Your browser, antivirus and other network intercepting software
-
We continue our series on privacy and security by taking a closer look at software that relies on intercepting network connections such as antivirus, parental control and debugging software. Should you be using those?
-
AV... golly, what's that? Maybe the article needs a disclaimer that it pertains to Windoze specifically?
-
Yo, @tarquin - intentional?
"Intercepting connections is just a bad approach and we do not recommend allowing software to intercept connections.
Intercepting connections is just a bad approach and we do not recommend allowing software to intercept connections."
-
@ayespy: it's really, really important!
Many thanks for the correction. It's been fixed.
-
@steffie: Heh, it certainly sounds like something that would traditionally have been Windows only. (I don't recall running an AV on any of my Linux or Unix machines either. But I did have one on one of my Macs.)
The reality of course is that AVs are available on all major OSes, even for Linux and Mac, since "There are no viruses on [OS]" is a great way to get caught out by one. And AVs are not the only source of this problem. Parental control software exists on most platforms too, sometimes even offered by ISPs in order to filter results. Some offer to do it on a remote machine, such as your router.
Some of the most infamous cases were third party software that was installed on a computer by default, with the purpose of "enhancing search results" (displaying ads on search results), rather than AV. Those particular ones were for Windows.
-
@steffie said in Your browser, antivirus and other network intercepting software:
AV... golly, what's that? Maybe the article needs a disclaimer that it pertains to Windoze specifically?
Uhhh...
There are AV products for Linux and Linux is not immune to attack, so forgive me if I say that you sound a little naive there...
In fact, the very AV I use (Immunet) has an offline module derived from a Linux AV (ClamAV).
On-topic - this is an interesting point that I hadn't considered before... but thankfully I've always fought against the ever more intrusive behaviour of AVs and would always turn off all those stupid extra proxy/firewall/child-protection options. In fact it was the very pushy (and suspicious) nature of the last few years of AVG that made me abandon it and look for a safer & lower-profile alternative in Immunet.
-
@mossman said in Your browser, antivirus and other network intercepting software:
ClamAV
Hahahahaha.
-
@steffie said in Your browser, antivirus and other network intercepting software:
@mossman said in Your browser, antivirus and other network intercepting software:
ClamAV
Hahahahaha.
Hey, it is a package which exists for Linux. Didn't say it was good!
(And they say it was quite good back in the day - just that Cisco haven't been maintaining it since taking over)
-
A good article.
I've used Malwarebytes for a while, and though it offers network protection, it doesn't look like that changes the certificates. (I suspect it's simply filtering against a hostname list).
Something I am happy to see is that many of the security features offered by Malwarebytes (hostname filtering, malware scanning, ransomware and exploit protection) are included in Windows by default (hosts have been working forever, but it took them long enough with the other features) so I'm probably not going to bother using it much longer when my subscription expires.
Some points on the article:
- "it cannot check EV certificates" - It can't check DV certs either, mind you.
- "an extension which uses the [...] API" - big disclaimer: just because it goes through an extension API that doesn't make it safe. It's still foreign code running on your computer, just restricted to the browser and away from root certs (for some people the browser is the whole computer).
- "debugging software" - I'm not sure why it's mentioned as regular users won't ever have to use this, and the only out-of-browser debugging tool I know of (wireshark) seems to leave certificates intact. If you know of a specific example of this, I'd like to know!
-
Malwarebytes is a good anti-malware, but in the past I have had some conflicts with Vivaldi. The only thing I usually use from time to time is AdwCleaner. As AV I use Panda Free; with this there is no problem.
-
@lonm said:
If you know of a specific example of this, I'd like to know!
Telerik Fiddler is the main one a lot of web developers use. Its main use is to give the browser something different than what was served by the website, eg. so debugging statements can be injected.
There are also some used by penetration testers to view and repeat HTTP requests with modifications (Burp Suite is the main one used there). These are used to send unexpected content to the server, rather than the client.
In both cases, they must use a custom root certificate. The trouble comes not when intentionally using them, but when accidentally leaving them installed (along with their root certificate), or running. A penetration tester or web developer may not realise the situation they leave themselves in, as a result of having done a test 3 years ago.
-
Oh, and I have used a few proxies in the past (examples you might have heard of are Proxomitron and Proximodo) to add debugging statements. Some of these also offered to block ads, and could intercept HTTPS connections to strip out the known advert code from the HTML. That has nothing to do with website debugging, but it was in there anyway.
-
It is always a question of how the interception is done.
True, the browser checks if the site has valid certs and often the browser reacts faster to cert revocations etc. Some if not all of the browsers have their own cloud-ish checks (if activated by the user) against malicious websites (which definitely don't and can't check everything) - but some AV vendors have done their homework and don't lower the security of the connection but act like a transparent proxy, thus allowing the browser to do its own checks on the original certificates and on the handshakes.
Aside from that:
We will definitely see more and more JS based low level attacks in the future, things like Spectre and Meltdown, which were a threat to each and every OS, be it Linux (including Android), Mac, Windows, by accessing the cache of the CPU directly and executing arbitrary code, which is really "Bad Stuff(TM)". But this is only the tip of the iceberg - coin miners which burn up our CPU time and raise the energy bill are not nice either, and there is a lot of other nasty stuff out there, especially in combination with WebGL and its typed arrays and loaded shaders, that can pass through the browser and access the hardware (yes, I know there is a layer of abstraction in between, but nothing that can't be circumvented), simply because it is made for that. Some AVs do give at least a bit of protection against that stuff - and IMHO this is important, simply because the browser often can't do it, because it does exactly what it is supposed to do: executing all of that stuff the web is made of.
-
"Chromium is updated frequently, and the response to security issues is very fast, so users normally have a patch installed before an antivirus product has a chance to issue an update to detect an attack. Often, when a product claims to have detected such an attack, it's an attack aimed at an outdated browser rather than Vivaldi, and the attack would not have succeeded anyway."
Yes, Chromium is updated frequently, but Vivaldi lags significantly on Chromium updates. For example, Chrome 65 was released on March 6th and has had several updates since. Vivaldi 1.14 is still on Chromium 64, meaning that it is nearly a month out-of-date and does not have the essential security fixes that were released as part of Chromium 65.
https://www.securityweek.com/chrome-65-patches-45-vulnerabilities
Chromium 65 patched 45 security vulnerabilities, which means that Vivaldi users don't have those patched. If someone out there is using these recently disclosed security issues to exploit outdated browsers, Vivaldi users will be vulnerable - Vivaldi is that outdated browser.
Even if Vivaldi 1.15 is released within the next few days and has the latest Chromium 65 build, Chromium 66 is scheduled to go stable on April 17th, which means that Vivaldi users will be right back where they are now.
-
There are certificate blacklists that can help prevent private root certificate use for network intercepting, but it requires the certificate to be flagged and then blacklisted, and then the machine to get an updated blacklist, or the end user/IT admin to mark the certificate as not trusted.
I do remember a few years ago the use of the root certificates causing performance issues in browsers (adding seconds to minutes for page load times) and sometimes breaking sites.
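The two defensive checks that come up in this thread, spotting a debugging-proxy root certificate left behind in a trust store (as described for Fiddler and Burp Suite above) and distrusting a root by fingerprint the way a certificate blacklist does, can be combined into one audit. The Go program below is an added example written for this page; it is not code from Vivaldi, from the blog post, or from any of the tools named. It builds a constructed PEM bundle in memory (one root imitating a leftover proxy root, one ordinary internal root), then reports CA certificates whose subject matches a list of interception-proxy root names or whose SHA-256 fingerprint is on a caller-supplied blocklist. The subject names in `knownInterceptionCNs` are an assumption about the tools' default root names; the bundle, the corporate root name and the blocklist are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// knownInterceptionCNs: subject names that debugging/pentest proxies install as
// trusted roots. ASSUMPTION: taken from the tools' defaults as remembered by the
// author of this example; verify against the actual root in your trust store.
var knownInterceptionCNs = []string{
	"DO_NOT_TRUST_FiddlerRoot",
	"PortSwigger CA",
}

// Finding is one trusted CA certificate that a defender should review.
type Finding struct {
	Subject     string
	Fingerprint string // SHA-256 over the DER encoding, lowercase hex
	Reason      string
}

// selfSignedCA creates a throwaway CA certificate (constructed test data only).
func selfSignedCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// BuildSampleBundle returns a constructed PEM bundle standing in for a trust
// store export: a leftover proxy root plus an ordinary internal root.
func BuildSampleBundle() ([]byte, error) {
	var bundle []byte
	for _, cn := range []string{"DO_NOT_TRUST_FiddlerRoot", "Example Corp Internal Root"} {
		der, err := selfSignedCA(cn)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

// Fingerprint returns the SHA-256 fingerprint of a DER-encoded certificate,
// the form in which a blacklist would usually identify a root.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// BundleFingerprints lists the fingerprint of every certificate in a bundle,
// which is handy for building a blocklist from a known-bad export.
func BundleFingerprints(bundle []byte) []string {
	var fps []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			fps = append(fps, Fingerprint(block.Bytes))
		}
	}
	return fps
}

// AuditRoots parses a PEM bundle and reports CA certificates that are either
// on the fingerprint blocklist or carry a known interception-proxy subject.
func AuditRoots(bundle []byte, blocklist map[string]bool) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if !cert.IsCA {
			continue // only a CA can sign the spoofed leaf certs interception relies on
		}
		fp := Fingerprint(block.Bytes)
		switch {
		case blocklist[fp]:
			findings = append(findings, Finding{cert.Subject.CommonName, fp, "fingerprint on blocklist"})
		case matchesInterceptionName(cert.Subject.CommonName):
			findings = append(findings, Finding{cert.Subject.CommonName, fp, "subject matches interception-proxy root"})
		}
	}
	return findings, nil
}

func matchesInterceptionName(cn string) bool {
	for _, known := range knownInterceptionCNs {
		if strings.EqualFold(cn, known) {
			return true
		}
	}
	return false
}

func main() {
	bundle, err := BuildSampleBundle()
	if err != nil {
		panic(err)
	}
	findings, err := AuditRoots(bundle, nil)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-30s %s  (%s)\n", f.Subject, f.Fingerprint[:16], f.Reason)
	}
}
```

In practice you would feed `AuditRoots` a bundle exported from the real trust store (for example the `certutil` or `security` export on Windows or macOS, or the files under the distribution's CA directory on Linux) and a blocklist of fingerprints your organisation has decided to distrust; any finding means a party holding that root's private key could have issued certificates your browser would accept for any site.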
-
@axk said in Your browser, antivirus and other network intercepting software:
What can you tell us about this: https://motherboard.vice.com/en_us/article/wj7x9w/google-chrome-scans-files-on-your-windows-computer-chrome-cleanup-tool
One more reason to use Vivaldi and not Chrome XD
-
@shrinra said in Your browser, antivirus and other network intercepting software:
Even if Vivaldi 1.15 is released within the next few days and has the latest Chromium 65 build, Chromium 66 is scheduled to go stable on April 17th, which means that Vivaldi users will be right back where they are now.
Not necessarily.
Security patches get backported from the higher Chromium versions to Vivaldi's Chromium version, so the pure Chromium version string is not really meaningful to find out if Vivaldi is vulnerable or not. The reason for that is that it is sometimes easier to backport those patches to the previous Chromium version than to apply all of the Vivaldi specific patches to the next Chromium version.
-
@quhno said in Your browser, antivirus and other network intercepting software:
@shrinra said in Your browser, antivirus and other network intercepting software:
Even if Vivaldi 1.15 is released within the next few days and has the latest Chromium 65 build, Chromium 66 is scheduled to go stable on April 17th, which means that Vivaldi users will be right back where they are now.
Not necessarily.
Security patches get backported from the higher Chromium versions to Vivaldi's Chromium version, so the pure Chromium version string is not really meaningful to find out if Vivaldi is vulnerable or not. The reason for that is that it is sometimes easier to backport those patches to the previous Chromium version than to apply all of the Vivaldi specific patches to the next Chromium version.
The only time that I can recall the Vivaldi team mentioning the backport of security patches was during the 1.13 timeframe. They skipped Chromium 63, so they backported the security patches from it to the latest build of 62.
However, I have not seen any mention of that in the release notes for any update to 1.14. In fact, the last update to 1.14 was February 28th, which was prior to the release of Chromium 65 on March 6th. Google says that they may keep security vulnerabilities and their associated fixes under wraps until a majority of their user base has been updated to that stable version, so I can't believe that the Vivaldi developers would have been able to backport fixes (or do a complete job of it) for things that may have not even been disclosed at that point. Of course, I do admit that I could be wrong on that.
At the very worst there is an issue with consistency, in that they only backport fixes some of the time, which is not acceptable (if they want to be taken as a serious browser). Or there is an issue with disclosure, which is also not very reassuring.
-
@shrinra No, you've not seen mentions of it. Security patches are backported as a routine matter, regardless. We testers have received notice of some backports from the devs just in the last few days.
-
@ayespy said in Your browser, antivirus and other network intercepting software:
@shrinra No, you've not seen mentions of it. Security patches are backported as a routine matter, regardless. We testers have received notice of some backports from the devs just in the last few days.
Okay, so why aren't these backports being routinely disclosed when they happen? That should be a pretty important part mentioned with any release. Someone clearly takes their time writing detailed, meticulous release notes that include bug tracker numbers for Vivaldi updates, and they can't just say: "Oh, by the way, we backported security fixes from Chromium X to make sure you are secure"?
Also, how do notices of backports in the last few days do anything to change the fact that the latest stable version does not have them (and hasn't received an update in a month)?