Or, if your Latin is a bit rusty, “who is guarding the guards themselves”? This was actually my first thought when I’ve read an article published by Heise Online. Apparently, popular security software from Kaspersky Lab, including at least their Internet Security and Antivirus, is still susceptible to the now-well-known POODLE exploit, which allows hackers to perform a man-in-the-middle attack on an SSL 3.0 connection by downgrading the level of encryption and effectively breaking its cryptographic security.
When this vulnerability was published in September, many security researchers called for immediate demise of SSL 3.0, which is a very outdated and in many aspects weak protocol, however quite a lot of older software still doesn’t support TLS, its modern replacement. At the end, many web services, as well as all major browser vendors have implemented some sort of protection against the exploit, either by disabling SSL 3.0 completely or by preventing downgrade attacks using TLS_FALLBACK_SCSV. For a couple of months, we felt safe again.
Well, turns out that getting rid of POODLE isn’t as easy as we thought – it’s not enough to harden both ends of the communication channel, you have to think about the legitimate “men-in-the-middle” as well, which can still be unpatched and vulnerable. This is exactly what happened to Kaspersky’s security products: as soon as the option “Scan encrypted connections” is enabled, they will intercept an outgoing secure connection, decrypt and analyze its content, and then reestablish a new secure connection to the appropriate website. Unfortunately, this new connection is still using SSL 3.0, ready to be exploited.
Think of it: even if you have the latest browser that explicitly disables SSL 3.0, your antivirus software would secretly make your security worse without letting you know (your browser will be connecting to the local proxy using new TLS protocol, which looks perfectly safe). Just like I was writing regarding the Heartbleed bug in April: “there is a fundamental difference between being hacked because of ignoring security best practices and being hacked because our security tools are flawed”. The latter not only adds insult to injury, it can severely undermine user’s trust in security software, which at the end is bad for everyone, even the particular vendor’s competitors.
The problem seems to be originally discovered by a user who posted his findings on Kaspersky’s support forum. I must admit I find the support engineer’s reply very misleading: the SSL vulnerability is by no means irrelevant, and one can imagine multiple scenarios where it could lead to sensitive data leaks.
Well, at least, according to Heise, the company is working on a patch already, which will be released sometime in January. Until then you should think twice before enabling this option: who is going to protect your antivirus after all?