thanks checked out clear, nice to run the test though.

Its not a bug, its a feature!

More news - Ad-aware and PrivDog (from the makers of Comodo) have the same vulnerability.

Another note--very many security suites perform SSL/TLS interception, at least optionally, using their own root certificate which they set up your machine to trust. I know first-hand that at least Kaspersky and NOD32 have this 'feature'.

While they may be less vulnerable to exploitation if they properly validate certificate chains before replacing them with self-signed copies and use unique private signing keys (Superfish apparently does neither), the fact remains that you are granting these apps access to any such protected information. And it is far easier for these root certs to be compromised than a real root cert as any bit of malware on your machine can do it. IMO these 'features' are not worth the risk of enabling, ever.

Whoa.  If BitDefender does this, we're in a world of HIPAA hurt.

Sony's rootkit, Superfish, PrivDog????  I dunno, it's getting to the point where you don't know if there's anyone left to trust in the software/hardware development world.  It's like they're all out for fast, easy money, and all too often  to the detriment of their customers. 

To say it is disappointing is very much a gross understatement. 

There really needs to be some international laws put in place to seriously penalise the companies/persons responsible for all this 'bundled' crap that nobody wants, and I'm not talking small fines, either.  If the 'crap' is potentially harmful and compromises users safety, then the fines should be in the several millions... with prison terms for the orchestrators, ring leaders, etc.

In fact, I reckon ALL OEM bloatware should be illegal... that PCs laptops and tablets come with just the operating system and no more.  If HP, Dell, Lenovo and others have additional software that customers would like to use, then make it available for download from the manufacturer's site.... NOT preinstalled.  And I say from the manufacturers sites because C-Net and others bundle various items of crap with software titles and seem to have a never ending bag of tricks with which to dupe users into installing unwanted junk.  If OEMs were to follow this practice the public outcry would be huge and they'd be forced to backtrack... if they were game to try it after this latest debacle.

Oh, and before I go, it's the fechen advertising execs.  Blame them, it's ALL their fechen fault... always seeking more ways to force more and more ads down your throat.

Bitdefender does support SSL scanning in recent versions.

No, it does install its own root cert. Performing a man-in-the-middle attack with fake certificates is the only way that AV suites can scan SSL/TLS encrypted traffic before it hits the browser. They could scan the traffic after it hits the browser with browser extensions, but most don't seem to use that option any more. As noted earlier, it boils down to three questions:

- Do you trust the AV software/provider with access to the encrypted information?

- Does the AV software properly validate certificates before replacing them with fakes (PrivDog doesn't)?

- Does the AV software use unique root certificates for each installation so there is no 'skeleton key' for phishers to use against you (Superfish doesn't)?

The mere fact that they are doing it does mean that you are introducing an additional vulnerability to your system. So long as you consent to it and they do the second and third things above though, the scope of that vulnerability is pretty limited (malware has to be on your machine to take advantage of the fake root cert) compared to Superfish. So it mostly boils down to the question of trust and evaluating that risk against the risk of downloading malware on HTTPS connections (which depends as much on the user's browsing habits as anything).

Now, if you're using a business version I can't say whether that has it or not--I'm only talking about consumer versions here. Though even if the business version does not scan encrypted traffic, there is no guarantee your employer is not decrypting traffic itself with an impersonating proxy or other means.

I've never seen a consumer AV suite where it was forced always on (though it may be on by default). Personally, I'm more secure knowing my bank is actually my bank and just blocking scripts/embeds than I am having the AV snooping my private traffic and rendering me unable to personally validate site identities.