Special considerations when using encrypted protocols for interacting with external services

Kaspersky Endpoint Security and Kaspersky Security Center uses an encrypted communication channel with TLS (Transport Layer Security) to work with external services of Kaspersky. Kaspersky Endpoint Security uses external services for the following functions:

• updating databases and application software modules;
• activating the application with an activation code (activation 2.0);
• using Kaspersky Security Network.

Use of TLS secures the application by providing the following features:

• Encryption. The contents of messages are confidential and are not disclosed to third-party users.
• Integrity. The message recipient is certain that the message contents have not been modified since the message was forwarded by the sender.
• Authentication. The recipient is certain that communication is established only with a trusted Kaspersky server.

Kaspersky Endpoint Security uses public key certificates for server authentication. A public key infrastructure (PKI) is required for working with certificates. A Certificate Authority is part of a PKI. Kaspersky uses its own Certificate Authority because Kaspersky services are highly technical and not public. In this case, when root certificates of Thawte, VeriSign, GlobalTrust and others are revoked, the Kaspersky PKI remains operational without disruptions.

Environments that have MITM (software and hardware tools that support parsing of the HTTPS protocol) are considered to be unsafe by Kaspersky Endpoint Security. Errors may be encountered when working with Kaspersky services. For example, there may be errors regarding the use of self-signed certificates. These errors may occur because an HTTPS Inspection tool from your environment does not recognize the Kaspersky PKI. To rectify these problems, you must configure exclusions for interacting with external services.