Kaspersky fixing serious certificate slip

Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users. Discovered by Google's dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company's antivirus inspects encrypted traffic. Since it has to decrypt traffic before inspection, Kaspersky presents its certificates as a trusted …

  1. redpawn

    Good enough

    32 bits keep honest hackers honest.

    1. Anonymous Coward

      Re: Good enough

      32 bits keep honest hackers honest.

      .. and intercept alive ..

  2. WatAWorld

    Which is in error, the first or the last line of the story?

    The story came out on the 4th and says Kaspersky is going to fix the problem.

    But the last line of the story says Kaspersky fixed the problem on December 28th.

    Which is it? They can't both be correct.

    1. Brian Miller

      Re: Which is in error, the first or the last line of the story?

      The original forum post was on Nov 1st, and the fix was on Dec 28th.

      Hello, El Reg, timely articles are good! It doesn't make sense to post an article about news that's two months old, about a problem that's been fixed.

      (Personally, I disabled the Kaspersky certificate replacement "feature," because replacing the certificate means that the browser can't check if the original certificate changes.)

  3. RIBrsiq


    You had one job, Kaspersky! One job...

  4. Anonymous Coward

    It's time to renew my AV, who do I choose instead of Kaspersky?

    1. Bronek Kozicki

      Re: OK

      From personal experience, F-Secure seems fine.

      1. tr1ck5t3r

        Re: OK

        They all seem fine until they are not. Has anyone actually tested the other offerings? The whole internet security industry is just a herd of mindless cattle following each other when one of the crowd gets spooked.

      2. Anonymous Coward

        Re: OK

        I'll just leave this here:

        "The F-Secure Policy Manager server app could do with a good comprehensive thrashing by an experienced vuln dev / software security auditor."

        * strolls away whistling innocently

    2. Anonymous Coward

      Re: OK

      The question to ask is "How do I pick the AV vendor who isn't about to have the next highly-public problem?"

    3. Anonymous Coward

      Re: OK

      Buy a mac.

    4. Mahhn

      Re: OK

      I've managed nearly a dozen AV tools over the last 19 years. They all change nearly completely every 5 to 10. Some that were great at one time became system hogs, others just missed too many things and then the worst were false positives that brought a company to a stop for a day or so.

      So pick your poison. Today I'll stick with Kaspersky, in 5 years who knows.

      Try the free version of some, or just move to a live CD as an OS and reboot before you make a purchase. But that's a PITA.

      Wish for the old days of simple viruses, when Panda and AVG were the top performers.

    5. oneeye

      Re: OK

      You should take a serious look at Malwarebytes 3.0 as they have some really great new things they have added to the latest version.

      1. The First Dave

        Re: OK

        I _really_ don't want any 'great new things' in an AV tool, just stick to the basics and try to keep it lean.

      2. Anonymous Coward

        Re: OK

        "Malwarebytes 3.0"

        You are joking, aren't you? This version is full of horrendous bugs and detection rate from the independent MRG Effitas shows a jaw dropping 70. It's massively worse than just free Windows Defender on its own, never mind the better paid-for software.

  5. petef

    Browsers vs Antivirus

    Avast had a security problem with their SafeZone browser last year too. Comodo’s Chromodo also had a security issue. I personally trust the dedicated makers of browsers over the products supplied by AV vendors. I use Avast on the PCs I look after but use a custom install to exclude SafeZone.

    1. Stuart 22

      Re: Browsers vs Antivirus

      "I personally trust the dedicated makers of browsers over the products supplied by AV vendors"

      Yes but they still screw up. I had an issue with Vivaldi which was bouncing a perfectly good certificate which was fine by every other browser I could lay my hands on. Then suddenly within a day it started accepting it again.

      What really annoys me is when browsers block rather than warn about certificates. If I wish to take a risk of browsing my own website with my own certificate - that is my business. Especially if it is a place Let's Encrypt can't go.
