Your antivirus software might not be acting in your best interest. We, at Knudge, have encountered multiple instances of cybersecurity software interfering with our users’ connections to our service. When we dug into why, we found that many of these cybersecurity solutions were eroding security and monitoring user traffic, all without end users being aware of exactly what was happening.

“Cybersecurity”

Hi there! This is Logan with Knudge Engineering. I’m passionate about security best practices, especially realistic ones — things that keep data safe without users having to bend over backwards. Things that can make a system easier to use while also improving its overall “security posture” (how secure a system is overall). This article is meant for a non-technical audience, but please do reach out to us if you’d like to know more, or if there’s anything that could use further clarification.

We’ve had about a dozen different instances of one “cybersecurity” solution or another preventing users from accessing the Knudge app. After I looked further into why, I was a bit shocked by what they were doing. I’ll get to that in a bit, but first, I want to start with some broader thoughts on commercial cybersecurity solutions and the industry at large. What follows are my personal opinions, although I like to think they’re well-founded. I will be sassily putting “security” and “cybersecurity” in quotes when referring to this software, but I will not refer to any specific product by name.

Digital security or “cybersecurity” is a big ol’ industry. A quick search for “cybersecurity solution” or “antivirus software” will give you a good sense of the big players. It’s something that everyone wants: to keep our personal and professional digital lives secure. It spans fields like network infrastructure, cryptography, data storage, personal computing, and most importantly human behavior. It affects every industry, not just technology-based ones. Every person and company is at risk of falling victim to some ransomware scheme—the most popular strategy for monetizing security breaches at the moment. Breaches erode trust and have tangible effects on lives, financial and otherwise. Nobody wants that.

The “cybersecurity” market

So, what are the options for someone looking to keep their digital lives secure? One option is to airgap your computer in a bunker and never use the internet again, never talk to anybody, and live off canned food forever. Or, don’t own any digital devices!

As much as I love canned peaches, that sounds unappealing to me. I like having a computer. My phone is useful. I like the internet. It can be a mixed bag sometimes, but on the whole it’s not something I want to give up. I also like my friends and family and having contact with the outside world. So what can I do?

Well, there are numerous “cybersecurity solutions” out there. So many. They are very good at advertising so you might be able to rattle off the names of a few without thinking. Each of these products has a similar pitch: “Install us, and we will make your computer completely secure and nothing bad will ever happen to it again”. Let’s hear some pitches:

Feel truly safe online with AI-driven protection against hackers and the latest viruses, ransomware and spyware.

Protecting all aspects of your digital life with cutting-edge expertise and advanced machine learning.

Choose to be safer online. Opt-in to Cyber Safety.

All these sound good, yeah? Of course! I want all of those things. Protect My Safety!

Theory vs. practice

These companies, well, they make software. That software is meant to protect other software (like everything that’s running whatever you’re reading this on) from various security breaches. Security breaches generally happen because of either:

  1. bugs in software
  2. user error

Let’s tackle point #1 first. There are certainly bugs in software; always have been, always will be. Software is written by humans who are sometimes tired and sometimes make mistakes — sometimes these mistakes slip through the many layers of human and automated review. The issue is… the “security solution” I just purchased is also software written by humans. This means, you guessed it, it also can have bugs! It can also have security vulnerabilities! It’s a textbook who-watches-the-watchmen situation. Nothing is watching the security solution you just bought to see if it, itself, gets breached. So, that’s not ideal, but what’s the alternative? I’ll get to that after #2.

Onto point #2. User error can account for a few things, but they mostly boil down to either misconfiguration or being misled. For an average computer user, being misled is far more common, and misconfiguration will almost never be caught by one of these solutions. They do work for being misled, though! Each of these solutions offers some way to alert you when !!! DANGER !!! you’ve gone to a scary website with known bad stuff! A big red page pops up in your browser and you are escorted back to safety. It’s working! You shan’t be tricked by any ne’er-do-wells! Well, yes, it is working. You avoided trickery in one specific instance. Would you have otherwise fallen prey without this software?

The problem with these two issues is that most of this is already built into every Operating System (OS). Any self-respecting browser notifies you when you navigate to a page with known danger. Your OS already scans downloads for viruses, and has some kind of built-in antivirus system. So, on one hand, they just aren’t necessary. You are better off making sure you always keep your OS up-to-date, and your browser is likely already keeping itself up-to-date (but it’s worth checking anyway). You can avoid having another piece of software with potential vulnerabilities. Less is more. Not to mention, this is a piece of software that you give absolute power to, sold by people trying to make money. Surely they wouldn’t do anything that actively erodes security on my computer…

Power of defaults

…well, you’d hope. In practice, they almost all do, and it’s almost always on-by-default. Among the services offered by every cybersecurity solution is some form of “network traffic monitoring”. When this feature is turned on, their software reads all your network traffic wherever it’s installed. There is one legitimate reason for doing this: if you already have some nasty piece of software on your computer, they can potentially detect it “phoning home” (reaching out to some computer/server owned by its creator) and use that to root it out. So, this benefit only applies if you already have something that has made its way onto your computer (i.e. the “security” software has already failed), and the cost is that it reads every bit of data that your computer sends and receives. That’s a lot of access (all your internet traffic) for a very specific potential benefit (allegedly making it easier to catch a virus).

If this were only unencrypted traffic, for one it would be even more useless, but also my eyebrows would have remained un-elevated and I would never have written this post. Unencrypted traffic can be read by anyone who owns the network you’re on, and hopefully nothing you rely on is sending or receiving data over an unencrypted channel. Instead, my face is now permanently stuck like this 😲 and you are (against all odds) still reading.

How to read encrypted traffic (and get away with it)

Each one of these solutions runs a local network “proxy” on your computer. All network traffic on your computer runs through this proxy. This is like a dystopian mail forwarding service, where every letter is opened, read, re-sealed, and sent to its intended recipient — just without the blacked-out text. When this is done by something you didn’t choose to install, it is called a Person in the Middle attack.

Let’s walk through an example using the paper-mail-forwarding analogy. Say you’re using Chrome and connecting to the Knudge app. There are 3 parties at play: the browser (Chrome) loading and running the Knudge app, the Knudge backend (running at app.knudge.com), and a proxy run by your installed “cybersecurity” solution.

  1. You type in https://app.knudge.com in the address bar and hit enter.
  2. Chrome sends a letter addressed to the Knudge backend, which arrives at the proxy.
  3. The proxy opens the letter and reads it, looking for any “suspicious” traffic.
  4. The proxy reseals it in a new envelope, and sends it to app.knudge.com.
  5. Knudge responds with a reply letter, which hits the proxy.
  6. The proxy opens the letter from Knudge and reads it, looking for any “suspicious” incoming data.
  7. The proxy reseals the letter and sends it to Chrome.
  8. Chrome opens the letter and reads it, allowing it to run and display the Knudge app.

This process repeats for each network request the Knudge app makes within Chrome.

But wait! This shouldn’t be possible!

“Aren’t there SSL certificates and TLS that protect against this? The browser is hitting https://app.knudge.com, so it’s secure!”

In normal circumstances, yes, but not here. Security on the internet is built on layers of trust. One of these layers is in the form of cryptographic certificates that are used to sign and encrypt all traffic between your computer and an https website. These certificates identify the website as valid and help ensure you are indeed connecting to Knudge and not somebody impersonating Knudge.

There are a number of intermediate Certificate Authorities who issue these certificates, which roll up to about half a dozen top-level CAs. Every computer has the certificates of these top-level CAs preinstalled, and each top-level CA signs the certificates of the layer of CAs below them, continuing down until you reach the CA that actually signs the certificates for individual websites. That’s why every https website works out of the box on a new device. Your OS is very protective of this set of CAs because, well, they establish trust. If one could install a new CA locally, one could, I dunno, impersonate any website for any program running on that computer. Wait a second!

Each of these security solutions does exactly that. When Chrome hits the proxy, it thinks the proxy is Knudge. The proxy said it was Knudge, and it said so with a certificate signed by a trusted CA, so it must be Knudge!

Why can this break the connection to Knudge?

Back to the paper-mail analogy. The proxy can’t just forward the original letter as-is, because the letter is actually addressed to the proxy, not to Knudge. The proxy has to make a new envelope for the letter that is actually addressed to Knudge, then send that letter out. It has to replicate the original envelope as closely as possible. The stamp has to be right, the shape has to match the content — after all, a birthday card won’t fit in a standard business envelope. Everything has to be exactly the same. Computer networking is a pretty complicated thing, and even the slightest difference could mean that the proxy fails entirely, corrupting the traffic it is trying to replicate.

That’s what happens to Knudge. The antivirus’ proxy fails to faithfully reproduce the network data that Knudge (or Chrome) expects, and the connection fails.

But, for many of our users, this is only a problem on Knudge and not other websites. Why? Well, we use (and require) some of the latest TLS standards, we use HTTP/2 across the board, and use a custom HTTP method. While all of these are sensible practices for safety and correctness, they trip up some software that tries to imitate the connection. Many websites won’t fail, even if they can use our same standards, because they will fall back on older standards if necessary. This isn’t how we’re set up — for both speed and security reasons. In addition, Chrome recently started using HTTP/2 out of the gate, without fallback, if it was advertised as being available. When these proxies choke on traffic, it’s usually on newer protocols, against which the proxy hasn’t been tested. All of this means that Knudge has been more likely than most websites to encounter issues with these proxies.
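A check for the two things described above (a locally installed CA impersonating a site, and a strict TLS 1.3 / HTTP/2 setup that a proxy must reproduce faithfully), added here as an example and not code from the Knudge post. It reads the certificate a host actually presents to this machine and flags one whose issuer is not a known public CA; the allow-list of CA names, the sample certificates and the “Example AV” names are constructed placeholders.

```python
import socket
import ssl

# Constructed sample allow-list of organizations that run public CAs; extend it
# with the CAs that issue the sites you care about. Anything else did not come
# through the public trust hierarchy the post describes.
PUBLIC_CA_ORGS = {"Let's Encrypt", "DigiCert Inc", "Google Trust Services LLC"}

def rdn_field(name, key):
    """Read one attribute (e.g. 'organizationName') from the nested-tuple
    form that ssl.SSLSocket.getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def classify_cert(cert, expected_host, public_orgs=PUBLIC_CA_ORGS):
    """'ok' if a public CA issued it, 'intercepted' if it is self-signed or
    issued by an unknown (locally installed) root, 'wrong-host' otherwise."""
    sans = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if expected_host not in sans and rdn_field(cert["subject"], "commonName") != expected_host:
        return "wrong-host"
    if cert["issuer"] == cert["subject"]:
        return "intercepted"  # self-signed: no CA involved at all
    if rdn_field(cert["issuer"], "organizationName") not in public_orgs:
        return "intercepted"  # signed by a root outside the public hierarchy
    return "ok"

def check_live(host, port=443):
    """Connect through the machine's default trust store (where an interception
    root would have been added), insisting on TLS 1.3 and HTTP/2 as a strict
    site does; a proxy that cannot keep up raises ssl.SSLError instead."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_cert(tls.getpeercert(), host), tls.version(), tls.selected_alpn_protocol()

# Constructed sample certificates in getpeercert() shape, for offline use.
SAMPLE_PUBLIC_CERT = {
    "subject": ((("commonName", "app.knudge.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "EXAMPLE-INTERMEDIATE"),)),
    "subjectAltName": (("DNS", "app.knudge.com"),)}
SAMPLE_PROXY_CERT = {
    "subject": ((("commonName", "app.knudge.com"),),),
    "issuer": ((("organizationName", "Example AV Vendor"),), (("commonName", "Example AV Root"),)),
    "subjectAltName": (("DNS", "app.knudge.com"),)}
```

Running `check_live("app.knudge.com")` on a machine with a traffic-monitoring proxy enabled returns `"intercepted"` (or fails the handshake outright), while an unproxied machine returns `"ok"` with `"TLSv1.3"` and `"h2"`.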

Sounds like a Knudge problem

Well, it is partly our problem, but it’s also everyone’s problem. Having users that can’t reach our app is not the best thing. However, our solution so far has not been “let this happen” because we cannot, in good faith, let traffic knowingly be proxied and read. That compromises the security of that user’s usage of our entire app. In addition, getting back to the “is this cybersecurity software necessary?” question: a virus on your computer would love to take over this proxy and instead use it to e.g. ransom all of your unencrypted internet traffic. It opens a potential vulnerability (and a pretty bad one) that wouldn’t otherwise exist. With it installed, it’s hard to trust any https website when the internet’s foundational layers of trust are being subverted by a program on your computer.

If you are interested in disabling this, for the sake of not calling out anyone specific, you can search for “[cybersecurity software name] disable network traffic monitoring”. Alternatively, look into what security features are already built into your OS (Windows, macOS, etc.) and see if you need the 3rd party software at all. I know it’s not that easy for everyone — many work environments mandate some sort of antivirus — but it’s worth asking.