Technische Details vom Entwickler: WebShield only valides the parts that it really have to validate and changes - this is the signing certificate. Other things are left unchanged and it is left on the browser/user to validate it - such as common name, expiration dates, etc. What we do in HTTPS Scanner (WebShield), is obtaining the certificate from the server (say: facebook), and re-signing it with our root certificate. Originaly it might be: Issuer: Facebook, signed by: Digicert, now it will be Issuer: Facebook, signed by: Avast.
All the information from the original certificate are left intact, such as: validity dates,
Subject:
CN = *.facebook.com
O = "Facebook, Inc."
L = Menlo Park
ST = CA
C = US
All extensions, alternate names, such as:
Not Critical
DNS Name: *.facebook.com
DNS Name: facebook.com
DNS Name: *.fbsbx.com
DNS Name: *.fbcdn.net
DNS Name: *.xx.fbcdn.net
DNS Name: *.xy.fbcdn.net
DNS Name: fb.com
DNS Name: *.fb.com
Of course, since we have changed the root certificate, something is indeed lost, but many things remain for you to inspect. Such as if the name in the original certificate didn't match, you can still verify if it matches close enough so that you'll trust it or not. If the original certificate was signed by an untrusted root, it will be signed now also by an untrusted root (here being the "avast! Web/Mail Shield Untrusted Root" certificate). It's not exactly the same as without HTTPS Scanner, but still as close as we were able to do it.