SSL and Anti-Virus

Discussion in 'Computer Security' started by Art, Jun 10, 2007.

  1. Art

    Art Guest

    Is there an anti-virus program that can scan incoming mail that is
    encrypted?

    My provider recently required users to convert to SSL encrypted POP3
    and SMTP ports. This disabled my anti-virus software (and also
    anti-spam) which can't read encrypted messages or attachments either
    incoming or outgoing.

    The provider has given me no clear answer on whether they perform
    anti-virus scans before I download email to my client. They do claim
    that encryption protects against viruses, but it seems to me even an
    encrypted email or attachment can contain a virus.

    Art
     
    Art, Jun 10, 2007
    #1

  2. Art

    Sebastian G. Guest

    Art wrote:

    > Is there an anti-virus program that can scan incoming mail that is
    > encrypted?



    As a proxy? No. Even if they would actually do it, do you think they'd do it
    reliably?

    > My provider recently required users to convert to SSL encrypted POP3
    > and SMTP ports. This disabled my anti-virus software (and also
    > anti-spam) which can't read encrypted messages or attachments either
    > incoming or outgoing.



    WTF? Spam filtering normally is and should be part of the mail client, for
    obvious reasons.

    > The provider has given me no clear answer on whether they perform
    > anti-virus scans before I download email to my client. They do claim
    > that encryption protects against viruses, but it seems to me even an
    > encrypted email or attachment can contain a virus.



    Besides that your ISP is telling you nonsense, you should wonder why you're
    using a mail client that you think is potentially vulnerable to executing
    arbitrary attachments. Anyway, a normal spam filter does a much better job
    on this.
     
    Sebastian G., Jun 10, 2007
    #2

  3. Art

    Vanguard Guest

    "Art" <> wrote in message
    news:...
    > Is there an anti-virus program that can scan incoming mail that is
    > encrypted?
    >
    > My provider recently required users to convert to SSL encrypted POP3
    > and SMTP ports. This disabled my anti-virus software (and also
    > anti-spam) which can't read encrypted messages or attachments either
    > incoming or outgoing.
    >
    > The provider has given me no clear answer on whether they perform
    > anti-virus scans before I download email to my client. They do claim
    > that encryption protects against viruses, but it seems to me even an
    > encrypted email or attachment can contain a virus.
    >
    > Art



    E-mail scanning is redundant. You don't need it. It will often
    interfere with e-mail transfers (because of the injected delay in the
    mail traffic while the on-demand scanner interrogates that mail
    traffic). Besides, ALL e-mail gets sent as plain-text. If you look at
    the source of the e-mail, it is all text. Any graphics or other binary
    content or attachments are encoded into plain-text within a section in
    the body of the e-mail. Plain-text is harmless. You would have to
    actually DECODE that plain-text content when saving the attachment into
    a file - and the same on-demand scanner used to interrogate your mail
    traffic is the same on-demand scanner watching when you create a new
    file when saving that attachment.
     
    Vanguard, Jun 11, 2007
    #3
  4. Art

    kurt wismer Guest

    Art wrote:
    > Is there an anti-virus program that can scan incoming mail that is
    > encrypted?
    >
    > My provider recently required users to convert to SSL encrypted POP3
    > and SMTP ports. This disabled my anti-virus software (and also
    > anti-spam) which can't read encrypted messages or attachments either
    > incoming or outgoing.


    i'm actually a little surprised that an anti-virus or anti-spam for that
    matter that handles normal pop3 and smtp wouldn't also be capable of
    handling the secure versions since they are neither new nor obscure...

    i could see the system needing to be reconfigured to use the different
    protocol, but not handling it at all seems odd...

    > The provider has given me no clear answer on whether they perform
    > anti-virus scans before I download email to my client. They do claim
    > that encryption protects against viruses, but it seems to me even an
    > encrypted email or attachment can contain a virus.


    have you, by chance, contacted your anti-virus (and anti-spam) vendor
    for support? they might know of a solution that doesn't even require you
    to select different software...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
     
    kurt wismer, Jun 11, 2007
    #4
  5. Art

    Sebastian G. Guest

    kurt wismer wrote:


    > i'm actually a little surprised that an anti-virus or anti-spam for that
    > matter that handles normal pop3 and smtp wouldn't also be capable of
    > handling the secure versions since they are neither new nor obscure...



    except to the uninitiated base of dumb Joe Averages.

    And the technical reason is obvious: The proxy had to man-in-the-middle the
    encrypted connection, add an appropriate to the client, and verify the
    certificates of the server on himself.
     
    Sebastian G., Jun 12, 2007
    #5
  6. Art

    kurt wismer Guest

    Sebastian G. wrote:
    > kurt wismer wrote:
    >
    >
    >> i'm actually a little surprised that an anti-virus or anti-spam for that
    >> matter that handles normal pop3 and smtp wouldn't also be capable of
    >> handling the secure versions since they are neither new nor obscure...

    >
    >
    > except to the uninitiated base of dumb Joe Averages.
    >
    > And the technical reason is obvious: The proxy had to man-in-the-middle the
    > encrypted connection, add an appropriate to the client, and verify the
    > certificates of the server on himself.


    and since there are content scanners that do that for web traffic
    there's no reason it shouldn't be possible for email traffic as well...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
     
    kurt wismer, Jun 13, 2007
    #6
  7. "Vanguard" <> (07-06-10 23:04:20):

    > E-mail scanning is redundant. You don't need it. It will often
    > interfere with e-mail transfers (because of the injected delay in the
    > mail traffic while the on-demand scanner interrogates that mail
    > traffic).


    It is not. Some emails try to exploit certain vulnerabilities in email
    clients. Such exploits are often based on a vulnerable mail
    parser/decoder. Because parsing emails is such a complex matter, there
    is a lot of room for bugs.


    > Besides, ALL e-mail gets sent as plain-text. If you look at the
    > source of the e-mail, it is all text. Any graphics or other binary
    > content or attachments are encoded into plain-text within a section in
    > the body of the e-mail. Plain-text is harmless.


    Yes, as long as it lies on the server and is not parsed. Upon
    forwarding it to the client, it _becomes_ potentially harmful, because
    of the fact that the program has to parse and decode it.


    > You would have to actually DECODE that plain-text content when saving
    > the attachment into a file - and the same on-demand scanner used to
    > interrogate your mail traffic is the same on-demand scanner watching
    > when you create a new file when saving that attachment.


    Things like images, HTML, sometimes even PDF or certain script types,
    are decoded and run/displayed right away. Some clients take the detour
    through a temporary file, but others display right away.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.
     
    Ertugrul Soeylemez, Jun 13, 2007
    #7
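The point argued in posts #3 and #7, as an added example that is not part of any post: an attachment travels as base64 text, so a byte-pattern search over the wire form misses it, and a scanner has to run the same MIME parsing and decoding the mail client does. The message, addresses and marker bytes are constructed for illustration.

```python
# Added example, not from the thread. Message and marker are constructed.
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Constructed stand-in for a scanner signature (hyphens cannot occur in base64).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample() -> bytes:
    """Return the wire form of a message carrying one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "art@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"header bytes " + MARKER + b" trailer",
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    return msg.as_bytes()


def scan_raw(wire: bytes) -> bool:
    """Naive scan of the undecoded message text as it crosses the wire."""
    return MARKER in wire


def scan_decoded(wire: bytes) -> list:
    """Parse the MIME tree, undo each transfer encoding, scan every leaf."""
    hits = []
    msg = message_from_bytes(wire, policy=default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if MARKER in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits


if __name__ == "__main__":
    wire = build_sample()
    print("raw scan hit:    ", scan_raw(wire))
    print("decoded scan hit:", scan_decoded(wire))
```
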
  8. Art

    Sebastian G. Guest

    Ertugrul Soeylemez wrote:


    > It is not. Some emails try to exploit certain vulnerabilities in email
    > clients. Such exploits are often based on a vulnerable mail
    > parser/decoder. Because parsing emails is such a complex matter, there
    > is a lot of room for bugs.



    And which virus scanner detects such exploits? And wouldn't it rather be a
    good reason to switch your mail client if it has outstanding unpatched
    vulnerabilities for so long that even virus scanners already contain
    signatures for it?

    >> You would have to actually DECODE that plain-text content when saving
    >> the attachment into a file - and the same on-demand scanner used to
    >> interrogate your mail traffic is the same on-demand scanner watching
    >> when you create a new file when saving that attachment.

    >
    > Things like images, HTML, sometimes even PDF or certain script types,
    > are decoded and run/displayed right away.



    Very strange. The only thing that should be automatically processed is
    S/MIME and OpenPGP. Anything else is plaintext and attachments.
     
    Sebastian G., Jun 13, 2007
    #8
  9. Art

    Sebastian G. Guest

    kurt wismer wrote:


    > and since there are content scanners that do that for web traffic
    > there's no reason it shouldn't be possible for email traffic as well...


    Just show me one implementation that does it right, especially verifying the
    original certificate. And then a virus scanner vendor which even gets the
    idea of applying it to various mail protocols as well. And then tell him,
    why he should spend effort on implementing it when the number of clients who
    care asymptotically approaches zero. Heck, even most of the virus scanners
    that are scanning web traffic (which is superfluous as well) don't care for
    SSL traffic.
     
    Sebastian G., Jun 13, 2007
    #9
  10. "Sebastian G." <> (07-06-13 14:31:12):

    > > It is not. Some emails try to exploit certain vulnerabilities in
    > > email clients. Such exploits are often based on a vulnerable mail
    > > parser/decoder. Because parsing emails is such a complex matter,
    > > there is a lot of room for bugs.

    >
    > And which virus scanner detects such exploits? And wouldn't it rather
    > be a good reason to switch your mail client if it has outstanding
    > unpatched vulnerabilities for so long that even virus scanners already
    > contain signatures for it?


    Of course it's a good reason. Unfortunately, the majority of users
    still don't care. This is why most A/V suites today even contain some
    kind of desktop firewall, to protect against worms such as Blaster.


    > > > You would have to actually DECODE that plain-text content when
    > > > saving the attachment into a file - and the same on-demand scanner
    > > > used to interrogate your mail traffic is the same on-demand
    > > > scanner watching when you create a new file when saving that
    > > > attachment.

    > >
    > > Things like images, HTML, sometimes even PDF or certain script
    > > types, are decoded and run/displayed right away.

    >
    > Very strange. The only thing that should be automatically processed is
    > S/MIME and OpenPGP. Anything else is plaintext and attachments.


    Principally yes, but there is no standard as to which parts of a
    multi-part document are to be taken as inline vs. attached content.
    That is even true for single-part documents. If the content type says
    it's an image, then it's an image and some mail programs will display
    them right away.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.
     
    Ertugrul Soeylemez, Jun 15, 2007
    #10
  11. Art

    Sebastian G. Guest

    Ertugrul Soeylemez wrote:


    >> Very strange. The only thing that should be automatically processed is
    >> S/MIME and OpenPGP. Anything else is plaintext and attachments.

    >
    > Principally yes, but there is no standard as to which parts of a
    > multi-part document are to be taken as inline vs. attached content.



    There is, and I named it. The standard is to unwrap S/MIME or OpenPGP, then
    default to text/plain as the only inline type, and if none such exists, the
    MIME plain text part should be displayed (or nothing at all). Everything
    else is attached content.

    > That is even true for single-part documents. If the content type says
    > it's an image, then it's an image and some mail programs will display
    > them right away.



    WTF? Which mail program is that broken?
     
    Sebastian G., Jun 15, 2007
    #11
  12. "Sebastian G." <> (07-06-15 15:37:54):

    > > > Very strange. The only thing that should be automatically
    > > > processed is S/MIME and OpenPGP. Anything else is plaintext and
    > > > attachments.

    > >
    > > Principally yes, but there is no standard as to which parts of a
    > > multi-part document are to be taken as inline vs. attached content.

    >
    > There is, and I named it. The standard is to unwrap S/MIME or OpenPGP,
    > then default to text/plain as the only inline type, and if none such
    > exists, the MIME plain text part should be displayed (or nothing at
    > all). Everything else is attached content.


    I wouldn't know that this is a standard. After unwrapping, it's
    recommended practice to use the first text/plain part as the `main'
    part.

    Even if it's a standard, there are very few mail-readers, which follow
    it. The more common GUI readers do at least HTML display by default,
    and only resort to text/plain, if no text/html is found. If neither of
    them are found, then they seem to display the first part, that can be
    displayed inline, whatever it is.

    This is also how my reader behaves, with the only difference that it
    prefers text/plain over text/html, when both are present.


    > > That is even true for single-part documents. If the content type
    > > says it's an image, then it's an image and some mail programs will
    > > display them right away.

    >
    > WTF? Which mail program is that broken?


    At least Claws Mail (the one I'm using), Thunderbird and Outlook Express
    do this. Also I don't see any reason to consider this broken behaviour.
    It's the way MIME-enabled programs are supposed to work.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.
     
    Ertugrul Soeylemez, Jun 15, 2007
    #12
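The three display policies argued over in posts #11 and #12, as an added example that is not part of any post: it computes which MIME part each policy would render without user action. The policy names (`strict`, `html_first`, `plain_first`), the `INLINE_CAPABLE` list and the sample messages are assumptions made for illustration, not the behaviour of any specific mail client's code.

```python
# Added example, not from the thread. All messages below are constructed.
from email.message import EmailMessage

# Assumption: the media types a GUI reader is able to render inline.
INLINE_CAPABLE = ("text/", "image/")


def make(kind: str) -> EmailMessage:
    """Build one of three constructed sample messages."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    if kind == "alternative":            # text/plain + text/html
        m.set_content("hello")
        m.add_alternative("<p>hello</p>", subtype="html")
    elif kind == "html_only":
        m.set_content("<p>hello</p>", subtype="html")
    elif kind == "image_only":           # single-part image, no disposition
        m.set_content(b"\x89PNG constructed", maintype="image", subtype="png")
    return m


def pick_inline(msg: EmailMessage, policy: str):
    """Return the content type rendered without user action, or None."""
    types = [p.get_content_type() for p in msg.walk()
             if not p.is_multipart()
             and p.get_content_disposition() != "attachment"]
    if policy == "strict":               # only text/plain is ever inline
        return "text/plain" if "text/plain" in types else None
    order = {"html_first": ["text/html", "text/plain"],
             "plain_first": ["text/plain", "text/html"]}[policy]
    for wanted in order:
        if wanted in types:
            return wanted
    # Fallback described in the thread: first part that can be shown inline.
    return next((t for t in types if t.startswith(INLINE_CAPABLE)), None)


def decision_table() -> dict:
    """Map (message kind, policy) to the part that gets auto-rendered."""
    return {(kind, policy): pick_inline(make(kind), policy)
            for kind in ("alternative", "html_only", "image_only")
            for policy in ("strict", "html_first", "plain_first")}


if __name__ == "__main__":
    for key, shown in decision_table().items():
        print(key, "->", shown)
```
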
  13. Art

    Sebastian G. Guest

    Ertugrul Soeylemez wrote:

    > The more common GUI readers do at least HTML display by default,



    Which only proves that most defaults suck. :)

    > and only resort to text/plain, if no text/html is found. If neither of
    > them are found, then they seem to display the first part, that can be
    > displayed inline, whatever it is.
    >
    > This is also how my reader behaves, with the only difference that it
    > prefers text/plain over text/html, when both are present.



    Well, this just shows that yours sucks as well. If only text/html is
    present, mine displays empty, as it should.

    >>> That is even true for single-part documents. If the content type
    >>> says it's an image, then it's an image and some mail programs will
    >>> display them right away.

    >> WTF? Which mail program is that broken?

    >
    > At least Claws Mail (the one I'm using), Thunderbird and Outlook Express
    > do this. Also I don't see any reason to consider this broken behaviour.
    > It's the way MIME-enabled programs are supposed to work.


    Rendering MIME parts without explicit consent? I'd definitely consider this
    broken. If I wanted an attached image to render as image, I'd double-click
    to open it, and then it would be opened with the default image display
    program of my system.

    BTW, at least for Thunderbird I know that it can be configured appropriately.
     
    Sebastian G., Jun 15, 2007
    #13
  14. "Sebastian G." <> (07-06-15 17:56:24):

    > > The more common GUI readers do at least HTML display by default,

    >
    > Which only proves that most defaults suck. :)


    Indeed. But that's the default in your reader, not in mine. ;)


    > > and only resort to text/plain, if no text/html is found. If neither
    > > of them are found, then they seem to display the first part, that
    > > can be displayed inline, whatever it is.
    > >
    > > This is also how my reader behaves, with the only difference that it
    > > prefers text/plain over text/html, when both are present.

    >
    > Well, this just shows that yours sucks as well. If only text/html is
    > present, mine displays empty, as it should.


    It displays HTML without any formatting, i.e. it just removes the HTML
    tags properly and displays whatever is left. A few tags like <a> are
    interpreted to preserve links. That's probably much more secure than
    opening the text/html part with a browser, which would be your way of
    viewing HTML content.

    Sure, you can just refuse to accept HTML mails at all, but that's not
    possible for me.


    > > At least Claws Mail (the one I'm using), Thunderbird and Outlook
    > > Express do this. Also I don't see any reason to consider this
    > > broken behaviour. It's the way MIME-enabled programs are supposed
    > > to work.

    >
    > Rendering MIME parts without explicit consent? I'd definitely consider this
    > broken.


    A text/plain part is nothing but just another MIME part. Technically
    there is no reason to handle it differently.


    > If I wanted an attached image to render as image, I'd double-click to
    > open it, and then it would be opened with the default image display
    > program of my system.


    That's what my program did in earlier versions. Inline display of
    images used to be a plugin. Now it has been merged into the main
    program, because most users appeared to use the plugin anyway. However,
    you can still disable it easily.


    Regards,
    Ertugrul Söylemez.


    --
    Security is the one concept, which makes things in your life stay as
    they are. Otto is a man, who is afraid of changes in his life; so
    naturally he does not employ security.
     
    Ertugrul Soeylemez, Jun 16, 2007
    #14