Importance and particulars of using the secure protocols in Kaspersky Lab solutions
To interact with Kaspersky Lab services Kaspersky Endpoint Security 11.1 for Windows and Kaspersky Security Center 11.0 have switched to the secure communication channel using the TLS protocol. These Kaspersky Lab services include the Update, Activation 2.0 and Kaspersky Security Network service.
Previous communication channel without TLS ensured the integrity of transmitted data by using the digital signature verification. Encryption was used to ensure privacy. The new approach with the use of TLS allowed to unify the infrastructure of communication with Kaspersky Lab services. Permanent cryptographic protection of communication channels enhances the security of interaction and allows to develop such approaches to building server/service infrastructures that would be common and consistent and ensure integrity and security.
Switching to TLS provides complex protection of the communication channel on account of the following points:
- Encryption. Messages content is private and is not disclosed to outside users.
- Integrity. A message recipient can be sure that the content remained unchanged since the message had been sent.
- Server authentication. The user can be sure that the connection is established only to trusted Kaspersky Lab servers.
Server authentication is based on the use of public key certificates. To enable server authentication it is required to build the public key infrastructure (PKI). One of the PKI components is the Certification Authority. Since Kaspersky Lab services are not public, and are purely technical, it is easier to use their own Certification Authority. In this case, Kaspersky Lab PKI will keep working even if the root certificates (thawte, verisign, globaltrust, etc) are revoked.
As a result of switching to the secure communication channels, environments with MITM (software and hardware proxies that support parsing HTTPS protocol) will be considered as unsafe. Errors may occur upon connecting to Kaspersky Lab services. Besides while working in such environment you can get error messages that the connection is using self-signed certificates. The reason is that Kaspersky Lab solutions use their own PKI. HTTPS Inspection tool from your environment does not recognize Kaspersky Lab PKI. To eliminate the consequences it is necessary to use the exclusions: