You can see how easy this is to do in a C# function I wrote here. This does not require the user to accept it, nor does it even alert the user that this has happened. You can simply compile the open source Mozilla NSS package and, included in it is a utility called CertUtil that can transparently inject certificates, even root CAs, into FireFox's trusted cert store. What's cute about this is that it's not actually adding any security whatsoever. Instead, FireFox is distributed with a complete list of all CAs that Mozilla trusts. It refuses to trust your OS's cert store, precisely because its so easy to simply install a fake CA into it and start MITM'ing peoples connections. If that authority is not there, boom, you get this error.įireFox is the only mainstream web browser that is paranoid. The reason why it needs to install it into the OS certificate store is because this is where most software looks to validate that the Certificate Authority who has issued the certificate it has received is a valid, trusted Authority. Kaspersky also has to install this CA into your operating system's Trusted Certificate store. In order for this to be done correctly, Kaspersky has to generate its own root CA certificate, and generate spoofed certificates on the fly, feeding them to your browser. It does this in order to be able to scan payloads in HTTP transactions, be it in the request or the response. If you’re worried about such a case, you can always contact our security team for help.Kaspersky, like most AV products these days, is performing a local MITM against your secure HTTP traffic. The warning message you get from your browser should detail the cause. The other reason why you would get this message is if our SSL certificate is compromised (although this has never happened and is unlikely since it requires the Swiss government to actively participate in such an attack). You can read more about this warning message in this technical article. The solutionįor now there’s not much you can do to avoid these warnings aside from not loading any images at all. The following code is an example of such an email: Hello there,īecause ProtonMail is secure with HTTPS and the image is loaded using HTTP the browser warns you that not 100% of the page is secure. ProtonMail uses SSL/HTTPS to secure your data, but some emails can load images using plain HTTP. This can happen for a variety of reasons but the most common one is due to loading an email with insecure images. Sometimes your browser may show you a warning (the exact message depends on the browser you use) that says something along the lines of “Connection is Not Secure”. ProtonMail is secure and your data is safe.
0 kommentar(er)
