Avast 8.0.1497 breaks verified SSL connections

[GlennLinderman]

After upgrading last night, today I cannot access my POP email, yesterday I could. The error is for any connection with SSL, and it seems that Avast must have added a self-signed certificate into the certificate chain, which causes the verification to fail... at least, the error message says that there is one, and yesterday, there was no error.

I'm not running the mail shields, so I assume this is coming from Network Shield?

Will there be an update soon to fix this regression? Or how can I back out the current version to the prior one?

[Eddy]

I'm not running the mail shields, so I assume this is coming from Network Shield?

What happens if you disable the webshield? Is it working fine then?
Also mention you OS and (if you have any) other installed security software.
What mail client are you using?

[GlennLinderman]

Hi Eddy, thanks for the response.

Yes, if I "disable all shields" for 10 minutes, then I get a window of time where the email program will work.

This is running Windows 7; the only other security software running would be the Windows Firewall, and I do not need to disable it for the email to work.

The email program is nPOPuk, available at http://npopuk.org.uk/

nPOPuk has a feature in SSL (which I understand is implemented using the OpenSSL software) to enable or disable "verification" of certificates. Turning off the verification allows the email to work even with Avast's self-signed certificate, but my understanding is that verification is the only protection SSL offers against man-in-the-middle attacks, so doing so is only appropriate for testing.

I had been giving myself the 10-minute window using the Shield Controls from the popup menu in the system tray... that doesn't allow selective disabling of particular shields... and I wondered if that was even still possible in the current interface, but I found it in the main interface, that you can start/stop individual shields. So I tried disabling each of web shield and network shield in turn, and then together, and none of those resolved the problem.

Then I looked to see if mail shield was off like I thought it was (and historically have had) and it was on.  So I turned that one off, and that resolved the problem.

Historically, I have not run mail shield because nPOPuk doesn't run scripts... it simply doesn't know how! So mail shield seemed unnecessary. I also use Thunderbird, which also doesn't run email scripts without first alerting the user, and I have javascript turned off for email also... so again mail shield seemed unnecessary.

I guess, somewhere along the line, a new version of Avast must have changed my configuration, and enabled the mail shield, or there is a possibility that installing a newer version of Avast on this newer computer, I didn't figure out the option to turn off the mail shield, or forgot to, or .

In any case, it seems that the recent update changed something that adds a self-signed certificate to the email path, but while I erroneously reported that it "I'm not running the mail shields" which would have implied that the problem was not in that path of logic, it turns out I was running  them, and the problem is in that path of logic.

Thanks for you help, and I hope this response clarifies the issue, so that it can be fixed.

[GlennLinderman]

Hmm.  Another problem.

I don't use FTP quite as often as I use email, so I'm making an assumption here that this problem is similarly due to the use of a self-signed certificate, probably from the same update to Avast! that caused the email problem.

I have a couple web sites that I access via Secure FTP, and I was not able to access them until I disabled (all, but maybe only one was necessary) the Avast! shields. Once disabled, I connected fine, so the web site and the FTP program seem to be absolved from responsibility.  As above, Windows 7, Windows Firewall enabled, and Avast! is the only other security  software.

This is much more problematical than the email issue; I don't particularly _need_ an email shield since my email programs are configured not to run scripts, or are incapable of running scripts. But network or web shields are very important, and I don't even like to disable them for testing.

[GlennLinderman]

Another problem... tried to create a new bank account, and after filling out a couple pages of forms, the bank informed me that there was suspect activity happening. They gave no clue as to what, but I've never had that sort of thing happen before.

So then I tried to get my free annual credit report from Equifax, and they told me they couldn't do it online "for my security", even though they've done it a number of times in past years.

I'll try again tomorrow with Avast turned off, but this is annoying when the protection software causes problems with normal activities.

[bob3160]

What does any of this have to do with avast!

[Eddy]

SSl has nothing to do with certificates, it is a protocol.

Turning off the verification allows the email to work even with Avast's self-signed certificate

That is at least a strong indication that avast has nothing to do with it.

So I tried disabling each of web shield and network shield in turn, and then together, and none of those resolved the problem.

Those two shields have nothing to do with email.

Historically, I have not run mail shield because nPOPuk doesn't run scripts

Avast doesn't use scripts to check the mail.

It certainly looks like the problem is not avast but something else.

[GlennLinderman]

Bob3160. Thanks for your reply. What this has to do with Avast is that after the latest update from Avast, these problems started.  Turning off Avast! (or at least the mail shield) worked around the email problem.  I haevn't yet had time to verify if turning off Avast! will work around these other problems, but I have never had these sorts of problems before, and Avast! is what has changed.

Eddy. Thanks for your additional reply. Sadly, it appears that your additional reply indicates that you don't understand that certificates are the foundation of the encryption part of the SSL protocol. Turning off verification of the certificates in nPOPuk effectively means that you use the provided encryption keys from the certificates, without verifying that the certificates are actually from whom they say they are from, according to the certificate authorities. Turning off the verification opens up the SSL protocol to man-in-the-middle attacks (google that for more information about what such an attack is). The whole point of verification of certificates with a certificate authority is to prevent such attacks. But it seems that Avast is introducing a self-signed certificate that cannot be verified, and therefore email (and possibly other things) no longer work correctly, when verification is turned on.

