ESET updates unencrypted

ESET does not use encryption for its updates and is therefore vulnerable to man-in-the-middle attacks.

In particular, the recently disclosed security vulnerability in ESET (CVE-2016-0718) illustrates the impact that a lack of encryption can have in combination with another vulnerability.

Vulnerability - Client Updates 1)

When a client wants to update its signatures, it establishes an HTTP connection to the repository server. This connection is unencrypted and vulnerable to man-in-the-middle attacks. If no signature verification takes place, it is possible to inject malicious code.

Vulnerability - ESET Remote Administrator Repository Updates 2)

Updates from the ERA server are also unencrypted, so a man-in-the-middle attack is also possible here.
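The checks a client would need before applying a fetched update, whether it comes from the vendor repository (1) or from an ERA server (2), as an added example that is not ESET's code: it refuses plaintext HTTP sources and verifies a signed manifest against the payload hash, so a swapped response fails even where the transport was not protected. The Ed25519 key pair, the manifest format and the sample payload are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// RequireHTTPS rejects repository URLs that would be fetched over plaintext HTTP.
func RequireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" {
		return fmt.Errorf("refusing non-TLS update source %q", raw)
	}
	return nil
}

// Manifest is the signed statement of what the update payload must hash to
// (assumed format; the vendor signs this short string, not the large payload).
func Manifest(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte("sha256=" + hex.EncodeToString(sum[:]))
}

// VerifyUpdate accepts a payload only if sig is a valid Ed25519 signature over
// manifest under the pinned vendor key AND the payload hashes to what the
// manifest claims; transport encryption alone gives neither guarantee.
func VerifyUpdate(pub ed25519.PublicKey, payload, manifest, sig []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if string(manifest) != string(Manifest(payload)) {
		return fmt.Errorf("payload hash does not match signed manifest")
	}
	return nil
}

func main() {
	// Demo only: key pair generated here; a real client ships the public key pinned.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	update := []byte("constructed signature-database update") // constructed sample
	m := Manifest(update)
	sig := ed25519.Sign(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, update, m, sig))
	fmt.Println("tampered:", VerifyUpdate(pub, append(update, '!'), m, sig))
	fmt.Println("plain http:", RequireHTTPS("http://updates.example.invalid/"))
}
```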

Protection

A TLS certificate costs no more than €10 per domain per year for the two domains. The vulnerability was confirmed to us by ESET; we did not receive an answer as to whether they intend to fix it.

We expect better communication and more transparency from a security manufacturer at this point.
