In the past week, we saw a lot of online media attention around the question of whether antivirus software actually poses a threat to users’ safety because it intercepts and manipulates encrypted HTTPS traffic. Since then, a number of customers have contacted us, concerned that Emsisoft uses the same practices to build the Surf Protection functionality in our Emsisoft Anti-Malware and Emsisoft Internet Security products.
To answer that question right away: Emsisoft does not intercept any HTTPS traffic.
Background: Why spy on HTTPS traffic?
As described in a detailed study by security researchers, a large number of antivirus products rely on inspecting your web traffic in order to find malicious scripts and phishing attempts. By design, an HTTPS-encrypted connection doesn’t let anyone on the path know which exact web address and path you are visiting. So the only way to block specific bad web pages is to look into all of your traffic.
This is done by installing a traffic interception module between your browser and the target web server that proxies all traffic. Since that would break HTTPS end-to-end encryption, the antivirus software usually installs a new, so-called root certificate on your computer, which allows the local proxy to present a simulated encrypted connection for any website. Technically speaking, your browser only ever talks to the local antivirus HTTPS proxy and its self-issued certificates, so every encrypted website still shows the ‘safe’ lock symbol in the browser. The proxy scans the decrypted traffic and then opens its own, separately encrypted connection to the actual web server.
This concept generally works (otherwise those vendors wouldn’t have chosen it), but the main problem with the approach is that the traffic is no longer end-to-end encrypted. The local antivirus scan proxy has to reproduce the web server’s encrypted connection, and the browser’s validation of it, perfectly down to the tiniest detail in order not to weaken the encryption chain. This is where implementation mistakes are easily made and where the security problems described in the study mentioned above arise.
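The one observable difference between a genuine HTTPS connection and an intercepted one is the certificate chain the browser is shown: with interception, every site’s certificate is issued under the locally installed root rather than a public CA. The following added example (not Emsisoft code, and not part of the original post) walks such a chain from leaf to root and flags it when the root is outside a public trust-anchor baseline. The certificate dicts, the `Constructed Public Root CA` and `Local AV Inspection Root` names, and the helper `cert()` are all constructed; only `loaded_root_cns()` touches the real OS store, via the standard `ssl` module.

```python
import ssl


def rdn_cn(name):
    """Extract commonName from a getpeercert()-style name tuple:
    a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in name:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def walk_chain(leaf, store):
    """Follow issuer->subject links from the leaf until a self-signed
    certificate (subject == issuer) is reached. `store` maps subject CN to
    certificate dict (keyed by CN only, a simplification for the sample data).
    Returns the CNs from leaf to root, or None if the chain cannot be
    completed from the store."""
    path = [rdn_cn(leaf["subject"])]
    cert_ = leaf
    for _ in range(10):  # guard against malformed or looping chains
        subject_cn, issuer_cn = rdn_cn(cert_["subject"]), rdn_cn(cert_["issuer"])
        if subject_cn == issuer_cn:
            return path  # reached a self-signed root
        cert_ = store.get(issuer_cn)
        if cert_ is None:
            return None
        path.append(issuer_cn)
    return None


def is_intercepted(leaf, store, public_roots):
    """True when the chain the browser sees terminates in a root that is not
    part of the public baseline, which is what a local interception proxy
    re-signing every site under its own installed root looks like.
    Returns None when the chain is incomplete and no decision is possible."""
    path = walk_chain(leaf, store)
    if path is None:
        return None
    return path[-1] not in public_roots


def loaded_root_cns():
    """Live helper (not exercised by the sample data): CNs of the CA
    certificates Python loads from the OS trust store, which on Windows are
    the system certificate stores. Comparing this list against a public
    baseline reveals locally added roots."""
    ctx = ssl.create_default_context()
    return sorted(filter(None, (rdn_cn(c["subject"]) for c in ctx.get_ca_certs())))


def cert(subject_cn, issuer_cn):
    """Build a minimal constructed certificate description (not a real cert)."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),)}


# Constructed sample data: a normal chain and an intercepted one in which the
# proxy re-signs the site's certificate under a locally installed root.
PUBLIC_ROOTS = {"Constructed Public Root CA"}
STORE = {
    "Constructed Public Root CA": cert("Constructed Public Root CA", "Constructed Public Root CA"),
    "Constructed Public Intermediate": cert("Constructed Public Intermediate", "Constructed Public Root CA"),
    "Local AV Inspection Root": cert("Local AV Inspection Root", "Local AV Inspection Root"),
}
GENUINE_LEAF = cert("www.example.com", "Constructed Public Intermediate")
PROXIED_LEAF = cert("www.example.com", "Local AV Inspection Root")

if __name__ == "__main__":
    for label, leaf in (("genuine", GENUINE_LEAF), ("proxied", PROXIED_LEAF)):
        print(label, walk_chain(leaf, STORE), "intercepted:", is_intercepted(leaf, STORE, PUBLIC_ROOTS))
```

In practice the baseline would be a curated public root list rather than a one-entry set, and the check is only meaningful on the chain the browser itself receives; a root that is present locally, absent from the public baseline, and shows up as the issuer of every site’s certificate is the hallmark of interception.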
Doing it differently: How Emsisoft’s Surf Protection works
Emsisoft chose a different method to make sure you can’t access malicious and fraudulent websites. Instead of filtering at the URL level (example: https://badsite.com/folder/malwarefile.exe), it blocks known bad hostnames (example: badsite.com) at the DNS level. Hostnames are resolved to the servers’ IP addresses by the operating system. Emsisoft’s Surf Protection intercepts that address resolution process, independently of browser and traffic type, by returning an invalid IP address for hostnames that are on the blacklist.
That method may not be as precise as URL filtering, but it comes with two significant advantages:
- It doesn’t rely on spying on any encrypted traffic, so it exposes a much smaller attack surface than interception-based concepts.
- It doesn’t require querying huge cloud-based databases to verify good and bad website addresses, which makes it less intrusive on your privacy by design, as all matching is done locally on your computer.
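To make the DNS-level approach concrete, here is an added example (written for this page, not Emsisoft’s Surf Protection code) of the two pieces it consists of: a local blocklist match that also catches subdomains of a listed hostname, and a resolver hook that answers a DNS query for a blocked name with an unroutable address while leaving every other query to the real resolver. The `BLOCKLIST` entries, the sinkhole addresses and the sample queries are constructed; the wire format is standard DNS (RFC 1035).

```python
import struct

# Constructed blocklist of hostnames (stand-ins, not real indicators).
BLOCKLIST = {"badsite.com", "phish.example"}
# Unroutable answers returned for blocked names: 0.0.0.0 for A, :: for AAAA.
SINKHOLE = {1: bytes(4), 28: bytes(16)}


def normalize(hostname):
    return hostname.rstrip(".").lower()


def is_blocked(hostname, blocklist=BLOCKLIST):
    """Match the hostname or any parent domain against the local blocklist,
    so www.badsite.com is caught by an entry for badsite.com. The bare TLD
    is never considered a match."""
    labels = normalize(hostname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def build_query(tid, hostname, qtype=1):
    """Encode a standard query for one name; used to construct sample input."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in normalize(hostname).split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Parse the header and the single question of a DNS query.
    Returns (transaction_id, qname, qtype, qclass, raw_question_bytes)."""
    tid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    return tid, ".".join(labels), qtype, qclass, packet[12:pos]


def resolve_locally(packet):
    """The resolver hook: return a sinkhole response for a blocked hostname,
    or None meaning 'pass the query through to the real resolver untouched'."""
    tid, qname, qtype, qclass, question = parse_query(packet)
    if qclass != 1 or qtype not in SINKHOLE or not is_blocked(qname):
        return None
    rdata = SINKHOLE[qtype]
    # Standard response, no error, one question echoed, one answer.
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type, class IN, TTL, RDLENGTH.
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    for name in ("www.badsite.com", "example.com", "BadSite.COM."):
        response = resolve_locally(build_query(7, name))
        print(name, "->", "sinkholed" if response else "passed through")
```

The part not shown is the operating-system hook that feeds every resolution request through `resolve_locally` before it reaches the network; that is the product-specific piece. Two limits follow directly from the design and are worth knowing as a user: a connection made straight to an IP address, or by an application that resolves names over its own transport instead of the OS resolver, never passes through this check, and, as the post says, a blocked hostname takes its harmless pages down along with the bad ones.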
Why you should still use antivirus/anti-malware software
In the media it was often claimed that people would be better off without antivirus software. If we shared that view, we probably wouldn’t have spent the last ~15 years developing malware protection software. We at Emsisoft believe that the main purpose of antivirus software is to protect users from the consequences of the occasional mistakes that all of us make. Once in a while, even the best security experts click on a bad file by accident, or tick the wrong checkbox during a setup that installs a PUP when they are in a hurry, and regret it the second after. Antivirus software is your safety net for those (hopefully) rare situations.
But let’s be honest: perfect software does not exist. Any of the many millions of lines of code may contain an undetected error that somebody could use to exploit and misuse a product. Emsisoft is no exception in that regard. Yet we always aim for the highest code quality and try to react as quickly as possible to any vulnerabilities found by security researchers.