Trusted address settings ignored

[appie]

I think I have solved the Certificate issue myself.

The file-name of the saved certificate is kind of a big deal in KTS. 

I saved the certificate for www.amazon.com as "www.amazon.com" and it did NOT work in KTS as supposed.

I saved the same certificate for www.amazon.com as "DigiCert Global CA G2" and it DID work in KTS as supposed.

The 2 certificates are exact the same but only a different filename. On the left the filename www.amazon.com and on the right the filename "Digicert Global CA G2"

Seems like KTS is not looking at contents of the imported certificate but only at the filename?

 

[appie]

Hello Wesley.Zhang,

 

I don't know what you mean with 

6 minutes ago, Wesly.Zhang said:

You don't know what I said about add self certiticate into system root certificate store.

The root certificates of amazon are allready in the root certificate store of Windows so these don't have to be installed again right?

The self signed certificates were all installed in the windows system root certificate store. Windows was able to handle these....KTS ignores them. 

The solution I found for Amazon with the filenames is kind of strange. Windows is handling certificates by content not by filename. Why is KTS caring about filename?

[Wesly.Zhang]

Congratulations on your ability to solve this problem. @appie This case of yours is very rare. I think you can ask the technical support to answer your question about this phenomenon.

[appie]

I disagree the problem I solved is a very rare one case. Amazon.com is a very common website with valid certificates which should be accepted in any way they are imported in KTS and when they are imported and it would be "nice" when KTS is keeping it's promise that you will not be bothered again by KTS when you visit a site when its certificate is imported. 

Same for the not solved self-signed certificate problem: when Kaspersky is not scanning secure connections the self-signed certificate is valid in the browser. When KTS is scanning secure connections ths certificate is still mentioned valid in the browser but.....I get always the landing-page of KTS stating the site is Untrusty and I have to agree to go any further. And more annoying...when scanning secure connections...after some time I am thrown back to the warning-landing-page wher I have to agree again to go back to the site. Not very nice when you are adminstrating a device  and in the middle of a configuration...you don't have to log in again (also strange) but you can start over with the configuration.

After decenia of IT experience I am able to find solutions where I have the rights to adminstrate the products.

KTS is not working right not giving the possabilities to administrate it in a good behaviour.  Making it do were it should protecting me for: Denial of (many) Service(s) 

[Wesly.Zhang]

Hello, @appie

Self-signed certificates are not trusted unless they are manually added to the system's trusted root certificate store. Kaspersky is correct in suggesting a self-signed certificate problem. In addition, the use of self-signed certificates is very rare, so I say this case is very rare. 

As for what you said about manual trust again and again, this is a problem of product design and the optimization of workflow logic, which I agree with you.

[appie]

The problem with the certificates is even worse. The behaviour of KTS scanning secure connections is different for Edge/Chrome/Opera.

When I open the site of ripe.net in MSedge browser it does not have the KTS personal root certificate in it's cert-path.

When I parallel open ripe.net in chrome or opera KTS puts the Kaspersky personal root certificate in between. (all browser are reopened at the same time)

On the right is Chrome-browser opening ripe.net. Left is Edge Browser opening ripe.net. No modifications on the browsers. Same moment, same root-certificate store and there is no different setting in KTS for Edge or Chrome (or is there a setting I have not found yet?)

 

Why is the trusted certificate-list working in Edge for ripe.net and why is it not working in Opera or Chrome?

Untrusty behaviour.

Ripe.net is a worldwide organisation with valid certificates and used by internet people all over the world. This should be handled the same way every time.

 

[Schulte]

Hello @appie,

it is quite possible that Kaspersky treats browsers differently.
See example here:

Spoiler

Spoiler

 

[Wesly.Zhang]

I recommend you to see some articles  to know how to scan SSL encrypted network traffic. The scanning engine must decrypt encrypted network traffic to check its network content using SSL proxy mode (Intermediate Certificate).

If you do not need to scan encrypted network traffic, you can set it not to scan encrypted network traffic. Takes effect after closing the browser and restarting.

Regards.

[appie]

 

Hello Schulte.

Thank you for your reply.

The website ripe.net is not in the exception-list and was scanned in MSEdge before I imported the certificate. After I imported the certificate in KTS it was not scanned in MS-Edge but it was still scanned in Chrome and Opera. So maybe Ripe.net should be in the list? I can not configure this list and I can not add it to list with scan-errors.

When KTS is sometimes scanning and sometimes not and this is does not matter if it's in the exceptionlist or not how can I trust on KTS doing what it supposed to do.

If I can not trust on Kaspersky Total Security it is degraded to Kaspersky Sometimes Security...and that's not a good thing. 

It's all about trust.

 

 

 

 

[appie]

Hello Wesly.Zhang,

It is not good to assume people are not having knowledge about technology. I do understand the way how encrypted traffic has to be terminated by the scanner to see what is inside before forwarding it. But the problem in this case is not that traffic is not allowed to be terminated, it is the way it seems to be impossible to configure Kaspersky to make a difference between traffic which has to be scanned and traffic which is not allowed. KTS gives an impression it can be configurated but is NOT.

If you like I can explain to you how SSL inspection should work and how it should be possible to exclude traffic if needed. 

This has nothing to do with lack of knowledge of me (I was able to make a succesfull test showing the strange behaviour of KTS after) I can make a differentiation-diagnosis of the problem, I have a far above average deepgoing understanding of TCP-IP traffic including all protocols but I have absolute not a Clue anymore in how KTS is working today but it's behaviour makes me loose faith in it.

And I don't think this is due to lack of knowledge at my side but like you stated yourself:

"As for what you said about manual trust again and again, this is a problem of product design and the optimization of workflow logic, which I agree with you. "

KTS is not a good stable product anymore and the behaviour is different every time. 

And I agree: there is a problem of product design. And I don't need to read articles about the way KTS should be working. I want it to work like it should.

P.S. Yes, I can configure KTS to not scan encrypted traffic but like I mentioned before, the mainstream of traffic on internet today is encrypted so disabling it makes the webscanner of KTS obsolete.(And makes KTS obsolete)

 

 

 

 

Edited April 20, 2022 by appie