
Kaspersky: SSL interception differentiates certificates with a 32bit hash - ivank
https://bugs.chromium.org/p/project-zero/issues/detail?id=978
======
nxc18
I don't understand how these antivirus vendors are still in business. Even
when they do have marginally better detection rates than the built in
solution, the licensing, annoying popups, system slowdown, and security-
defeating 'features' make them a losing proposition.

Pre-bundled and even purchased AV is so dramatically deleterious to PC
performance that MS should kill it as public service. It gives the entire
ecosystem a bad reputation and nowadays is completely unnecessary.

~~~
halestock
They've done a wonderful job convincing the majority of people that anti-virus
is something that you absolutely need, full stop. Once you have that ingrained
in someone, they'll put up with all the annoyances.

~~~
jonknee
> They've done a wonderful job convincing the majority of people that anti-
> virus is something that you absolutely need, full stop.

I think Microsoft did that for them by being so terrible at security for so
long. Windows Defender came out 5 years after XP shipped and several years
after average XP systems were riddled with malware.

~~~
WorldMaker
Microsoft had a statute of limitations against shipping anti-virus with the
operating system because it was "anti-competitive" according to the EU/DOJ
anti-monopoly decisions. Anti-virus wasn't seen as a core security need for an
operating system at the time, because the third party AV vendors fought hard
for that and used the "Browser Wars" as justification to do that.

~~~
jonknee
Then they should have made a much more secure operating system. You only need
an AV if your OS has already failed.

~~~
tw04
So literally every OS of any notable use in the world has failed then? Because
I'm not aware of any widely deployed OS that hasn't had a successful
exploitation written for it.

~~~
sqeaky
Most OSes have some level of penetration, but it is so clearly not the same with
Windows. Even with the latest exploits, freely spreading viruses on Android are
rare, but hook a Windows machine up to the Internet without a router or
firewall and you get a virus in seconds.

Android easily outnumbers Windows, by some counts 5 to 1, yet it has a smaller
percentage and absolute level of malware installation.

The old truism of the computer security arms race is bullshit. Making computers
secure from general mass-spreading infections is not even all that hard
(securing them from governments is much harder). Simply ignore all incoming
connections and don't execute downloaded data (or give it to untrusted
executables). The only hard part about this is making sure that network card
drivers can be trusted; this isn't hard on most operating systems, but most
Windows users are totally at the mercy of some low-budget buggy vendor.

Windows is well positioned to fail at computer security and they have done a
great job at leveraging their position.

~~~
rrdharan
> Even with the latest exploits free spreading viruses on android are rare but
> hook a windows machine up to the Internet without a router or firewall and
> get a virus in seconds.

I don't buy this at all. Unless you are comparing Android with Windows XP?

First of all, you'd have to go out of your way to disable the firewall on a
modern Windows install.

Secondly, there have been tons of Android infections:
[http://arstechnica.com/security/2016/07/virulent-auto-rootin...](http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/)

I'm sure the percentage is lower than "all infected Windows machines" but I
very much doubt it's lower than "all Windows 10 installations" or even "all
Windows XP SP2 + Windows 7 + Windows 10 installations with updates enabled".

Nonetheless, it's definitely the case that an app sandboxing model provides
some defence in depth, at the cost of reduced flexibility w.r.t. e.g. a real
generic filesystem, ability to distribute/install without an app store, etc.

The Windows Security Development Lifecycle material is worth reading:
[https://en.wikipedia.org/wiki/Microsoft_Security_Development...](https://en.wikipedia.org/wiki/Microsoft_Security_Development_Lifecycle)
[https://www.microsoft.com/en-us/sdl/](https://www.microsoft.com/en-us/sdl/)

Ultimately, if you were to allow Android devices to by default, open and run
arbitrary native code that users download from the internet, you'd see the
same host of problems (probably much worse for the average Android device
given the fragmented OS patching nightmare).

~~~
sqeaky
> First of all, you'd have to go out of your way to disable the firewall on a
> modern Windows install.

There is a screen that pops up every time you plug in a network cable or
connect to a wifi network for the first time. It asks what kind of network you
are on: personal, work, public. Depending on what you answer here it does
stuff to the firewall.

Then there are the multitude of AV products that disable the firewall with
their own suboptimal garbage. These wouldn't have been made if they weren't
once necessary. Windows should have had a firewall when it got its own
networking stack, but it went a couple of decades without one, so people got
used to needing to add one.

Even if that article is correct, it is Android off of Windows by an order of
magnitude.

> Ultimately, if you were to allow Android devices to by default, open and run
> arbitrary native code that users download from the internet

But they aren't set up that way. That is part of why they are more secure.

------
dom0
Besides the obvious badness of the overall system described, things like

> The cache is a binary tree, and as new leaf certificates and keys are
> generated, they're inserted using the first 32 bits of
> MD5(serialNumber||issuer) as the key.

You know. That's not a mistake. That's what a consciously designed-in
vulnerability to enable taking over the system looks like.

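The keying dom0 quotes is easy to demonstrate. What follows is an added example, not code from the Project Zero report or from Kaspersky's product: it reproduces a cache keyed on the first 32 bits of MD5(serialNumber||issuer) and shows how cheaply two different certificates can be made to share a key. The issuer name, the serial numbers, the raw-byte concatenation of the two fields and the helper names are all assumptions made for the demo.

```python
"""Added example: why a certificate cache keyed on the first 32 bits of
MD5(serialNumber || issuer) is collidable. Not Kaspersky's code; the field
encoding and the demo issuer are assumptions."""
import hashlib
from typing import Optional, Tuple

# Constructed issuer name for the demo; the real cache holds whatever issuer
# bytes the interceptor sees, in an encoding the report does not spell out.
DEMO_ISSUER = b"CN=Constructed Demo Root CA"

SERIAL_LEN = 20  # X.509 serial numbers are at most 20 octets


def cache_key(serial_number: bytes, issuer: bytes, bits: int = 32) -> int:
    """Leading `bits` bits of MD5(serialNumber || issuer): the keying the
    report describes, 32 bits in the real cache. Raw-byte concatenation is
    an assumption; the report does not say how either field is serialised."""
    if not 1 <= bits <= 128:
        raise ValueError("bits must be between 1 and 128")
    digest = hashlib.md5(serial_number + issuer).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(issuer: bytes, bits: int = 32,
                   max_tries: int = 1 << 20) -> Optional[Tuple[bytes, bytes, int, int]]:
    """Birthday search: enumerate serial numbers under one issuer until two
    different serials land on the same truncated key. Expected work is about
    sqrt(pi/2 * 2**bits) hashes, roughly 82,000 MD5s at 32 bits, so two
    certificates from the same CA can be made to share a cache slot cheaply.
    Returns (serial_a, serial_b, shared_key, hashes_computed) or None."""
    seen = {}
    for i in range(max_tries):
        serial = i.to_bytes(SERIAL_LEN, "big")
        key = cache_key(serial, issuer, bits)
        if key in seen:
            return seen[key], serial, key, i + 1
        seen[key] = serial
    return None


def find_second_preimage(target_serial: bytes, issuer: bytes, bits: int = 32,
                         max_tries: int = 1 << 22) -> Optional[Tuple[bytes, int]]:
    """Targeted variant: find a different serial whose key equals that of one
    specific existing certificate. Expected work is 2**bits hashes, about
    4e9 MD5s at 32 bits (on the order of minutes in native code), too slow
    for this script, so the demo below runs it at a reduced width."""
    target = cache_key(target_serial, issuer, bits)
    for i in range(max_tries):
        serial = i.to_bytes(SERIAL_LEN, "big")
        if serial != target_serial and cache_key(serial, issuer, bits) == target:
            return serial, i + 1
    return None


if __name__ == "__main__":
    result = find_collision(DEMO_ISSUER)
    assert result is not None
    a, b, key, tries = result
    print(f"32-bit birthday collision after {tries} serials: key=0x{key:08x}")
    print(f"  serial A = {a.hex()}\n  serial B = {b.hex()}")

    victim = (0xC0FFEE).to_bytes(SERIAL_LEN, "big")
    hit = find_second_preimage(victim, DEMO_ISSUER, bits=16)
    assert hit is not None
    forged, tries = hit
    print(f"16-bit second preimage for serial {victim.hex()} "
          f"after {tries} tries: {forged.hex()}")
```

Two attack modes fall out of the truncation. A birthday collision needs only about 2^16 hashes and suits an attacker who controls both certificates; a second preimage against one particular victim certificate costs about 2^32 hashes, still a trivial offline budget. Either way, whichever entry the cache already holds for the colliding key is what gets handed back for the other certificate. Keying on the full digest of the complete (serialNumber, issuer) pair, or simply comparing the pair itself, removes the problem.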
~~~
tiglionabbit
I've met plenty of programmers who are stupid enough to do this kind of thing.
Don't attribute to malice what could easily be attributed to stupidity.

~~~
greglindahl
I'm not a fan of conspiracy theories, but this vuln was not patched in 90
days. Kaspersky frequently patches things faster than that, and this sure
sounds like it's a pretty trivial fix.

~~~
jonas21
Sounds like it was patched:

> This issue was fixed on the 28th, there was some delay unrestricting this
> bug due to the holidays.

And it's been less than 90 days since the issue was reported, so they wouldn't
have disclosed yet if it wasn't.

~~~
greglindahl
Ah, sorry, Nov 1 -> Dec 28 is 58 days.

------
staticassertion
AV = Trashfire. If there were actual repercussions for writing code
irresponsibly, even their billions in revenue wouldn't keep them from
bankruptcy.

Time and time again we see these ridiculous vulnerabilities but nothing
changes. AV insists on massively increasing system attack surface under the
guise of security.

~~~
astrodust
It's security theatre for your computer. It's truly astonishing how little
these programs do and how much they do _wrong_.

~~~
pgrote
So what should a non-technical Windows user use on a daily basis to protect
their PCs?

~~~
dEnigma
Whenever I set up a Windows PC for a family member or non-technical friend, I
just make sure Windows Defender is running, set everything that is installed
to auto-update and install an adblocker. Also, I check every once in a while
if the auto-updates are working correctly because in my experience they will
inevitably and inexplicably stop working at some point :)

~~~
therein
> I check every once in a while if the auto-updates are working correctly
> because in my experience they will inevitably and inexplicably stop working
> at some point

I think Windows 10 tries REALLY hard to make sure that doesn't happen.

------
mixedbit
This puts in perspective Eugene Kaspersky's recent rant about Microsoft
making AV vendors' life harder: [https://eugene.kaspersky.com/2016/11/10/thats-it-ive-had-eno...](https://eugene.kaspersky.com/2016/11/10/thats-it-ive-had-enough/)
Maybe Microsoft is actually improving the Windows users' experience.

Discussion on HN:
[https://news.ycombinator.com/item?id=12929230](https://news.ycombinator.com/item?id=12929230)

~~~
Analemma_
There's no "maybe" about it: there are a lot of security professionals,
including ones with no great love for Microsoft and their past anticompetitive
practices, who are longing for the day when MS announces that third-party AV
software is malware and takes action accordingly. I for one would be spitting
on their grave if and when it happens.

------
tptacek
An even dumber TLS bug in the same software:

[https://bugs.chromium.org/p/project-zero/issues/detail?id=98...](https://bugs.chromium.org/p/project-zero/issues/detail?id=989)

------
grandalf
I wonder why nobody assumes Kaspersky might be working at the direction of
Putin.

~~~
tptacek
Kaspersky's connections with the Russian government are discussed all the time
in the industry.

~~~
grandalf
There would seem to be significant benefits to maintaining a white hat
presence while gaining access to thousands of machines and maintaining a body
of knowledge about the latest threats/techniques.

Do you have any thoughts on the validity of the speculation?

~~~
gertef
No idea if Kaspersky is a black hat in white haberdashery, but the behavior you
describe is 100% Kremlin modus operandi. That's how they do propaganda too --
a bunch of real news with some fake news mixed in. It's a good idea for _any_
propaganda outfit.

------
itissid
Trying to understand this: Is it that Kaspersky thinks its certs are more
secure? Which I suppose would be the whole point behind this WPF driver?

~~~
idlewords
It wants to look at the contents of every connection in order to hunt for
malware.

~~~
gertef
Sort of like following one's own footprints.

------
winteriscoming
Just yesterday I had posted a similar thread where an AV was MITMing traffic
between the browser
[https://news.ycombinator.com/item?id=13307096](https://news.ycombinator.com/item?id=13307096).
I'm still curious why this practice is allowed and these CAs are still trusted
by browsers and such.

~~~
fencepost
Because the AV is doing it to check for malicious content being downloaded via
a secure connection - content that may be exploiting security holes that have
not been patched yet, or which have been patched but the user hasn't updated.
It's not at all uncommon for me to be asked to look at a PC and find it has an
old version of Firefox and the only user is running as a non-admin, or even
more commonly to find all those nice little buttons in the system tray
advising about updates to Adobe Reader, Java, and maybe a few drivers.

Many things that would take advantage of those would need to be written to
disk and the AV could presumably catch them then, but how about JavaScript
exploits? And how does the browser respond to writing things to disk
(presumably having exclusive write access) then losing access to them?

There's a juggling act going on there, and I suspect it's a lot easier for an
AV vendor to capture and review the network traffic as a single point of
contact rather than trying to work with multiple browser and other software
vendors to make sure that their software interoperates correctly with the AV.

------
currysausage
Is there a convenient way to check whether your Windows 10 and Firefox
certificate stores contain anything that Microsoft and Mozilla didn't intend
to be there?

~~~
Crosseye_Jack
RCC from
[https://www.trustprobe.com/fs1/apps.html](https://www.trustprobe.com/fs1/apps.html)
does iirc. It's been a while since I've used the tool and I'm not on my PC to
check.

~~~
currysausage
That's exactly what I had been looking for. Thank you so much!

------
alarak
Something similar is done by my organisation with the
firewall (Fortinet/FortiGuard). We are forced to install a certificate as a
trusted authority in the system store. So as the link says, if we check the
issuer it shows issued by FortiGate CA. This is very annoying and needs to
stop.

