Problem with Calibre security certificate

[GeorgePP]

Hi,
First a profile confession – I am new to Calibre, marginally computer literate and no programming skills.
My problem seems to be stemming from the site certificate on calibre-ebook.com which Windows says it cannot verify. Consequently whenever I open Calibre I get a message from Kapersky Web Antivirus asking that I continue (or close) then verify my choice: a time wasting procedure.
I have entered exceptions in Kapersky Web Antivirus to
https://code.calibre-ebook.com/
https://code.calibre-ebook.com/*
https://code.calibre-ebook.com/plugins/plugins.json.bz2
did not help
Worse I cannot connect to the plugins – new or update. These are the details of the Calibre message:

calibre, version 2.54.0
ERROR: Update Check Failed: Unable to reach the plugin index page.

Traceback (most recent call last):
File "site-packages\calibre\gui2\dialogs\plugin_updater.py", line 434, in __init__
File "site-packages\calibre\gui2\dialogs\plugin_updater.py", line 61, in read_available_plugins
File "site-packages\calibre\utils\https.py", line 198, in get_https_resource_securely
File "httplib.py", line 1216, in connect
File "ssl.py", line 350, in wrap_socket
File "ssl.py", line 566, in __init__
File "ssl.py", line 788, in do_handshake
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)

If the answer is already on the forum I apologise I could not find it. I got plenty of answers by searching the web but they are for programmers in Python, beyond my ability to manage.
I would be grateful for your help.

[kovidgoyal]

You have a MiTM SSL proxy installed on your machine. That means some software on your machine is intercepting all secure traffic un-encrypting it and then re-encrypting it with its own certificate. This is extremely dangerous, it means some software on your machine can read all your secured communications. Commonly these are used to inject ads into HTTPS traffic, but some idiotic antivirus programs also install them.

If I were you, I'd wipe the machine and install a new copy of windows straight from Microsoft.

All calibre communication with code.calibre-ebook-com is using a private certificate, so it will fail when a MitM proxy is installed. You can always download the plugins manually using a browser from http://plugins.calibre-ebook.com and then install them in calibre by using the Install from zip file button.

[GeorgePP]

First many thanks for the incredible fast reply.
Then Ouch. I have never done a full re-install. I assume this means re-installing all the other programs on my system disk? Also I assume no point of doing a recovery from an Acronis image (also never done this). Fortunately (I think?) I have data on a separate SSD. Is there a possible alternative course? Is there any way of finding which program runs this MiTM SSL proxy? Does the problem only occur with private certificates – that is why it has not occurred before?
I am hoping this is not a virus –I have done all the usual things with updates of Windows etc, running Kaspersky for a few years plus the full Malwarebytes program.
Thanks again for your advice.

[kovidgoyal]

Yes, it means doing a full re-install of everything. If you google MitM SSL proxy you will get various bits of advice on how to try and detect which program is causing it.

MitM SSL proxies work by inserting their root certificate into the windows certificate store, therefore all normal SSL connections will work, only a connection using a private certificate (i.e. not using the windows certificate store) will fail.

[GeorgePP]

Again, thank you.
I will follow up your advice and will post the eventual result.
BTW I forgot to mention that the link http://plugins.calibre-ebook.com opens a page called Index of calibre plugins with individual plugins listed, but I could not find a zip file on it.

[kovidgoyal]

Click the download plugin link to get the zip file for that plugin.

[PeterT]

I can't help but think that the MITM is probably Kapersky Web Antivirus itself.

[GeorgePP]

Thanks for the reply, I misunderstood and thought it would be a zip file containing all the plugins.

As promised, reporting back hoping it may help someone with a similar problem.
As you suggested my AV program was the problem. After some research on the net I got a hint of similar problems on the Kaspersky forum. Apparently the program’s setting to scan encrypted connections causes the problem.

This is what worked:
Kasperksy 2016 Internet Security: open Settings > Additional > Network:
Encrypted connections scanning section, you can enable/disable scanning for encrypted connections that use the SSL protocol.
1.Do not scan encrypted connections
If this option is selected, Kaspersky Internet Security does not scan SSL traffic.
2.Scan encrypted connections upon request from protection components
This option is selected by default.
3.Always scan encrypted connections
Advanced Settings
Clicking this link opens a window in which you can modify additional settings for secure connections and install the Kaspersky Lab certificate.

As a first step as recommended I disabled option 2 and enabled option 1 > Do not scan encrypted connections. Starting calibre, the warning of a bad Security certificate disappeared and the links to the calibre site for the plugins worked normally.

As this step diminishes the security provided by KAV, I tested the next suggestion which apparently works for most such cases. I re-enabled option 2 and opened the Advanced Settings and installed the Kaspersky Lab certificate. Everything still works as before.

I think this has solved the problem and that KAV was acting as the MiTM agent causing it. Would be very happy to hear your comments and again thanks for your help.

[kovidgoyal]

That's odd, I dont see how it could possibly work if Kaspersky is still MitMing the traffic. If it's working, then whatever changes you made mean that Kaspersky is not MitMing the traffic anymore and therefore cannot scan the encrypted traffic.

[eschwartz]

Option two sounds like it only scans encrypted traffic from specified domains using some sort of blacklist.

I do wonder how practically speaking this helps in a security sense.

[BetterRed]

Quote:

Originally Posted by eschwartz

I do wonder how practically speaking this helps in a security sense.

- Just more buttons and knobs with which the anorak coated hordes can twiddle.

[GeorgePP]

Thank you for the interesting comments. For the sake of brevity I did not post everything from Kaspersky. Some of the issues raised may be explained by the further details below. While I am no expert my understanding is that basically letting Kaspersky scan encrypted connections does entail trading privacy for extra security.

In fairness to Kaspersky here are the further details. Under “Encrypted Connections scanning” is a link “websites” with a list pf perhaps 100+ sites and the warning “..may be inaccessible when scanning of encrypted connections is enabled” . Curiously many Kaspersky links including Kaspersky.com are listed.

On option 2, “Scan encrypted connections upon request from protection components”, the full explanation is :
” Kaspersky Internet Security uses the installed Kaspersky Lab certificate to verify the security of SSL connections only if this is required by the Web Anti-Virus, Parental Control, Kaspersky URL Advisor, and Safe Money protection components. If the Parental Control, Kaspersky URL Advisor, and Safe Money protection components are disabled, Kaspersky Internet Security does not verify the security of SSL connections. This option is selected by default.”

The comments on option 3 “Always scan encrypted connections” are helpful regarding how installing the Kaspersky Certificate helps (taken on trust of the statement as the mysteries of certificates are beyond me):
“If this option is selected, Kaspersky Internet Security always uses the installed Kaspersky Lab certificate to ensure that connections are secure.
Use of the Secure Sockets Layer (SSL) protocol for connections allows safely exchanging data on the Internet. The SSL protocol makes it possible to identify the parties exchanging data using electronic certificates, encrypt data during transfer, and ensure the integrity of data during transfer.
If Kaspersky Internet Security detects an invalid certificate when connecting to a server (for example, when the certificate has been replaced by someone with malicious intentions), the application displays a notification prompting you to accept or reject the certificate, or else to view information about the certificate. If Kaspersky Internet Security is operating in automatic protection mode, it automatically terminates any connection that uses an invalid certificate, without displaying any notification.”

As I understand it option 2 is a compromise - scanning sites referred as suspicious by the other modules but not all encrypted sites. Since the installation of the Kaspersky Lab certificate the calibre certificate is accepted as safe.