Some Bitdefender products break HTTPS certificate revocation

This allows man-in-the-middle attackers with access to revoked, but otherwise valid, certificates to manipulate encrypted traffic

Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.

Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.

While the certificate revocation oversight in Bitdefender products is not as serious as the HTTPS interception flaws found recently in other programs, like the Superfish adware preloaded on Lenovo laptops, its impact is not negligible, Eiram said.

If a website's certificate has been revoked by a certificate authority -- for example, because it was issued fraudulently or because its private key was compromised by hackers -- affected Bitdefender products will still accept it as valid. More importantly, as part of their HTTPS scanning feature, they will convert the revoked certificate into a certificate that local browsers will trust, despite the fact that under normal circumstances those browsers would reject the original certificate.

Eiram discovered the issue earlier this week while performing quick tests of the HTTPS scanning implementations in a few widely used security products, following an inquiry from the IDG News Service about possible Superfish-like flaws in other applications. IDG News Service helped report the issue to Bitdefender and the company developed a fix that will be included in a larger scheduled update next week.

The decision to report the flaw publicly ahead of a patch release was taken because the issue is very easy to find and because Bitdefender considers its impact to be low.

HTTPS scanning issues are something that a lot of people are focusing on, Eiram said. "Someone is bound to download and check certificate validation in various security products including Bitdefender. It's just a matter of downloading the product and then visiting a site with a revoked certificate to see the unsafe behavior."

One such test site has been set up by Gibson Research so that users can check whether their browsers and other software fail to verify the revocation status of SSL certificates. If the site loads without a browser warning, certificate revocation is not being properly verified.

"As the attack vector is quite small and difficult for an attacker to target, we did not consider it as a high priority update," said Alexandru Catalin Cosoi, Bitdefender's chief security strategist and global communications director, in an emailed statement. "We will scan the [HTTPS] traffic anyway for malicious payloads, which still renders our customers safe."

Disabling the HTTPS scanning feature in Bitdefender products is "definitely not an option," Cosoi said. Aside from this functionality being needed to detect potential malware served from HTTPS websites, it's also used for parental control, identity protection and several other features, he said.

Eiram believes that while not critical, the issue is more serious than Bitdefender estimates. However, he praised the company for its fast response. A one- to two-week turnaround from a vendor is usually very quick and a solid response time, said the researcher, who is a member of the CVE Editorial Board.

The Bitdefender products generate separate self-signed root certificates for every system they're installed on, so they don't have the same flaw as Superfish or the other programs that were found to be using the poorly designed Komodia HTTPS interception library.

The company's products also check that certificates presented by websites are not expired, are for the correct domain and are issued by a trusted certificate authority, unlike PrivDog, a program that was recently found to intercept HTTPS traffic in an insecure manner.
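The checks described in the two paragraphs above, together with the one the article says is missing, as an added example (this is not Bitdefender's or Eiram's code, and the product's actual implementation is not shown on this page): a minimal HTTPS-scanning decision written in Go against the standard library only. It builds a constructed PKI (a pretend public CA, a site certificate for www.example.com, and a separate self-signed scanner root; all names, serials and keys are made up for the demo), has the CA publish a CRL revoking the site certificate, and then runs the same interception routine with and without the revocation step. CRL checking is assumed purely for illustration; a real product would also consult OCSP and would repeat the check for every intermediate in the chain, not just the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Now() // constructed demo PKI: no name or key here belongs to a real CA, site or product

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a root CA template (ca=true) or a server certificate template for host cn.
func template(cn string, serial *big.Int, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl (whose key is key) under parent; pass the template itself as parent to self-sign.
func sign(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}

// issueCRL has the CA publish a CRL listing the revoked serials; the DER round-trip mirrors fetching it.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: c.SerialNumber, RevocationTime: tmpl.ThisUpdate})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// checkRevocation is the step the article says the affected products skip: trust only a CRL signed
// by the certificate's issuer and inside its validity window, and hard-fail when there is none.
func checkRevocation(cert, issuer *x509.Certificate, crl *x509.RevocationList) error {
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil {
		return fmt.Errorf("no CRL from the issuer of serial %s; refusing to vouch for it", cert.SerialNumber)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL is outside its validity window")
	}
	for _, rc := range crl.RevokedCertificateEntries {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// intercept is the scanner's decision: verify chain and hostname against the public roots, optionally check
// revocation, then mint a look-alike certificate under the scanner's own root. checkRevoked=false is the unpatched behaviour.
func intercept(upstream *x509.Certificate, roots *x509.CertPool, host string, crl *x509.RevocationList,
	proxyRoot *x509.Certificate, proxyKey *ecdsa.PrivateKey, checkRevoked bool) (*x509.Certificate, error) {
	chains, err := upstream.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return nil, fmt.Errorf("chain or hostname check failed: %w", err)
	}
	if checkRevoked { // chains[0][1] is the leaf's issuer; a real proxy repeats this for each intermediate
		if err := checkRevocation(upstream, chains[0][1], crl); err != nil {
			return nil, err
		}
	}
	return sign(template(host, upstream.SerialNumber, false), proxyRoot, newKey(), proxyKey), nil
}

// demo stages the article's scenario: a site certificate whose key leaked and which the CA then revoked.
func demo(revokeSite, checkRevoked bool) (*x509.Certificate, error) {
	caKey, proxyKey := newKey(), newKey()
	caTmpl, proxyTmpl := template("Example Public CA", big.NewInt(1), true), template("Local HTTPS Scanner Root", big.NewInt(2), true)
	ca, proxyRoot := sign(caTmpl, caTmpl, caKey, caKey), sign(proxyTmpl, proxyTmpl, proxyKey, proxyKey)
	site := sign(template("www.example.com", big.NewInt(1000), false), ca, newKey(), caKey)
	var revoked []*x509.Certificate
	if revokeSite {
		revoked = append(revoked, site)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return intercept(site, roots, "www.example.com", issueCRL(ca, caKey, revoked), proxyRoot, proxyKey, checkRevoked)
}
```

Calling demo(true, false) returns a certificate issued by the scanner root even though the CA has revoked the upstream certificate, which is the behaviour Eiram found: the browser sees a freshly minted, locally trusted certificate and never learns that the original was revoked. demo(true, true) returns an error instead, and demo(false, true) re-signs an unrevoked certificate normally. Two caveats carry over to real products: the check above hard-fails when no usable revocation data is available, which is stricter than the soft-fail most browsers apply but is the defensible choice for software that is about to mint the certificate the browser will trust; and a CRL is only as fresh as its NextUpdate, so cached lists must be refreshed rather than trusted indefinitely.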

In order to exploit the certificate revocation oversight in Bitdefender products, attackers would need a legitimately issued certificate for a website that has since been revoked, together with its corresponding private key. They would also need to be in a position to intercept connections between affected users and that website.

This can be done through DNS hijacking, compromising routers, ARP spoofing, impersonating Wi-Fi access points -- known as evil twin attacks -- and other techniques. Depending on where the attack is executed, it could affect a small number of users -- for example, those on a local area network -- or a large population, if done higher up in the Internet infrastructure by someone like the NSA or a country's government.

It would be considerably harder than targeting users of PrivDog, Superfish or Komodia-based products, but far from impossible.

First of all, attackers injecting data into HTTPS traffic, like the malicious payloads mentioned by Bitdefender, is not the only threat, Eiram said. Extracting sensitive information from it, including authentication tokens that would allow attackers to take over accounts, would also be possible.

The compromise of certificate private keys is not uncommon. In 2011, the Electronic Frontier Foundation found 73,345 cases where certificates were revoked because their private keys had been compromised. In addition, the Heartbleed flaw discovered in OpenSSL in 2014 allowed attackers to extract sensitive data from HTTPS servers, including SSL private keys.

Security blunders or compromises at certificate authorities can also result in fraudulent certificates being issued. In 2011, hackers issued nine fraudulent SSL certificates for domain names owned by Google, Yahoo, Skype, Mozilla and Microsoft after compromising a Comodo-affiliated certificate registration authority.

That same year a Dutch certificate authority called DigiNotar was hacked and the attacker walked away with over 500 fraudulent certificates for various domain names. One of those certificates was later used in a mass surveillance attack against Gmail users in Iran.

Other similar incidents have happened since then, and certificate revocation played an important role in protecting users every time. Without it attackers can abuse fraudulent certificates for years, until their expiration date.

Cosoi argued that security products have a legitimate need to inspect HTTPS traffic and that, unlike adware programs, they do this to provide protection, not to profit. The practice of using a locally installed self-signed root certificate is a workaround that security products should be allowed to use, he said.

Eiram agreed, saying that the inability to inspect HTTPS traffic would be a significant limitation for such a product.

"It would be too simple for attackers to get around the Web browsing protection features by just getting users to visit malicious sites using HTTPS," he said. "However, it's important that security products implement proper certificate checks to ensure presented certificates are valid."
