BitDefender bit trip slaps 'valid' on revoked certs

Bitdefender is set to fix a security flaw in its products that meant revoked certificates for potentially malicious sites could be replaced with legitimate ones. The problem, which the security vendor considered a low-level threat, arose when revoked certificates were replaced with a BitDefender certificate for the purpose of …

  1. gollux

    Time for a security audit.

    One thing that Komodia has shined a light on. All MITM software that pretends to inspect SSL traffic for your security, privacy, intellectual traffic protection and malware protection has probably been doing it wrong.

    It's just a given in the slap-dash "OMG, SSL's gonna bypass our packet inspection and everything will be insecure again" way that this stuff has been thrown together, especially since the Google push for EVERYTHING HTTPS!

    Growing pains, gotta love them. For most programmers, as in all things, hindsight's 100%, after all. Schneier's law kind of thing: the people coming up with this need someone external to break their stuff, as they've focused so well on the implementation that they've forgotten there are a million people out there willing to crack a bad implementation and use their product against their "customers".

    Expect all security/safety MITM scan software to have severe flaws that allow it to rubber-stamp invalid, revoked, specially crafted and self-signed certificates as fully non-trust-breaking connections via their faked, reassigned certificates, unless proven otherwise.
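
The failure gollux describes above, as an added example in Go (not Bitdefender's code, nor anything from the article or this thread): a constructed origin CA issues a leaf for the made-up host example.test and then revokes it on a CRL; a constructed interception-proxy CA, playing the role of the root such products install in the browser, re-signs the site for the client. With the upstream check skipped, the client sees a clean certificate for a revoked site; with the check in place the proxy refuses instead. All names, serial numbers and the hostname are assumptions for the demo; it uses only the Go standard library and needs Go 1.19 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Bitdefender's or The Register's code. It models the flaw
// gollux describes: an SSL-inspecting proxy that re-signs every site with its
// own CA without carrying the origin's verdict (chain + revocation) across.
// Origin CA, proxy CA, serials and demoHost are all constructed for the demo.

var ErrRevoked = errors.New("upstream certificate is revoked")

const demoHost = "example.test" // assumed hostname for the demo

type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and a CA or server certificate for name,
// signed by issuer (self-signed when issuer is nil).
func issue(name string, serial int64, isCA bool, issuer *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.DNSNames, t.ExtKeyUsage = true, true, nil, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if issuer == nil {
		issuer = &identity{t, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert, key}, err
}

// must panics on a fixture-construction error, which in this demo is a bug.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo PKI, built at package init: an origin CA with one revoked (serial 42)
// and one valid (serial 43) leaf for demoHost, the origin's CRL, and the
// interception proxy's own CA (the root the product installs in the browser).
var (
	origin  = must(issue("Demo Origin Root", 1, true, nil))
	proxy   = must(issue("Demo Interception Proxy CA", 1, true, nil))
	revoked = must(issue(demoHost, 42, false, origin))
	valid   = must(issue(demoHost, 43, false, origin))
	crlDER  = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}},
	}, origin.cert, origin.key))
)

// verifyUpstream is the check a proxy must run on the origin's certificate
// before substituting anything: chain and hostname validation, then the
// issuer's CRL, whose own signature is checked before the serial lookup.
func verifyUpstream(leaf, root *x509.Certificate, crl []byte, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	rl, err := x509.ParseRevocationList(crl)
	if err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(root); err != nil {
		return err
	}
	for _, r := range rl.RevokedCertificates {
		if r.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// browserSees is what the proxy hands the client for an origin certificate.
// checkUpstream=false is the flawed behaviour: a clean certificate from the
// proxy's own CA whatever the origin presented. With true the origin's verdict
// is carried across, so a failed check fails the connection instead.
func browserSees(upstream *x509.Certificate, checkUpstream bool) (*x509.Certificate, error) {
	host := upstream.Subject.CommonName
	if checkUpstream {
		if err := verifyUpstream(upstream, origin.cert, crlDER, host); err != nil {
			return nil, fmt.Errorf("refusing to re-sign %s: %w", host, err)
		}
	}
	id, err := issue(host, 1000, false, proxy)
	if err != nil {
		return nil, err
	}
	return id.cert, nil
}

// clientAccepts is the browser's view: it trusts the proxy root the product
// installed and validates whatever certificate the proxy presents.
func clientAccepts(presented *x509.Certificate) bool {
	if presented == nil {
		return false
	}
	roots := x509.NewCertPool()
	roots.AddCert(proxy.cert)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: demoHost})
	return err == nil
}

func main() {
	for _, leaf := range []*identity{revoked, valid} {
		flawed, _ := browserSees(leaf.cert, false)
		_, err := browserSees(leaf.cert, true)
		fmt.Printf("origin serial %v: flawed proxy, client accepts=%v; fixed proxy err=%v\n",
			leaf.cert.SerialNumber, clientAccepts(flawed), err)
	}
}
```

The whole difference between the two behaviours is the one `checkUpstream` branch: the flawed proxy never asks whether the origin's certificate is any good before minting a replacement the client will trust. Two details matter in `verifyUpstream`: the CRL's signature is checked against the issuer before any serial is looked up (an unsigned or attacker-supplied CRL is no better than none), and a revocation hit is returned as a distinct error so the proxy can fail the connection rather than fall through to issuance. The demo covers CRLs only; a production interceptor would also need OCSP and a sane policy for when revocation information is unreachable.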

  2. Anonymous Coward

    Bitdefender is just a nice-looking UI but not much under the hood... and those who buy it will end up with a renewal the year after, even if there is a RENEW button in your account page that you never clicked on. Just stay away... Windows Defender is free and just as good.

    1. Anonymous Coward

      Not really. I looked at many AV packages for corporate use and BD regularly came out top in testing for in-the-wild detection, false positives, etc. It also works pretty well as far as speed goes.

      As we are on an IT site I presume you are talking about business use, in which case Microsoft Security Essentials is not available, and the corporate version never got very good ratings in testing. Microsoft Defender is a lesser version of Microsoft Security Essentials unless you are using Windows 8.

      We had used Sophos before, but due to their massive screw-up and terrible response, which stopped most of the software on our network working, we didn't renew again. I find Bitdefender much better anyway.

      BTW I have no affiliation with BD but I am a real-world corporate user.

      1. Anonymous Coward

        I just looked up Bitdefender on av-comparatives.org and the latest yearly summary test shows it was the product of the year for 2014 and was "top rated" in 2013. Virus Bulletin also places it pretty much in the top quadrant, with the VB100 award every month for all the platforms.

        I was just curious as to why I had got a downvote and thought I'd make sure it was still independently rated highly since I last looked when I was deciding which product to use.

        1. x 7

          Interesting results - it would be interesting to compare other testers' findings.

          Subjectively, from what I've seen of it in the wild, I wouldn't trust it. Seen too many infected machines with it on. I wonder if there's a structural problem here - i.e. some products work OK in the lab but fail in real life because of some external interference, e.g. updates failing more readily?

  3. x 7

    Does Bulldog still use the Bitdefender scanning engine? If so, it may also be affected by this.

Biting the hand that feeds IT © 1998–2020