Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users. Discovered by Google’s dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company’s antivirus inspects encrypted traffic. Since it has to decrypt traffic before inspection, Kaspersky presents its certificates as a trusted authority. If a user opens Google in their browser, for example, the certificate will appear to come from Kaspersky Anti-Virus Personal Root. The problem Ormandy identified is that those internal certificates are laughably weak.
View full story
ORIGINAL SOURCE: The Register