Scanning secure connections

Kaspersky Security can scan the traffic transmitted over secure connections that were established using the following protocols: TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0.

The application does not monitor traffic transmitted over encrypted TLS 1.3 connections if the Encrypted Server Name Indication (ESNI) technology is used.

The application does not monitor traffic that is transmitted over encrypted connections using the SSL 2.0 protocol.

By default, Kaspersky Security intercepts traffic transmitted over secure connections, decrypts it, and sends it for scanning to the Mail Anti-Virus, Web Anti-Virus, and Web Control components. These components process the traffic according to the configured settings.

If secure connections scan is disabled, application components have the following limitations:

If an error occurs while scanning an encrypted connection, the connection with the web resource is terminated. By default, Kaspersky Security also adds the domain name of the web resource to the list of domains whose secure connections result in a scan error. All web resources of domains in this list are excluded from secure connections scans. When there is another attempt to access web resources of this domain, Kaspersky Security allows the connection to be established but does not decrypt and scan the traffic. You can configure the action that is taken by Kaspersky Security when a secure connection scan error occurs.

When decrypting the traffic, Kaspersky Security validates the certificate of the server to which the secure connection is being established. By default, Kaspersky Security allows a connection to be established when a certificate error is detected. However, if the connection is being established through a browser, a certificate error warning is displayed on the screen. You can configure the action that is taken by Kaspersky Security when a web resource certificate error is detected.

Kaspersky Security does not scan secure connections that are included in the list of predefined exclusions from secure connections scan. The list of predefined exclusions is generated by Kaspersky experts, is included in the Kaspersky Security application distribution kit, and is updated automatically when application databases are updated. You can view the list of predefined exclusions in the local interface of Light Agent for Windows.

You can also configure the following exclusions from secure connections scan:

When scanning secure connections, Kaspersky Security uses a Kaspersky certificate. This certificate is automatically installed in the trusted certificates storage on the protected virtual machine when Kaspersky Security is installed, and is deleted when the application is removed.

Kaspersky Security changes the Mozilla™ Firefox™ browser settings on the protected virtual machine so that the browser uses the system trusted certificates storage.

In this section:

Enabling or disabling secure connections scan

Viewing the list of predefined exclusions

Configuring secure connections scan settings

Excluding web resources from secure connections scan

Exclusion of applications from secure connections scan
