Hi Mike808,
thanks for the question. We are just preparing a more detailed page about all the internals of how Avast's HTTPS scanning works - so I'll post the link here as soon as it is published later this week.
In short:
There is a huge difference between Avast and Superfish.
Mainly because Superfish reportedly used the same private key in all their issued certificates. This allows an attacker to create a web page pretending to be any domain, such as a fake google.com, signed by a fake certificate and yet trusted by any user with Lenovo's Superfish. Pages like this test can exist for Superfish:
https://filippo.io/Badfish/
None of the above is possible with WebShield's HTTPS scanner - the certificate used by WebShield is unique for every installation and even gets regenerated when Avast is reinstalled. No two users use and trust the same certificate.
Also, most of the certificate attributes, such as validity dates, common name, subject etc. are preserved and verified by the browser no matter if HTTPS scanning in Avast is turned ON or OFF. The issuer is verified in WebShield using Windows native functions from CryptoAPI, against the Windows Certificate Store - the same certificate store that Internet Explorer and others (Chrome) use as well. The certificate that we use to certify the page for the browser never leaves your PC, nor is it transferred on the wire. Yes, it is accessible to apps running on the same machine with Administrator rights, but it is worth noting that such apps can also create and add any number of their own trusted certificates into the certificate store.
Moreover, we have a list of banking sites that are automatically ignored. WebShield does not scan your bank! If your bank is not in this list, please write to me and we'll add it to the list.
We also try hard to ignore sites with EV certificates. The detection here is done live, based on the certificate seen previously from the same domain/host. As soon as we see the site using an EV certificate we stop scanning anything more from that same site -- all future connections are automatically ignored. The motivation here is the same - if the company (the server) took all the effort to obtain an EV certificate, it's probably their job to keep their site clean.
We are working on a more detailed FAQ page; I'll update you here with a link in a few days. Please feel free to post any concerns about the security of the whole scanning process - we really want this to be a trustworthy service, and in case any problem is found, we'll do our best to quickly fix it.
Just wanted to say that there is nothing safe in the mere fact that the connection is encrypted by one of the ciphers negotiated during the HTTPS connect. Anyone can create an HTTPS page and host anything he/she wants on that page. In case the malware distributor also owns the domain (something like www.malwaredistributionisfun.com) the certificate can be obtained for free.
Lukas
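As an added illustration (example code, not Avast's or WebShield's own), the per-connection decisions the post describes can be modelled as a small policy: check the origin certificate's issuer against a trusted store, leave banking hosts alone, and stop scanning a host once it has previously presented an EV certificate. Certificates are assumed to be already parsed into plain dicts; the issuer names, hostnames and bank list are constructed sample values, and the only EV marker assumed is the CA/Browser Forum EV policy OID.

```python
from typing import Dict, Iterable, List, Set

CABF_EV_OID = "2.23.140.1.1"  # CA/Browser Forum EV policy OID (real value)


def _norm(host: str) -> str:
    """Lower-case and strip a trailing dot so lookups are consistent."""
    return host.lower().rstrip(".")


class ScanPolicy:
    """Model of the scan/skip decisions described in the post (not Avast code)."""

    def __init__(self, trusted_issuers: Iterable[str], banks: Iterable[str]):
        self.trusted_issuers: Set[str] = set(trusted_issuers)  # stands in for the OS cert store
        self.banks: Set[str] = {_norm(b) for b in banks}       # bank allowlist (constructed)
        self.ev_hosts: Set[str] = set()                        # hosts that previously showed an EV cert

    def is_bank(self, host: str) -> bool:
        host = _norm(host)
        return any(host == b or host.endswith("." + b) for b in self.banks)

    def decide(self, host: str, cert: Dict) -> str:
        """Return 'untrusted', 'pass' (connection left untouched) or 'scan'."""
        host = _norm(host)
        if cert["issuer"] not in self.trusted_issuers:
            return "untrusted"  # origin issuer fails the store check; handling is up to the caller
        decision = "pass" if (self.is_bank(host) or host in self.ev_hosts) else "scan"
        # EV detection works on certificates seen previously, so record after deciding.
        if CABF_EV_OID in cert.get("policy_oids", ()):
            self.ev_hosts.add(host)
        return decision


def demo() -> List[str]:
    """Run the policy over a constructed sequence of connections."""
    policy = ScanPolicy(trusted_issuers={"Example Public CA"}, banks={"examplebank.test"})
    ev_cert = {"issuer": "Example Public CA", "policy_oids": [CABF_EV_OID]}
    dv_cert = {"issuer": "Example Public CA", "policy_oids": []}
    rogue = {"issuer": "Unknown Issuer", "policy_oids": []}
    return [
        policy.decide("online.examplebank.test", dv_cert),  # pass: bank allowlist
        policy.decide("shop.example.test", dv_cert),        # scan: ordinary DV site
        policy.decide("ev.example.test", ev_cert),          # scan: EV not yet seen for this host
        policy.decide("ev.example.test", dv_cert),          # pass: host presented EV earlier
        policy.decide("evil.example.test", rogue),          # untrusted: issuer not in store
    ]


if __name__ == "__main__":
    print(demo())
```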