This is news. Security software, like antivirus programs, intended to guarantee online security, could perhaps thwart the security of online transactions.
A new research conducted at the Concordia University, Montreal, Canada shows that security certificate might even make online computing less safe. 14 commonly used software programs were used for the research, conducted by Mohammad Mannan, assistant professor in the Concordia Institute for Information Systems Engineering (CIISE), and PhD student Xavier de Carné de Carnavalet. They found that these software programs, which claim to make systems safe by blocking virus and protecting data, “were doing more harm than good. “
As explained in a news release brought out by the university, “At the root of the problem is how security applications act as gatekeepers, filtering dangerous or unwanted elements by inspecting secure web pages before they reach the browser.” The news release further says, “Normally, browsers themselves have to check the certificate delivered by a website, and verify that it has been issued by a proper entity, called a Certification Authority (CA). But security products make the computer “think” that they are themselves a fully entitled CA, thus allowing them to fool browsers into trusting any certificate issued by the products.”
The research and its inferences would most likely make every computer user, especially those who carry out online transactions, sit up and think about the usefulness of having security software/antivirus that they have been using for long, on which they have bestowed maximum trust.
Says Xavier de Carné de Carnavalet, “Out of the products we analyzed, we found that all of them lower the level of security normally provided by current browsers, and often bring serious security vulnerabilities…While a couple of fishy ad-related products were known to behave badly in the same set-up, it’s stunning to observe that products intended to bring security and safety to users can fail as badly.”
The research was supported in part by an NSERC Discovery Grant, a Vanier Canada Graduate Scholarship and the Office of the Privacy Commissioner of Canada’s Contributions Program and the findings were originally presented at the Network and Distributed System Security Symposium 2016, held in February in California.
Mohammad Mannan is quoted (in the University release) as saying- “We reported our findings to the respective vendors so they can fix their products…Not all of them have responded yet, but we hope to bring their attention to these issues.””
The release also quotes de Carnavalet- “We also hope that our work will bring more awareness among users when choosing a security suite or software to protect their children’s online activities…We encourage consumers to keep their browser, operating system and other applications up-to-date, so that they benefit from the latest security patches”. He is also quoted as saying- “Parental control apps exist that do not interfere with secure content, but merely block websites by their domain name, which is probably effective enough.”
These findings would definitely be eye-openers to the vendors of online security products while they would also be informative for internet users across the world.