
ESET does not use encryption for updates and is prone to man-in-the-middle attacks.
In particular, the recently discovered security gap in ESET (CVE-2016-0718) illustrates the impact that a lack of encryption could have in combination with such a flaw.
Vulnerability - Client Updates
When a client wants to update its signatures, it establishes an HTTP connection to the repository server. This connection is unencrypted and vulnerable to man-in-the-middle attacks. If there is no signature check, it is possible to inject malicious code.
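The check an update client needs before it applies a download, as an added example that is not ESET's code: it refuses any source that is not HTTPS and compares the payload against a trusted manifest. The SHA-256 manifest stands in for a real vendor signature check and is assumed to be authenticated separately; the host name, file name and payloads are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class UpdateRejected(Exception):
    """Raised when an update fails the transport or integrity policy."""


def check_update(url, payload, manifest):
    """Return payload only if it came over HTTPS and matches the manifest.

    manifest maps file name -> expected SHA-256 hex digest. Assumption: the
    manifest itself is authenticated (e.g. signed with a key shipped in the
    client), otherwise an on-path attacker could replace it as well.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("refusing non-TLS update source")
    name = parts.path.rsplit("/", 1)[-1]
    expected = manifest.get(name)
    if expected is None:
        raise UpdateRejected(f"{name} is not listed in the trusted manifest")
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected(f"digest mismatch for {name}")
    return payload


def try_update(url, payload, manifest):
    """Apply the policy and report the outcome as a string."""
    try:
        check_update(url, payload, manifest)
        return "accepted"
    except UpdateRejected as exc:
        return f"rejected: {exc}"


# Constructed sample data: a genuine update and a copy modified in transit.
GOOD = b"signature-db v2 (constructed sample)"
TAMPERED = GOOD + b" + injected module"
MANIFEST = {"update.bin": hashlib.sha256(GOOD).hexdigest()}
HTTPS_URL = "https://repo.example.test/v2/update.bin"  # hypothetical host
HTTP_URL = "http://repo.example.test/v2/update.bin"

if __name__ == "__main__":
    for url, body in [(HTTPS_URL, GOOD), (HTTP_URL, GOOD), (HTTPS_URL, TAMPERED)]:
        print(url, "->", try_update(url, body, MANIFEST))
```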
Vulnerability - ESET Remote Administrator Repository Updates
Updates from the ERA servers are also unencrypted, which is why a man-in-the-middle attack is also possible here.
Protection
A TLS certificate costs no more than € 10 per domain per year for the two domains. The vulnerability was confirmed to us by ESET – we did not receive an answer as to whether this vulnerability should be fixed.
At this point, we expect better communication and more transparency from a security manufacturer.