"We were able to come up with alternative attacks that still worked and Kaspersky resolved it quickly," Ormandy said in an advisory made public Wednesday. The company fixed the issue on Dec. 28, he said.
Security vendors justify SSL/TLS interception by a legitimate need to protect users from all threats, including those served over HTTPS, which a scanner cannot otherwise see. However, their implementations have often introduced security issues of their own. That's because an interception proxy takes over the certificate validation the browser would otherwise perform, and performing that validation correctly is not easy: it is something browser vendors themselves have refined over many years.
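To make concrete what "validating correctly" involves for an interceptor, here is an added example (written for this page; it is not Kaspersky's code, nor code from the article or from Google Project Zero). It implements the hostname-matching rules browsers apply to a certificate's dNSName entries (wildcard only as the whole left-most label, never across a dot, never on a bare TLD, Subject CN ignored), and sets up the upstream `ssl.SSLContext` an interception proxy should use toward the real server next to the weak variant that verifies nothing. The certificate dicts are constructed samples in the shape `getpeercert()` returns; `example.com` and `203.0.113.5` are documentation names and addresses, not real endpoints.

```python
import ipaddress
import ssl

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
# Nothing here is real certificate data from the article or from any vendor.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("IP Address", "203.0.113.5"),
    ),
}
# Constructed certificate whose only name is the Subject CN (no SAN extension).
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.com"),),)}


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname the way browsers do
    (RFC 6125 rules plus the stricter wildcard handling browsers apply).
    Both inputs are expected as ASCII A-labels (IDNA already applied).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label ("w*.example.com" is rejected),
    # and at least two fixed labels must follow so "*.com" cannot match every .com host.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # A wildcard matches exactly one non-empty label, never across a dot, so
    # "*.example.com" matches "www.example.com" but not "a.b.example.com"
    # and not the bare "example.com".
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a name the certificate is valid for."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal must equal an iPAddress SAN; dNSName entries never apply.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    # Browsers ignore the Subject CN when checking names, so a certificate
    # without SANs matches nothing; we do the same rather than fall back to CN.
    return any(match_dns_name(p, hostname) for p in dns_names)


def upstream_context() -> ssl.SSLContext:
    """Context an interception proxy should use toward the real server."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate to a trusted root
    ctx.check_hostname = True             # and the name must match, too
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_upstream_context() -> ssl.SSLContext:
    """The failure mode: a proxy that terminates TLS but verifies nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Flag the settings that turn an interceptor into a MITM for everyone."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("upstream chain not verified (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "example.com", "203.0.113.5"):
        print(host, hostname_matches_cert(SAMPLE_CERT, host))
    print("cn-only:", hostname_matches_cert(CN_ONLY_CERT, "www.example.com"))
    print("strong:", audit_context(upstream_context()))
    print("weak:", audit_context(weak_upstream_context()))
```

Name matching is only one of the checks an interceptor inherits from the browser; chain building to a trusted root, key-usage and validity-period checks, and revocation all have to be replicated as well, and a proxy that gets any of them wrong does so for every site the user visits, which is why a single mistake in this layer outweighs a bug in any one site's TLS deployment.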