The study finds there is "more than an order of magnitude" of HTTPS interception happening than previously thought, and that vendors are poorly handling inspection after a so-called "TLS handshake", where antivirus or network appliances "terminate and decrypt the client-initiated TLS session, analyze the inner HTTP plaintext, and then initiate a new TLS connection to the destination website".
"Our results indicate that HTTPS interception has become startlingly widespread, and that interception products as a class have a dramatically negative impact on connection security. We hope that shedding light on this state of affairs will motivate improvements to existing products, advance work on recent proposals for safely intercepting HTTPS and prompt discussion on long-term solutions," they write.
They also find that the default settings on 11 of 12 network appliances tested introduce severe flaws, such as incorrectly validating certificates, while 24 of 26 antivirus products introduce one or more security flaws.
Google and Mozilla's message to AV and security firms: Stop trashing HTTPS
詳細的報告在以上原文網站裡
若是連接去銀行帳號之類有高度敏感資料的網站
並被這些防毒軟體所攔截的話
這樣還會安全嗎?
