SSL/TLS

ESET Internet Security can check for threats in communications that use the SSL protocol. You can use various filtering modes to examine SSL-protected communication with trusted certificates, unknown certificates, or certificates that are excluded from SSL-protected communication checking.

Enable SSL/TLS protocol filtering – If protocol filtering is disabled, the program will not scan communication over SSL.

The SSL/TLS protocol filtering mode offers the following options:

Automatic mode – The default mode scans only appropriate applications, such as web browsers and email clients. You can override it by selecting the applications whose communication will be scanned.

Interactive mode – If you enter a new SSL-protected site (with an unknown certificate), an action selection dialog is displayed. This mode allows you to create a list of SSL certificates / applications that will be excluded from scanning.

Policy mode – Select this option to scan all SSL-protected communication except communication protected by certificates excluded from checking. If a new communication using an unknown, signed certificate is established, you will not be notified and the communication will automatically be filtered. When you access a server with an untrusted certificate that is marked as trusted (it is on the trusted certificates list), communication to the server is allowed and the content of the communication channel is filtered.

The List of SSL/TLS filtered applications can be used to customize ESET Internet Security behavior for specific applications.

List of known certificates – Allows you to customize ESET Internet Security behavior for specific SSL certificates.

Exclude communication with trusted domains – When enabled, communication with trusted domains will be excluded from checking. The trustworthiness of a domain is determined by a built-in whitelist.

Block encrypted communication utilizing the obsolete protocol SSL v2 – Communication using the earlier version of the SSL protocol will automatically be blocked.

Root certificate

Add the root certificate to known browsers – For SSL communication to work properly in your browsers/email clients, it is essential that the root certificate for ESET be added to the list of known root certificates (publishers). When enabled, ESET Internet Security will automatically add the ESET SSL Filter CA certificate to known browsers (for example, Opera). For browsers using the system certification store, the certificate is added automatically. For example, Firefox is automatically configured to trust Root authorities in the system certification store.

To apply the certificate to unsupported browsers, click View Certificate > Details > Copy to File and manually import it into the browser.
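
A practical check that follows from the root certificate setup above: when a connection is filtered, the certificate the client receives is issued by the filter CA rather than by the site's own CA. The Python sketch below is an added example, not ESET code; it assumes the issuer common name on re-signed certificates matches the "ESET SSL Filter CA" name given above, and the helper names and sample certificates are constructed for illustration.

```python
import socket
import ssl

# Name the page gives for the filter root; assumed (not confirmed by the page)
# to appear as the issuer common name on certificates the filter re-signs.
FILTER_CA_CN = "ESET SSL Filter CA"


def issuer_field(cert, field):
    """Return one issuer attribute from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def is_filtered(cert, filter_cn=FILTER_CA_CN):
    """True when the leaf was issued by the local filter CA, not the site's CA."""
    return issuer_field(cert, "commonName") == filter_cn


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake against the system trust store and return the validated leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(certs_by_host):
    """Map each host to 'filtered' or 'not filtered' from its leaf issuer."""
    return {h: "filtered" if is_filtered(c) else "not filtered"
            for h, c in certs_by_host.items()}


# Constructed sample data in getpeercert() format (not captured traffic).
SAMPLE_CERTS = {
    "shop.example": {
        "subject": ((("commonName", "shop.example"),),),
        "issuer": ((("commonName", "ESET SSL Filter CA"),),),
    },
    "bank.example": {
        "subject": ((("commonName", "bank.example"),),),
        "issuer": ((("organizationName", "Example Public CA"),),
                   (("commonName", "Example Public CA R1"),)),
    },
}
```

On Windows, `ssl.create_default_context()` loads the system certificate store, so `fetch_peer_cert` raises `ssl.SSLCertVerificationError` for a filtered host when the filter root is not installed there. Running `report` over a host on the exclusion list and one that is not shows whether the exclusions behave as configured.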

Certificate validity

If the certificate trust cannot be established – In some cases, a website certificate cannot be verified using the Trusted Root Certification Authorities (TRCA) store. This means that the certificate was signed by someone (for example, the administrator of a web server or a small business), and considering this certificate as trusted is not always a risk. Most large businesses (for example, banks) use a certificate signed by the TRCA. If Ask about certificate validity is selected (selected by default), the user is prompted to choose an action to take when encrypted communication is established. You can select Block communication that uses the certificate to always terminate encrypted connections to sites with unverified certificates.

If the certificate is corrupt – This means that the certificate was incorrectly signed or is damaged. In this case, ESET recommends that you leave Block communication that uses the certificate selected. If Ask about certificate validity is selected, the user is prompted to select an action to take when the encrypted communication is established.


Illustrated examples

The following ESET Knowledgebase article may only be available in English:

Certificate notifications in ESET Windows home products

"Encrypted network traffic: Untrusted certificate" is displayed when visiting web pages