Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Sotrae on May 22, 2019, 01:08:43 PM

Title: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: Sotrae on May 22, 2019, 01:08:43 PM
I have just updated my Avast product to version 19.5.2378, and it's weird that this version changes all the certificates in Chrome and Firefox to Avast web/mail shield root, ALL THE WEBSITES EXCEPT some top websites like Digicert, Cloudflare, ... and more! I can't connect to this website: https://www.cloudflare.com/ssl/encrypted-sni/ on Firefox, but in Chrome it's fine. I have also enabled secure DNS and encrypted SNI in Firefox. Is this a Web Shield bug or is it a feature? Note that in the previous version, there was no Avast web/mail shield root on any website I visited.

Images of this problem are here: https://ibb.co/vsmQ7HX
https://ibb.co/1Qh2TS1
https://ibb.co/zGx3ynB
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: Sotrae on June 26, 2019, 08:18:47 PM
UPDATE: currently using version 19.6.2383, and I solved this issue by changing Web Shield: "Scan HTTPS". Hope this problem will be solved.
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: Sotrae on July 09, 2019, 12:27:17 PM
YOU GUYS DEV NEED TO DO SOMETHING, SECURITY FOR ALL
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: DavidR on July 09, 2019, 01:22:45 PM
There is a whole bunch of posts about this in another topic related to this:

Quote
This 'problem' isn't evident in most of the other browsers so why are they able to function without any problems?

Because Chromium-based browsers implicitly trust the OS's root Certificate Store.

Gecko-based browsers have an additional, curated list of trusted CAs.  This allows Mozilla to easily blacklist expired/rogue/compromised certificates.

Avast used a heavy-handed (and unsupported) method of crowbarring their certificate into Mozilla-based browsers (despite advice to the contrary from Mozilla).

The quick solution for all Firefox (and forked) browsers is to set the preference security.enterprise_roots.enabled to TRUE.  It will then implicitly trust the OS's root Certificate Store which makes Avast's hack unnecessary (tested).

Start reading from there and a little above that post for background information.

The next incarnation of Firefox should change how this is handled, to prevent users being impacted by how Avast have implemented this ManInMiddle problem.
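
Added example, not part of the forum thread and not Avast or Mozilla code: one way to check which value of security.enterprise_roots.enabled a Firefox profile will actually use, by parsing the profile's prefs.js and user.js. The sample file contents are constructed, and treating an unset preference as false is an assumption.

```python
import re

PREF = "security.enterprise_roots.enabled"

# Matches one line such as: user_pref("some.name", true);
# Commented-out lines (starting with //) do not match.
_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js body."""
    prefs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def enterprise_roots_state(prefs_js, user_js=""):
    """Return (effective value, source). user.js wins: Firefox applies it over prefs.js at startup."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        prefs = parse_prefs(text)
        if PREF in prefs:
            return prefs[PREF] is True, source
    # Assumption: an unset preference behaves as false.
    return False, "default (assumed false)"


# Constructed sample profile contents (not taken from the thread).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("browser.startup.homepage", "https://example.org/start");
user_pref("security.enterprise_roots.enabled", false);
'''
SAMPLE_USER_JS = '''// user_pref("security.enterprise_roots.enabled", false);
user_pref("security.enterprise_roots.enabled", true);
'''
```

Pass the text of the two files from the profile folder; a result of (False, ...) means the browser is relying only on Mozilla's own CA list, so a locally installed scanning root is not trusted through the OS store.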
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: Sotrae on July 09, 2019, 09:54:50 PM
Alright ... JUST updated to Firefox 68 and it looks like it's completely solved the problem. It's weird that before I updated to Firefox 68, setting security.enterprise_roots.enabled in about:config did not work for me, idk why, but one thing is certain: Mozilla fixed it. Thanks, everyone!
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: DavidR on July 09, 2019, 11:49:38 PM
You're welcome.