KIS 7.0.0.125

WinXP Pro SP2

Firefox 2.0.0.7

 

I have KIS set to check all encrypted connections. I'd prefer to keep it that way. But whenever Firefox checks for extension updates, I get a slew of errors like this in the KIS log:

 

10/17/2007 1:49:24 AM Server 63.245.209.31 returned invalid certificate. Certificate Name *.mozilla.org.

What's more, each extension that checks for its updates on mozilla.org shows an error, because the connection doesn't work. In other words, I can't check for extension updates as long as I have KIS set to scan encrypted connections.

 

If I disable web scanning for encrypted connections, these extension update checks work fine. So there isn't something terminally wrong with the mozilla.org server. And I find it hard to believe that their certificate would be screwed up somehow.

 

What can I do?

> What can I do?

I don't use KIS, but there must be a way to put *.mozilla.org into a white list so it will no longer be checked. When you get the warning, is there an option to exclude the said link from checks? I hope someone can give an answer to that really soon...

 

Paul


As far as I know, there is no way to exclude web sites from web scanning. The Web Anti-Virus feature is common with KAV so if there was such a way, you'd know, I think.


I must be drunk...no, just very, very, very tired... Of course there is a way to exclude domains from the Web AV... I even have several domains there already! But I added *.mozilla.org, and the problem remains.

> As far as I know, there is no way to exclude web sites from web scanning. The Web Anti-Virus feature is common with KAV so if there was such a way, you'd know, I think.

I only check security products for holes, but don't use any myself. I can't remember all the details in all security applications I've ever tested... ;) Somebody will be with you soon, I hope...

 

Paul

> I must be drunk...no, just very, very, very tired... Of course there is a way to exclude domains from the Web AV... I even have several domains there already! But I added *.mozilla.org, and the problem remains.

Could you tell me what extensions you use in Firefox? I'll try to find the right domains to exclude. There are probably some redirections involved...

 

Paul

Edited by p2u

> I use a ton of them. Some of the ones the problem happens with are:
>
> Add Bookmark Here
>
> Add to Search Bar
>
> View Cookies

I'm a bit pessimistic actually; I'm not sure you can really get rid of this. Here's a page from the mozilla database:

http://www.mozilla.org/projects/security/p...ssl/sslerr.html

This kind of mistake seems to happen regularly. You are lucky that none of those extensions you mentioned is security-related. Think really carefully about whether you want to keep them or not...

 

Paul


Give me a break, the extensions just check the secure mozilla.org site for updates. Actually, it's Firefox that does the checking.

 

I can't see how it's Firefox at fault. Firefox works fine without KIS in the way. It seems that KIS screws up the certificate substitution and dumps the connection. Or is Firefox being charitable and allowing a bogus certificate? I doubt it.

> Give me a break, the extensions just check the secure mozilla.org site for updates. Actually, it's Firefox that does the checking.
>
> I can't see how it's Firefox at fault. Firefox works fine without KIS in the way. It seems that KIS screws up the certificate substitution and dumps the connection. Or is Firefox being charitable and allowing a bogus certificate? I doubt it.

I'm a Firefox user myself, but I know what I'm talking about when we talk about its extensions; the fewer the better. I have limited my choice to NoScript and Adblock Plus...

P.S.: I don't use KIS or any other Kaspersky products, so there's no reason for me to defend them...

 

Paul

Edited by p2u


Well I hate NoScript (siding with Wladimir Palant in that regard) and I'm not going to get into a debate about the worthiness of extensions in general or any in particular. I like what I have and I'm keeping them. Obviously, KIS is contributing to some problem here, and I hope to find a solution or at least a workaround. "Uninstall the extensions" is not a good workaround for me.

> Well I hate NoScript (siding with Wladimir Palant in that regard) and I'm not going to get into a debate about the worthiness of extensions in general or any in particular. I like what I have and I'm keeping them. Obviously, KIS is contributing to some problem here, and I hope to find a solution or at least a workaround. "Uninstall the extensions" is not a good workaround for me.

I did not mean to offend you, I hope you understand that; I speak from the security point of view only. For now, I see only the following workaround: setting extension updates to 'Manual' and temporarily disabling the KIS feature whenever you do a manual check...

 

Paul

Edited by p2u


No problem, sorry I'm touchy by nature and apparently even more nuts when extremely tired. Thanks for the advice.

 

Since I usually don't use MSIE, I didn't discover this other problem until now: Some sites just won't work with MSIE if KIS is set to scan encrypted connections. Firefox prompts for you to accept the unrecognized cert either temporarily or permanently (or deny it altogether). But MSIE behaves unpredictably--sometimes it lets you go to a page despite the "invalid" cert, other times it just fails.

 

What a pain in the ass. Is scanning 443 really worth all this hassle anyway?

> Is scanning 443 really worth all this hassle anyway?

Actually - I don't think so...

 

Paul


Yeah, I now agree quite a bit. I just found out that this problem prevents Firefox from looking for updates to itself, and not just extensions. The error I get when I have the Check all encrypted connections option enabled is:

 

[Attached screenshot: post-9902-1192768487_thumb.png]

 

If I select Do not check encrypted connections and restart Firefox, then force an update check (Help > Check for Updates...), the update check works fine. I've toggled these two settings back and forth several times, and it's definitive--the Check all encrypted connections setting breaks Firefox update checks.

 

There actually was an update available, Firefox 2.0.0.8. I think the security fixes in that Firefox update probably outweigh the benefit of scanning TCP port 443. Good thing I disabled this KIS security feature so that I could...enhance my security.

 

And I still think it's a bug. But I don't know how to report bugs to KL. I'm not reporting it to support. I have two support incidents open right now that have been completely ignored for the past week/two weeks.

> I think the security fixes in that Firefox update probably outweigh the benefit of scanning TCP port 443.

That's correct. Here's one page that should be in the bookmarks of every Firefox user. I recommend that you go through both the new and the old tests:

http://bcheck.scanit.be/bcheck/

P.S.: You will have to allow a session cookie from them because your browser may crash in the process. If you have a cookie, they will be able to continue the test from the point where your browser crashed and give you correct security results...

 

Paul

> I have two support incidents open right now that have been completely ignored for the past week/two weeks.

Sad to hear that. I suggest you contact Igor Kurzin through PM to speed up things a little bit.

 

Paul


Well, you get this certificate error since (a) KAV/KIS substitutes its own certificate to implement virus checking over https connections -- it is by design and (b) Firefox appears to verify the certificate it receives from mozilla.org.

I suggest your desired usage pattern would be smth like "please automatically (without prompting) check all encrypted connections to port 443 except the listed ones, namely, *.mozilla.org", isn't it?

In theory, you should have been able to set the product up this way (at least, there are corresponding settings present in the UI ;-). In practice, however, it does not work (or, at least, I was unable to make it work) with KAV7 at all, while with WKS6 it does more-or-less work (just gets crazy in a couple of weeks and requires "reapply settings").

I've set up a support request for the case, waiting for a reasonable answer so far...

Edited by aehrlich

> Well, you get this certificate error since (a) KAV/KIS substitutes its own certificate to implement virus checking over https connections -- it is by design and (b) Firefox appears to verify the certificate it receives from mozilla.org.

Well, it's kind of obvious now that I think about it, but for some reason that didn't occur to me. Thanks!

 

> I suggest your desired usage pattern would be smth like "please automatically (without prompting) check all encrypted connections to port 443 except the listed ones, namely, *.mozilla.org", isn't it? In theory, you should have been able to set the product up this way (at least, there are corresponding settings present in the UI ;-). In practice, however, it does not work

Yes, that should work, but it does not. The traffic I don't want scanned, and have tried to exclude, gets scanned anyway (or at least, the SSL certificate gets replaced). Maybe the traffic is not being scanned, but the cert is still being replaced, which is the real root of the problem.

 

I hope you have better luck than me with support. I lost count of how many weeks it has been with no response at all. It's infuriating when I think about it. I just spent over $100 on this product.

> Yes, that should work, but it does not. The traffic I don't want scanned, and have tried to exclude, gets scanned anyway (or at least, the SSL certificate gets replaced). Maybe the traffic is not being scanned, but the cert is still being replaced, which is the real root of the problem.

Well, we've got to some kind of workaround together with our local support :-). The point is that to exclude a site from checking over https you have to create a rule in the trusted zone that any traffic to the given host should be excluded (presumably, to port 443, only) in the Web Antivirus.

For my case (an internet banking site) it provides the results I want, however, for a "domain name with wildcards" (*.mozilla.org) it would be pretty troublesome to find all the IP-s that could be relevant ;-/, as only IP addresses can be written there. And although it is not my business actually, are you sure that skipping virus check of mozilla addons does sound reasonable?

However, I've started running into "invalid certificate" messages of Thunderbird lately (after upgrading to WKS 6.0.3) for some mystical issues; this issue is something different and I am investigating it...


Skipping virus checking of Firefox add-ons seems reasonable to me. It's a secure connection with mozilla.org, and I'm not too worried about it. I mean, I'm running Windows, and should that be on the top of my list of concerns? I trust the Mozilla team wayyyyy before I trust Microsoft. Anyway...

 

I've tried every combination I can think of to exclude the 443 traffic in question. I even fired up a packet capture utility and found the actual IP address and host being contacted. Then I tried every variation of masks on the IP address/host name I could think of... https://dyna-addons.nslb.sj.mozilla.com/*, *dyna-addons.nslb.sj.mozilla.com*, *63.245.209.31*, 63.245.209.31/*, and so on and on and on. It will not work! No matter what, Firefox chokes when it checks for updates on affected extensions.

 

In my screwing around, I found that visiting https://dyna-addons.nslb.sj.mozilla.com made a security warning appear (thanks to an extension I have that provides this functionality...and no, I do not invite commentary on this functionality):

 

[Attached screenshot: post-9902-1193353470_thumb.png]

 

I hoped that telling Firefox to ignore this warning would help... It didn't... The extension update checks still failed.

 

I even tried a couple OCSP settings... No good.

 

Yes, I restarted Firefox each time I changed settings.

 

Frustrating!
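
Added example (not part of any post above, and not Kaspersky or Mozilla code): a Python illustration of the two checks a TLS client applies to a certificate, showing why a certificate re-signed by a local scanning proxy is rejected when the client does not trust the proxy's issuer, and why the name `*.mozilla.org` from the KIS log does not cover the host `dyna-addons.nslb.sj.mozilla.com` seen in the packet capture. Assumptions: trust is reduced to a set of issuer names, name matching follows the RFC 6125 wildcard rule (not necessarily what Firefox 2 or KIS implement), and the issuer names and the host `addons.mozilla.org` are constructed.

```python
# Added example. Certificate dicts use the shape returned by Python's
# ssl.SSLSocket.getpeercert(); every sample value below is constructed.

PUBLIC_CA = "Example Public CA (placeholder)"
SCANNER_CA = "Local HTTPS Scanner Root (placeholder)"

def _cn(rdns):
    """First commonName in a getpeercert()-style name, or None."""
    return next((v for rdn in rdns for k, v in rdn if k == "commonName"), None)

def dns_names(cert):
    """DNS subjectAltNames, falling back to the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = _cn(cert.get("subject", ()))
    return names or ([cn] if cn else [])

def name_matches(pattern, host):
    """RFC 6125 style: '*' is a whole left-most label and covers one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def classify(cert, host, expected_issuers):
    """Return the reasons a client could reject this certificate for host."""
    problems = []
    if not any(name_matches(n, host) for n in dns_names(cert)):
        problems.append("name-mismatch")
    if _cn(cert.get("issuer", ())) not in expected_issuers:
        problems.append("unexpected-issuer")
    return problems

def make_cert(name, issuer):
    return {"subject": ((("commonName", name),),),
            "issuer": ((("commonName", issuer),),)}

ORIGIN = make_cert("*.mozilla.org", PUBLIC_CA)        # as sent by the server
SUBSTITUTED = make_cert("*.mozilla.org", SCANNER_CA)  # re-signed by a local proxy

if __name__ == "__main__":
    for label, cert, host in [
        ("direct", ORIGIN, "addons.mozilla.org"),
        ("scanned", SUBSTITUTED, "addons.mozilla.org"),
        ("capture host", ORIGIN, "dyna-addons.nslb.sj.mozilla.com"),
    ]:
        print(label, host, classify(cert, host, {PUBLIC_CA}) or "ok")
```

Adding the scanner's issuer to `expected_issuers` clears the second case, which corresponds to importing the scanning product's root certificate into the client's own trust store.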
