Encrypted connection scanning feature in Huorong Internet Security can reduce users' security and make it easier for eavesdroppers to decrypt network traffic
Orca, Aug. 27, 2024
Affected software(s)
Version 6.x of Huorong Internet Security, customer version
Note: 1. Since I don't expect people without some knowledge of information security to read this blog post, I skip some very obvious background information on computer networking and infosec. 2. In many cases below I translated Chinese texts literally, which may not match the official English translations used by Huorong.
1. Background information
HTTPS inspection (also called “HTTPS interception”, the category to which Huorong's “encrypted connection scanning feature” belongs) is a technique that performs a man-in-the-middle (MiTM) interception on the local computer or at an organization's Internet gateway in order to scan for malicious programs and malicious traffic, or to block access to specific network resources. Because HTTPS inspection is usually deployed by network administrators, it is not by itself a kind of network intrusion. (Reference: Cloudflare, “What is HTTPS inspection?”)
Some consumer-level security software, such as Kaspersky and Avast, also offers HTTPS inspection functions. (References: Kaspersky; Avast)
Huorong Internet Security is an Internet security suite developed by Huorong Network Technology Company (hereinafter “Huorong Company”). It includes functions such as antivirus, intrusion detection and lateral movement prevention. Major version 6, released in 2024, added a function named “encrypted connection scanning”, which is enabled by default. (Reference: “Huorong Security 6.0 insider preview released” (Chinese); Archive)
2. The security vulnerability
If done right, HTTPS inspection can possibly increase users' security [Citation needed]. Unfortunately, many HTTPS inspection functions are written badly and riddled with security vulnerabilities, putting their users in danger.
In 2015, German journalist and researcher Hanno Böck discovered the following. The HTTPS inspection function in Kaspersky allowed an adversary in the middle to force the client (Kaspersky's traffic interception program) to use weak export-grade encryption (56-bit) when communicating with the server (FREAK), and it supported TLS data compression (CRIME/BREACH). The HTTPS inspection function in ESET did not support TLS 1.2, so its users were forced to use weaker encryption algorithms over the Internet. The HTTPS inspection functions in Avast and Kaspersky accepted nonsensical Diffie-Hellman key exchange parameters as small as 8 bits. None of the three implemented OCSP, so revocation was never checked and a certificate whose private key had leaked could still be used to conduct a MiTM attack.
In 2017, researchers from the University of Michigan, the University of Illinois Urbana-Champaign, Mozilla, Cloudflare, Google, the University of California Berkeley and the International Computer Science Institute discovered (https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/security-impact-https-interception/; PDF) that some HTTPS inspection functions have design flaws that make it impossible for end users to recognize problematic TLS servers, including servers that use self-signed certificates, expired certificates or certificates issued by an unknown issuer. This severely undermines the security guarantees provided by TLS. US-CERT issued a warning afterwards, notifying network administrators that, if a risk assessment deems it necessary to install such a product, they need to assess whether the product validates TLS certificates correctly, because a product that cannot will negatively impact the security guarantees provided by HTTPS.
By conducting experiments, we have found that the “encrypted connection scanning feature” in the consumer version of Huorong v6.x has the same problem. By accessing badssl.com on a computer with Huorong installed, we found that Huorong's HTTPS inspection function does not check whether a certificate is expired, self-signed or issued by an unknown issuer. This makes Huorong users with this function enabled more susceptible to MiTM attacks: sensitive data transferred over HTTPS can be leaked to adversaries without the user noticing.
Screenshot of Firefox accessing BadSSL, showing that connections to sites with certificate errors are established, which reveals a problem with the browser or with an HTTPS interception product. This image is for demonstration only; Firefox itself is not affected by the problem in Huorong.
(Mind you, this function is enabled by default.)
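To make the badssl.com experiment above repeatable, and to show what the client side of a TLS connection (including the upstream side of an interception proxy) must check against the weaknesses Böck found, here is an added example. It is not Huorong's code and not the original author's script; the badssl.com hostnames are the public test endpoints of that service, and everything else (function names, verdict strings) is this example's own. Python's `ssl.create_default_context()` loads the operating system's trust store, so on a machine where an interception product has installed its own root and re-signs every site, a handshake that completes against expired.badssl.com or self-signed.badssl.com means the interceptor accepted the bad upstream certificate.

```python
import socket
import ssl
from typing import Callable, Dict, List, Tuple

# Public badssl.com test hosts and whether a correctly validating client
# MUST reject the handshake. (Hostnames are badssl.com's own; the table
# and the rest of this script are an added example.)
BADSSL_HOSTS: Dict[str, bool] = {
    "badssl.com": False,                # valid certificate: must succeed
    "expired.badssl.com": True,         # expired certificate
    "self-signed.badssl.com": True,     # self-signed certificate
    "untrusted-root.badssl.com": True,  # chain ends in an unknown issuer
    "wrong.host.badssl.com": True,      # certificate for a different name
}

# Cipher-name fragments that should never appear in a modern client's offer
# (export grade, RC4, NULL/MD5, anonymous DH) - cf. the FREAK/DH findings.
WEAK_CIPHER_MARKERS = ("EXP", "RC4", "NULL", "MD5", "ADH", "AECDH")


def strict_client_context() -> ssl.SSLContext:
    """What an HTTPS client, or the upstream side of an interception proxy,
    must use: chain, expiry and hostname are verified, TLS >= 1.2 only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def broken_client_context() -> ssl.SSLContext:
    """The behaviour the post observed in Huorong, expressed as a context:
    every certificate is accepted. Shown only as the contrast case."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Names of cipher suites the context would offer that match a weak marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """TLS compression enables CRIME/BREACH; it must be off."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def handshake(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Attempt a TLS handshake using the system trust store; returns
    (completed, detail). Needs network access."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(pair[0] for pair in tls.getpeercert()["issuer"])
                return True, f"ok, issuer={issuer.get('organizationName', '?')}"
    except ssl.SSLCertVerificationError as e:
        return False, f"rejected: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return False, f"error: {e}"


def classify(must_reject: bool, completed: bool) -> str:
    """Verdict for one host: a completed handshake against a bad certificate
    means something in the path (browser, proxy, interceptor) is not validating."""
    if must_reject and completed:
        return "VALIDATION BYPASSED"
    if must_reject:
        return "correctly rejected"
    return "ok" if completed else "UNEXPECTED FAILURE"


def audit(hosts: Dict[str, bool] = BADSSL_HOSTS,
          connect: Callable[[str], Tuple[bool, str]] = handshake) -> Dict[str, str]:
    """Run every host through `connect` and map host -> verdict.
    `connect` is injectable so the verdict logic can be exercised offline."""
    return {host: classify(must_reject, connect(host)[0])
            for host, must_reject in hosts.items()}


def interception_suspected(results: Dict[str, str]) -> bool:
    """True if any host that must fail actually completed its handshake."""
    return any(v == "VALIDATION BYPASSED" for v in results.values())


if __name__ == "__main__":
    ctx = strict_client_context()
    print("weak ciphers offered:", weak_ciphers(ctx) or "none")
    print("TLS compression disabled:", compression_disabled(ctx))
    results = audit()
    for host, verdict in results.items():
        print(f"{host:28s} {verdict}")
    print("interception product degrading validation:", interception_suspected(results))
```

Run it once on a clean machine and once with the security product installed and its scanning feature enabled; the verdict column should be identical. If the four must-fail hosts flip to "VALIDATION BYPASSED" only on the second machine, the interceptor is accepting certificates the browser would have refused, which is exactly the failure the US-CERT warning tells administrators to test for.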
3. Another problem
There's another problem: even if you disable this function in the settings (Settings – Virus protection – Web scanning – Encrypted connection scanning) and remove the root certificate it installed using certmgr.msc, Huorong will regenerate a new root certificate and install it into your system's certificate store.
4. Remediation measures for Huorong users
If possible, uninstall Huorong Internet Security suite. If you need an antivirus, use Microsoft Defender Antivirus (formerly Windows Defender).
Seven years after this category of problem came to light, Huorong Company still released its HTTPS inspection function without verifying whether it has the same kind of problems. This means Huorong Company neither considered whether this function would negatively affect its users before releasing it, nor learned anything from those who came before. Huorong Company's gross negligence and irresponsible attitude towards its users put them under threat from adversaries.
If for some reason you can't uninstall Huorong, at least disable this function: Main interface – Settings (gear icon on the left side) – Virus protection – Web scanning – Encrypted connection scanning
5. Remediation measures for Huorong company
FIX YOUR SHIT AND TAKE RESPONSIBILITIES FOR YOUR NEGLIGENCE!!!
It has been 7 years since the vulnerabilities in HTTPS inspection functions were exposed, and you've learned NOTHING and are going to Fuck around and Find out all by yourself??? Or do you think you're so capable that you would never make any mistake? So this is how you show you're CAPABLE???
6. Why no “responsible disclosure”?
Because we believe “responsible disclosure” is a lie used to gaslight security researchers. It's not us who wrote this stupid function or this stupid bug, so what is there for us to “be responsible” for???
(Reference: “Responsible disclosure is wrong”; Archive)
7. Donate 💖
Please consider donating any amount of money you see fit to some mutual aid posts under
https://cyberpunk.lol/tags/MutualAid
or donate to Organization for Transformative Works
https://donate.transformativeworks.org/otwgive
if you feel like you want to throw some money at me. Thanks.💖
8
This article is written as a part of 24+i Imaginary TimeZone Collective.