I would, with my email clients, much rather have certificate verification in place than Avast! mail shields. However, for the web that is less appealing, as there are many scripts involved. It is not clear to me what the difference is between web shield and network shield; perhaps I should read more about that -- I'm not sure what specific protections I get from each, nor it is clear that I can repeatedly access these sites I've had trouble with and get any further, or if, once my information has been received and treated as suspect, if it will continue to be treated as suspect because it is the same information, even if the original source of the suspicion is removed.  So if I try these things with Avast! turned off, and they work, it is indicative that Avast! was the problem, but if they still don't work, it really doesn't prove anything, unless the company can be contacted and explain the  original suspicion. Finding a support person at the company that actually understands the computer systems and implementations well enough to confirm what the source of the suspicion is might be extremely time-consuming, if even possible.

Because of the seemingly related problem with email, where my email client nPOPuk gave a good error message, and has good controls to understand what is going on, I was able to pinpoint Avast! as the source of that problem. So this makes me extremely suspicious of Avast! being the source of these other problems as well, but I'll agree it isn't (yet) proof.  More when I get a chance to try these things again.

My mother (I'm her tech support) called yesterday having problems with her Thunderbird, which started right after her Avast! update. Since it sounded very similar, I had her disable the mail shield, and that also solved her problem.

Since I hadn't had a problem with my Thunderbird, even with mail shield enabled, I looked at Thunderbird's certificate list, and discovered that somewhere along the line, an Avast! self-signed certificate had been added to the trusted list.  I removed it now, and enabled Avast! mail shield, and generated the same error she described on my own machine, I'll attempt to attach it here.

This is Thunderbird's way of saying the same thing that nPOPuk did: self-signed certificate can't be verified.

[Eddy]

Sometimes a repair of avast solves things. Have you tried that already? If not, I suggest you give it a try. Let's see what happens.

Another thing to try is to add googlemail to the the (global)exclusion list.

[GlennLinderman]

Thanks, Eddy, for your additional reply, and pm (which I can't reply to). I'm not sure what you mean by "a repair of Avast!", I couldn't find anything in the interface that is called that.

Tuesday and yesterday were really busy, but I did get a chance on Tuesday to experiment with the one bank site, and determined that the "suspicious activity" that they were reporting was apparently because I included a couple special characters in my password, even though there was fine print nearby saying to use only alphanumerics. So that problem is not related to Avast!

Not sure about the free credit report site. I tried again the next day, and it still wouldn't give me a report via the web... wanted me to send them personal information by mail to prove my identity. I have successfully accessed the reports via the web before, but it has been a couple years, not even from this computer, but I have run Avast! on my last several computers! But, lots has changed besides Avast! This may or may not be related to Avast!, but with the email problem, and the bank problem together, it seemed it could be related, so I wanted to report it. With the bank problem now understood and resolved, and not related to Avast!, it seems less likely that the free credit report problem is related, but hard to be sure one way or the other. I haven't encountered other web problems in the last couple days, so probably not.

So it seems I have one problem with the latest Avast! that I can document and demonstrate: that the mail shield inserts a self-signed certificate into the computer (somewhere, somehow) that causes nPOPuk and Thunderbird to report problems. If Avast! is going to use a certificate, it should be one signed by a trusted certificate authority. I understand that Avast! would not be able to scan an encrypted communication stream without either having an add-on for (each) email program, or being able to proxy the communication stream.

Happily, my email programs do not run scripts, so I am pretty safe from problems that intrude via email, and the File Shield should provide protection from attachments that may be problems, if I actually attempt to run them. But the use of a self-signed certificate, which results in errors being displayed to the user, and a failure to obtain mail when the Mail Shield is enabled, seems problematical. The mail programs are correctly detecting that there is a man-in-the-middle attack potential, and although it is by Avast! which might be trusted by its users, it is quite alarming to non-technical users such as my mother, and quite annoying to me until I realized  that somehow Mail Shield was enabled on my machine and the source of the problem.

I certainly couldn't recommend running without Mail Shield to a user of Outlook or Outlook Express or M$ Mail, which are happy to run scripts that arrive via email.

[bob3160]

"Thanks, Eddy, for your additional reply, and pm (which I can't reply to). I'm not sure what you mean by "a repair of Avast!", I couldn't find anything in the interface that is called that."
Control Panel > Add/Remove (Programs and Features) > Select avast! > scroll down and select Repair.

[Eddy]

Ok, so all problems are solved except for the email (to put it short).

Try this:
1) Run Certmgr.msc, go to Trusted Root Certification Authorities and find "avast! Mail Scanner Root" certificate and export it to a file

2) Go to the mail client's certificate store and import that certificate