Scanning of encrypted HTTPs/POP3s protocols

Hi,

The new incoming version of “ESET NOD32 Antivirus” will add support for scanning of encrypted HTTPs/POP3s protocols.

avast! will also support them in the future?

Regards

Avast! currently supports scanning of encrypted pop3/smtp email protocols such as gmail through the use of the free third party program Stunnel. If you search, you will find the setup described in several threads. Also rumored to be in the future V5. Don’t know about HTTPS, since these only occur for websites with valid SSL certificates from someone like Verisign, and are not merely transports for uncontrolled traffic as the encrypted POP3 servers are. Don’t know why NOD32 would scan HTTPS either. ???

sded,

I know that we can use avast! with stunnel for that, and I also replied on those topics, but I want to know if avast! will support these protocols without using other programs like stunnel…

I find Stunnel much more straightforward to set up and maintain than the built-in ones I have tried (AVG), but maybe NOD32 will do it better, and Avast! will do it even better. I suppose it depends on marketplace demands. Any idea why NOD32 would scan https traffic other than for marketing? This traffic is between you and websites vetted and certified by trusted third parties like Verisign, so are they looking for covert rogue banks/financial sites or ???. BTW, I wouldn’t recommend spending money doing this internally by Avast!. Two factors: 1) Stunnel is easy to implement, easier to implement than the internal stuff I have seen. I think Avast! should provide good instructions formally instead, like gmail does for their pop3 setup for various email programs. And maybe a downloadable initial stunnel.conf or a wizard. Both Stunnel and OpenSSL are freely licensed for commercial purposes. 2) The encrypted sites, like gmail in particular, are moving to doing their own enterprise-level virus scanning of all traffic, so avast! (and the others) are becoming just another redundant capability anyway. BTW, Gmail is also getting a lot of custom mail outsourcing business from the smaller ISPs. But I don’t know anything about market demands in the future, so ??? Maybe Vlk will enlighten us a bit. :slight_smile:

Version 5 is supposed to have the ability to scan SSL/TLS (secure encrypted) emails without the need for STunnel.

I’m not sure either about the scanning of HTTPS traffic, if it is ethical/moral to snoop, because that is what is being done on, say, your banking or purchasing, etc. So I too can’t see the purpose of them doing this. Not to mention, once this technology is let loose, what is to stop malware doing the same?

So then we are looking at having to change the secure communication protocols for banking/financial/confidential sites/data. Just because you may have found a way to do it doesn’t mean it is right to do so.

I would also imagine that there would be a performance hit whilst on HTTPS sites if you were decrypting & scanning this content.

Seems much more technically difficult to do it with HTTPs also. POP3/SMTP is fairly straightforward, since it is one TCP connection, one brief session, always done for your email client, and you control things like the ports used. HTTP generates a whole bunch of separate TCP connections, all of which need to be encrypted if you use HTTPs, and an ongoing dialog between the client and server, as well as using ports selected by the site (80, 8080, 443, …). You either need a way to stop a browser from generating an https session request even when it is called for by a DNS lookup or other, so that the scanner can first scan it and use an externally generated session, or to find a way to let it generate the SSL session to a proxy, decrypt in the proxy and scan and then re-encrypt with a separate session between the proxy and the server so that there are actually two SSL sessions going on (trusted man in the middle?), or do something even more clever. And with all the security precautions of SSL commerce and the various browsers, I don’t see offhand something simple that would work (authentication issues, for example). So interested in the “how” for NOD32 also.

Well, a very very expected feature for avast.

I think there may be some misunderstanding of what will happen here.

avast (and anyone else - except, most likely, your national security organizations) cannot scan any of these encrypted SSL/TLS and HTTPs connections (which is just HTTP using SSL after all).

THEY ARE NOT, AND WILL NOT BE, DOING SO.

avast (if it fulfills the expectation) will simply be implementing the equivalent function of STunnel within avast.

What this means is that a user will have to agree to allow avast to manage the secure connections and terminate the (totally unscanned secure) connection and then pass the unencrypted stream entirely within your own system through avast scanning to the awaiting user application endpoint.

I have no information about the possibility of avast offering the ability to manage the scanning of https streams - I would have expected them to offer the management of scanning secure email connections as a first step and “see how it goes”.

The scanning by avast of any of these streams (if you analyze it on your system) is really a nit (unless you are running a really ancient processor) compared with the slowness of even the fastest network connections. Where the decryption is done is irrelevant - it is going to be done (once and once only) at the connection endpoint. The “extra hit” would be scanning the currently unscanned https data - a drop in the ocean in the surfing performed by most users.
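The setup the posts above describe (Stunnel terminating the POP3S/SMTPS session on your own machine, with the plaintext leg staying on loopback so the resident mail scanner can read it) looks like the following client-mode stunnel.conf. This is an added example, not a file from the thread, from avast or from the Stunnel project; the Gmail host names follow the gmail mention earlier in the thread, and the CA bundle path and log file name are assumptions to be replaced with your own.

```ini
; Added example of a client-mode stunnel.conf (not from the thread or from avast).
; stunnel accepts a plain POP3/SMTP connection from the mail client on 127.0.0.1,
; opens the TLS session to the real server itself, and relays the decrypted
; stream back over loopback, where the resident mail scanner can inspect it.
; Host names, paths and the log file name are assumptions for this example.

; Log to a file so certificate verification failures are visible.
debug = 4
output = stunnel.log

; Service defaults (stunnel 5.x option names; stunnel 4.x used "verify = 2").
; Because stunnel, not the mail client, is now the TLS endpoint, it must be
; the one that validates the server's certificate chain; without this the
; tunnel would silently accept any certificate.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt

[pop3s-gmail]
client = yes
; Listen on loopback only: the plaintext leg must never leave this host.
accept = 127.0.0.1:110
; Assumed provider values (Gmail POP3 over TLS).
connect = pop.gmail.com:995
; Check that the presented certificate actually names the host we intended.
checkHost = pop.gmail.com

[smtps-gmail]
client = yes
accept = 127.0.0.1:25
; Assumed provider values (Gmail SMTP over implicit TLS).
connect = smtp.gmail.com:465
checkHost = smtp.gmail.com
```

The mail client is then pointed at 127.0.0.1 port 110 (POP3) and port 25 (SMTP) with its own SSL/TLS option switched off; the only unencrypted traffic is the loopback hop between the client, the scanner and stunnel, which matches the "terminate the connection and pass the unencrypted stream entirely within your own system" description above. The check worth keeping is the verifyChain/checkHost pair: once the tunnel terminates TLS, the mail client no longer sees the server certificate, so a tunnel configured without verification would hide an invalid or substituted certificate from the user.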

I’m waiting for exactly this…

I think David was referring to this also…

Thanks for the info… :wink: