Kaspersky: SSL interception differentiates certificates with a 32bit hash (chromium.org)
89 points by ivank 1 hour ago | hide | past | web | 17 comments | favorite





Besides the obvious badness of the overall system described, things like

> The cache is a binary tree, and as new leaf certificates and keys are generated, they're inserted using the first 32 bits of MD5(serialNumber||issuer) as the key.

You know. That's not a mistake. That's what a consciously designed-in vulnerability to enable taking over the system looks like.

I've met plenty of programmers who are stupid enough to do this kind of thing. Don't attribute to malice what could easily be attributed to stupidity.

Almost certainly. Kaspersky are a global cybersecurity provider.

There is no room for Hanlon's razor here. This was malice, not stupidity.

Nobody who has done software security work for the security product industry agrees with you. For a variety of reasons, these products are typically several degrees worse than the median technology product.

A briefcase full of cash could easily get a "bug" like this introduced into a security package.

I'm not saying this is the case, but given the current climate, it's hard to say it isn't.

You can say that about any kind of product that everyone deploys. All software has bugs, most bugs are exploitable.

So, no, it's easy to say that it isn't.

AV = Trashfire. If there were actual repercussions for writing code irresponsibly, even their billions in revenue wouldn't keep them from bankruptcy.

Time and time again we see these ridiculous vulnerabilities but nothing changes. AV insists on massively increasing system attack surface under the guise of security.

It's security theatre for your computer. It's truly astonishing how little these programs do and how much they do wrong.

To be fair, Kaspersky has always been less bad than the others.

I don't understand how these antivirus vendors are still in business. Even when they do have marginally better detection rates than the built in solution, the licensing, annoying popups, system slowdown, and security-defeating 'features' make them a losing proposition.

Pre-bundled and even purchased AV is so dramatically deleterious to PC performance that MS should kill it as public service. It gives the entire ecosystem a bad reputation and nowadays is completely unnecessary.

Trying to understand this: Is it that Kasperkey thinks its certs are more secure? Which I suppose would be the whole point behind this WPF driver?

I'm not familiar with WFP (or Windows in general really), so i can't comment on the use of that particular technology, but the fundamental idea here is to man-in-the-middle the user's TLS connections so that the product can inspect or manipulate the data within. Presumably in this case it's for anti-virus purposes, but the same technology is used by schools and businesses to filter pornography, piracy, gaming, phishing, and other 'undesirable' Web sites, to shape bandwidth, and to log Web activity.

The firewall/software generates a root certificate so that it can sign and serve 'fake' leaf (site) certificates on the fly. Because the root certificate is self-signed, however, most browsers/whatever won't automatically trust it, which is why the user/admin has to add the root certificate to each affected machine's browser or OS certificate trust store.

No, my understanding was in order to inspect network traffic for malware, it's essentially doing a man-in-the-middle using its own certificates.

It wants to look at the contents of every connection in order to hunt for malware.

I wonder why nobody assumes Kaspersky might be working at the direction of Putin.

Not sure if this is sarcasm, but its not adding much to the discussion IMHO.

Kaspersky's connections with the Russian government are discussed all the time in the industry.

