivirus Plus (2017) and have noticed that it installed a root certificate called Bitdefender on my Windows PC. I also noticed that when I go to various websites which use HTTPS, the certificates show as being verified by Bitdefender. For example, visit www.amazon.co.uk and click the green padlock in Firefox: it shows verified by Bitdefender. However, if I go into the Bitdefender settings, there's an option called "SSL scan" under web protection. I disabled it. Then I went back to www.amazon.co.uk and the SSL/TLS certificate now shows as being verified by the correct CA, which is Symantec.




Please could you explain the benefits of Bitdefender scanning certificates? And also, is it still encrypted end to end when the "SSL scan" option is enabled?


I have read a few technical articles about companies installing their certificate in order to set up proxies, route traffic through their servers and as a result implement a MITM attack where they can actually eavesdrop on conversations. I am rather concerned by this given the recent outing of the antivirus company Lavasoft.




Thanks

Comments


  • Hello,




    That is a lot of tinfoil theory; however, the simplest reason the product installs the certificate is to ensure the websites are what they pretend to be and prevent any attacks.


    If you are worried you can always disable that feature.





  • On 23/02/2017 at 9:25 AM, Sorin G. said:



    Hello,




    That is a lot of tinfoil theory; however, the simplest reason the product installs the certificate is to ensure the websites are what they pretend to be and prevent any attacks.


    If you are worried you can always disable that feature.





    You sure about it being "tinfoil theory"?


    https://www.howtogeek.com/210265/download.com-and-others-bundle-superfish-style-https-breaking-adware/


    Also, you did not emphatically answer my question:


    Is it still encrypted end to end when the "SSL scan" option is enabled?


    Thanks


  • KarateKid (edited February 2017)


    I also ran an experiment.


    I disabled SSL scanning in Bitdefender AV 2017, then went to https://protonmail.com


    It provided me with SHA-1 certificate fingerprint 0C:13:D9:0D:85:8A:B7:8D:14:5E:9C:59:5B:FE:2D:2E:3D:67:86:51. The CA is QuoVadis.


    I then went to Steve Gibson's fingerprint website https://www.grc.com/fingerprints.htm and ran the protonmail URL through it and received a match on the above.


    I closed my browser and enabled SSL scanning in Bitdefender. Went back to https://protonmail.com. The certificate now says verified by "Bitdefender" (apparently BD is the CA now!). The SHA-1 is now mismatched as it displays 92:A9:18:73:C9:3A:62:89:9C:C9:43:10:42:6D:90:F4:15:87:26:AF


    Different to the original and correct 0C:13:D9:0D:85:8A:B7:8D:14:5E:9C:59:5B:FE:2D:2E:3D:67:86:51


    The serial numbers of the certificates also don't match, which is to be expected as BD are replacing the actual certificate with their own. Does this mean you could be listening in on my conversations in the supposed "encrypted" connection?


    I am concerned by this behaviour and can see it has been discussed in another recent topic. I read the Bitdefender website and looked through the BD AV Plus manual but it doesn't explain how SSL scanning works or what it does, other than stating it should be kept enabled.


    If I am going to put my trust in your products you're going to have to elaborate. Thanks
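    The experiment above can be automated. This is an added example, not code from Bitdefender or from anyone in this thread: Python's standard ssl module fetches the leaf certificate a client actually receives, and its SHA-1 fingerprint and issuer are compared against reference values recorded with SSL scanning off. The hostname protonmail.com, the placeholder reference values and the sample issuer are assumptions.

```python
import hashlib
import socket
import ssl

def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER bytes, formatted AA:BB:CC... as browsers show it."""
    hexdigest = hashlib.sha1(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def issuer_common_name(cert_info: dict) -> str:
    """Pull commonName from the nested issuer tuples ssl's getpeercert() returns."""
    for rdn in cert_info.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return ""

def check_interception(der_cert: bytes, cert_info: dict,
                       expected_fp: str, expected_issuer_cn: str) -> dict:
    """Compare the received certificate with reference values; a changed
    fingerprint or issuer means something between browser and site
    (AV 'SSL scan', corporate proxy) re-signed the certificate."""
    observed_fp = sha1_fingerprint(der_cert)
    observed_issuer = issuer_common_name(cert_info)
    fp_ok = observed_fp == expected_fp.replace(" ", "").upper()
    issuer_ok = observed_issuer == expected_issuer_cn
    return {
        "fingerprint": observed_fp,
        "issuer": observed_issuer,
        "fingerprint_matches": fp_ok,
        "issuer_matches": issuer_ok,
        "intercepted": not (fp_ok and issuer_ok),
    }

def fetch_leaf(host: str, port: int = 443):
    """Live lookup (needs network): returns (DER bytes, parsed cert dict)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

if __name__ == "__main__":
    # Reference values are placeholders: record them once on a machine with
    # no interception, then rerun with "SSL scan" enabled and compare.
    der, info = fetch_leaf("protonmail.com")
    print(check_interception(der, info, "PINNED:SHA1:FINGERPRINT", "EXPECTED ISSUER CN"))
```

    getpeercert() only returns the parsed dict when the certificate validates against the local trust store, which it will on a machine where the scanning product's root was installed; the fingerprint comparison is what exposes the substitution.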




  • For BD to scan the SSL traffic, it needs to MITM the traffic (that's what I think it does, at least)


    Browser <---> Bitdefender <---> website


    So the browser is connecting to Bitdefender with SSL, that's why the browser says it's BD.


    But it's good, because Bitdefender is probably faster at detecting compromised SSL certificates




  • 3 hours ago, tuklug32 said:



    For BD to scan the SSL traffic, it needs to MITM the traffic (that's what I think it does, at least)


    Browser <---> Bitdefender <---> website


    So the browser is connecting to Bitdefender with SSL, that's why the browser says it's BD.


    But it's good, because Bitdefender is probably faster at detecting compromised SSL certificates




    Not quite the answer I was looking for, as I already know BD is intercepting the traffic as per my explanation earlier. The jury is out on whether it is "faster" and whether it is good at detecting compromised certificates. Your PC has a Bitdefender cert stored locally and then all HTTPS connections go through Bitdefender because it sets up an encrypted connection between BD and you. So when you log in to Google or access your bank account, your private confidential information is actually being sent to BD. My understanding is that BD then decrypts it and re-encrypts it before sending it on to the destination server (your bank, email etc.)


    What I have not heard from BD is a guarantee that they are not snooping on traffic. Are they actually decrypting and then encrypting it again before sending the data on? Given my post is now 7 days old and I have not heard anything constructive, I'm starting to suspect this SSL/HTTPS scanning (a.k.a. HTTPS interception) is very much the "elephant in the room".



  • Would you believe them if they tell you no? Would that be good enough for you?


    I highly doubt there is a room of techs sitting there checking in on ALL of BD subscribers' traffic.



  • 23 hours ago, daman1 said:



    Would you believe them if they tell you no? Would that be good enough for you?


    I highly doubt there is a room of techs sitting there checking in on ALL of BD subscribers' traffic.



    You're absolutely right! Which is corroborated by the fact that BD staff hardly post on here and the numerous posts without replies. Which begs the question: why have a forum at all?


    Chocolate teapot anyone?!


    :-)



  • 39 minutes ago, KarateKid said:



    You're absolutely right! Which is corroborated by the fact that BD staff hardly post on here and the numerous posts without replies. Which begs the question: why have a forum at all?


    Chocolate teapot anyone?!


    :-)



    And I agree, the support here is VERY lacking compared to others.



  • On 2/28/2017 at 1:43 PM, KarateKid said:



    Not quite the answer I was looking for, as I already know BD is intercepting the traffic as per my explanation earlier. The jury is out on whether it is "faster" and whether it is good at detecting compromised certificates. Your PC has a Bitdefender cert stored locally and then all HTTPS connections go through Bitdefender because it sets up an encrypted connection between BD and you. So when you log in to Google or access your bank account, your private confidential information is actually being sent to BD. My understanding is that BD then decrypts it and re-encrypts it before sending it on to the destination server (your bank, email etc.)


    What I have not heard from BD is a guarantee that they are not snooping on traffic. Are they actually decrypting and then encrypting it again before sending the data on? Given my post is now 7 days old and I have not heard anything constructive, I'm starting to suspect this SSL/HTTPS scanning (a.k.a. HTTPS interception) is very much the "elephant in the room".




    There's no incentive for them to do that; if that information got leaked by a staff member, they would lose all their customers. By installing antivirus you are trusting them 100%: they could keylog, listen to your mics, your webcam, right? But they don't do that because they don't have to; they earn a lot of money on their product and the antivirus market is hard (many solutions?). There is literally zero incentive for them to do that (unless a government secretly ordered them to do that). But it's nothing to worry about unless you are highly criminal.