Avast WEBforum

Consumer Products => Avast Mac Security => Topic started by: daine on July 24, 2017, 11:16:34 PM

Title: Web Shield undermines certificate revocation security
Post by: daine on July 24, 2017, 11:16:34 PM
I have serious concerns about the HTTPS security of Web Shield in Avast Mac Security, because of its blindness to TLS certificate revocations.
This issue has been under public discussion since at least 2015: http://www.thesafemac.com/avasts-man-in-the-middle/

Avast for Windows is, apparently, capable of checking for certificate revocations:
"The only issue mentioned in their study is a lack of revoked certificates checking by Avast, which has been in the market since November 2015 and is fixed in 2016 products."
https://blog.avast.com/independent-test-shows-avast-offers-best-https-protection-in-the-market

But in 2017, Avast Mac Security Web Shield retains this vulnerability. To check for yourself, navigate to https://revoked.grc.com. With Web Shield turned off, my browser blocks access to this site due to its revoked certificate. With Web Shield enabled, I can visit the page without issue.

Will Avast Mac Security ever respect certificate revocation? It's concerning that Web Shield's HTTPS protection undermines a critical security guarantee of the HTTPS protocol.
Title: Re: Web Shield undermines certificate revocation security
Post by: REDACTED on August 18, 2017, 04:43:00 PM
Interestingly, I'm not seeing this issue. Just tried accessing the page in Safari and Vivaldi and neither can connect.
Title: Re: Web Shield undermines certificate revocation security
Post by: Eddy on August 18, 2017, 05:03:23 PM
GeoffBur,
the OP did say it is the browser that blocks the site, not the Web Shield.
What you are showing is an image of the browser.

What you should see is a message from Avast like in my image (which by the way is on Windows).
Title: Re: Web Shield undermines certificate revocation security
Post by: daine on August 19, 2017, 05:51:15 AM
Interestingly, I'm not seeing this issue. Just tried accessing the page in Safari and Vivaldi and neither can connect.

I'm using Safari, and I don't see what you're seeing unless I turn off Avast Web Shield. With Avast Web Shield enabled, I can visit the page without issue, in spite of its revoked certificate. I've uninstalled and reinstalled Avast to be doubly sure, and I'm using the latest version (12.8).

Would you mind verifying whether Web Shield is enabled in your Avast preferences?
Title: Re: Web Shield undermines certificate revocation security
Post by: daine on August 19, 2017, 05:54:36 AM
GeoffBur,
the OP did say it is the browser that blocks the site, not the Web Shield.
What you are showing is an image of the browser.

What you should see is a message from Avast like in my image (which by the way is on Windows).

I'd be happy to see what you're seeing, or Safari's native revocation response! With Web Shield enabled, I see the full https://revoked.grc.com page, without warning of any kind. I'm glad to see certificate revocation security is working in the Windows version of Avast, confirming what I've read online.
Title: Re: Web Shield undermines certificate revocation security
Post by: daine on October 17, 2017, 12:13:40 AM
This appears to be fixed, on Avast Mac Security 12.9 / macOS 10.13. Thanks!!!