Like many highly computer literate sons, my parents occasionally call on me to fix their computer. This can be anything from “I turned it off and it won’t boot up again” meaning “The hard disk has failed”, to “I can’t get my email, it comes up with a certificate error”, meaning I’ve forgotten to renew the SSL certificate on my mail server.
This week, my father send me a text message to say neither he nor my mother could receive email – but they could send it fine. I didn’t see any attempts from them to connect in my mail server’s log files, and they said they didn’t see any error messages.
This morning, I found some time to ask my mother to set up a reverse VNC connection to my desktop at home (I can’t remember what people did before VNC – maybe we installed pcAnywhere, or maybe we hopped on a car or train).
Here’s the key piece of information that was missing that I found out this morning – “We installed Kaspersky and email stopped”. D’oh! That piece of information is really important – I did something, and something else happened.
Further investigation showed that my parents installed Kaspersky as Barclays on-line banking suggested it, but then they uninstalled that, and installed AVG, but still couldn’t get email.
What caused the problem? It’s quite straightforward. POP3 doesn’t attempt any form of encryption at all, so I force people to use TLS when picking up mail from my server. It stops the very small risk of somebody finding out an email password by capturing packets, but it also encrypts all the messages being downloaded. I use SSL certificates from CACert which they provide free, and the whole system works better than self-signed certificates, but not quite as well as a full-bodied certificate from a widely-recognised CA.
AVG and Kaspersky intercept outgoing POP3 traffic, if asked, and scan it. They do this by proxying connections through their software, which can’t understand the TLS connections and so waits patiently rather than throwing up an error. The result is the mail client does nothing – no errors and no timeouts. A software stalemate.
This started me thinking – how long before encryption becomes a widespread way for malware starts to use SSL connections to bypass network-based antivirus services? You can’t disable encryption as it’s a form of security, but it’s also a form of stealth. One encrypted TCP connection looks just like the other, and there’s simply no efficient way to scan apart from right at the very edge.