Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: nikjy on May 22, 2019, 01:08:43 PM

Title: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: nikjy on May 22, 2019, 01:08:43 PM
I have just update my Avast product to version 19.5.2378 and it's weird when this version changes all the Certificate in Chrome and Firefox to Avast web/mail shield root, ALL THE WEBSITE EXCEPT some top website like Digicert, Cloudflare, ..!! and more, I can't connect to this website: https://www.cloudflare.com/ssl/encrypted-sni/ on Firefox but in Chrome it's fine, I have also enable secure dns and encrypt sni in Firefox, is this a webshield bug or it's a feature ?? note that in the previous version, there is no Avast web/mail shield root on any website i visited.

Images about this problem is here: https://ibb.co/vsmQ7HX
https://ibb.co/1Qh2TS1
https://ibb.co/zGx3ynB
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: nikjy on June 26, 2019, 08:18:47 PM
UPDATE: currently using version 19.6.2383 and I solve this issues by changing Web shield : ''Scan HTTPS"", hope this problem be solved
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: nikjy on July 09, 2019, 12:27:17 PM
YOU GUYS DEV NEED TO DO SOMETHING, SECURITY FOR ALL
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: DavidR on July 09, 2019, 01:22:45 PM
There is a whole bunch of posts about this in another topic related to this:

Quote
This 'problem' isn't evident in most of the other browsers so why are they able to function without any problems?

Because Chromium-based browsers implicitly trust the OS's root Certificate Store.

Gecko-based browsers have an additional, curated list of trusted CAs.  This allows Mozilla to easily blacklist expired/rogue/compromised certificates.

Avast used a heavy-handed (and unsupported) method of crowbarring their certificate into Mozilla-based browsers (despite advice to the contrary from Mozilla).

The quick solution for all Firefox (and forked) browsers is to set the preference
Code: [Select]
security.enterprise_roots.enabled to TRUE.  It will then implicitly trust the OS's root Certificate Store which makes Avast's hack unnecessary (tested).

Start reading from there and a little above that post for background information.

The next incarnation of Firefox should be change how this is handled to prevent users being impacted in how Avast have implemented this ManInMiddle problem.
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: nikjy on July 09, 2019, 09:54:50 PM
alright ... JUST update to Firefox 68 and looks like it's completely solved the problem , it's weird that before i update to Firefox 68, setting the security.enterprise_roots.enabled in about:config does not work for me,  idk why, but one thing is certain, Mozilla fixed it, thanks everyone !
Title: Re: Avast 19.5.2378 changes all Certificate on Chrome/Firefox
Post by: DavidR on July 09, 2019, 11:49:38 PM
You're welcome.