Add a module to check the SSL protocol (Certificates) For All Traffic [M1135]

1. What version of CIS, or Comodo Firewall, are you currently using:

2. What actually happened or you saw:
At the moment users have the option to filter websites, but do not have a module that checks the SSL protocol - Certificates for whether they are invalid or corrupted.

3. What you wanted to happen or see:
It would be good to add a module which will enable inspection of the SSL protocol and, when an abnormal situation is detected (invalid or corrupted certificates), display a warning through which the user can choose to allow or block this communication. This would analyze all encrypted traffic, and not just that through the browser.
The warning could be displayed on screen or even in the system tray.

4. Why you think it is desirable:
A module of this kind will allow CIS to detect possible problems which not all browsers are able to correctly identify. It would also add an extra layer of security to all encrypted connections, regardless of whether they are made through the browser.
Eset Internet Security has a component like this. Useful information about it can be found on this page and also on this page.

5. Any other information:
Perhaps this could be added as an extra rule in the Website Filtering component, which is already part of CIS.
Maybe part of the existing code in Webinspector and / or Comodo SSL analyzer can be useful in the development of this module.

This sounds like an interesting wish. However, I would have thought that a browser would handle this sort of issue. Can you please provide a link for a similar product so I can look into this deeper? If I am unsure about how this would work I’m sure that others may be uncertain as well.

Sure, no problem.
The product I tested was ESET Smart Security, and the link below has the screen with the feature I mentioned:

This second link has a warning about a connection made by a safe application, and an untrusted certificate has been detected:

official site: Cyber security with Data Encryption and Antivirus | ESET

Some similar mechanism could be added to CIS in the future that allows filtering / checking connections with the SSL protocol (for browsers or software) and displays certificate details, allowing us to accept or not.

Or maybe even a WebShield that checks the content received through the secure connection, detects unknown and / or dangerous patterns and alerts us about it.

When I tested ESET, it allowed me to block connection attempts coming from secure sites (remote port 443), and at that time I was not using any browser or application.
Demonstrating that malicious actors are using more sophisticated attacks …

Another idea is to enhance rules and standards for SSL connections and allow specific settings in CIS.


Thank you for the links. I think the best place to put something like this, at least for the moment, would be part of the Website Filtering component. This sort of check could be used as an added rule, perhaps to check all SSL encryption and pop up a warning for any SSL certificate found to be invalid or corrupted, with a question of whether to continue or not. This rule could then be editable through the Website Filtering component.

This may be exactly what you had in mind, but I want to make sure before I make any changes to the first post. This could potentially be very valuable as it would therefore monitor all traffic, not just that through the browser.

Let me know if I am now on the same wavelength as you.


I think a feature like this could be useful to all browsers, but without doubt it would be great if it allows monitoring of all traffic.

This feature would analyze and / or filter connections that are established by the SSL protocol, validating and identifying the patterns of certificates.
If it is corrupted or invalid, allow us to block / stop this communication.

Maybe it can be part of the web filter or be added to a new area in the settings.
In this option we could edit the settings, create some exception or adjust something on the alert.

On the “warning” screen, we could have options to continue, block and monitor the connection, and a checkbox to remember the choice.

I think this wish is like a draft during a brainstorm; it can always be improved through collective collaboration.

Thank you. I have edited the first post, the title, and added a poll. I have tried to pull all these ideas together in the first post. However, please be very critical of my wording and proposed idea. I want to make sure we get this right before it is forwarded as a wish for voting.

Great, I agree with the adjustments.
Is any more information needed?

I am trying to get my head around some thoughts about this.
Apologies in advance, if my thinking out loud is off track here.
Could this idea be used in conjunction with CertSentry if it was to be included with CIS?
Also, considering CertSentry works with other system software, wouldn’t CertSentry be more suited to being included in CIS in preference to Dragon?
CertSentry-Comodo Help

Also would the following infrastructure help with this wish if it was to be incorporated into CIS?
Comodo Introduces SSL Analyzer to Help Businesses Select Certificates

Great points, captainsticks.
I think that Comodo has the expertise in this area and it would be great if CIS incorporated some of these features.

Comodo SSL analyzer was incorporated in Webinspector, is it possible to use part of this mechanism?

