Info von den Devs: The certificate used by webshield is unique for every installation and even gets regenerated when avast is reinstalled. No two users use and trust the same certificate.
Also, most of the certificate attributes, such as validity dates, common name, subject etc. are preserved and verified by the browser no matter if HTTPS scanning in Avast is turned ON or OFF. The issuer is verified in WebShield using Windows native functions from CryptoAPI, against the Windows Certificate Store - the same certificate store that Internet Explorer and others (Chrome) use as well. The certificate that we use to certify the page for the browser never leaves your pc, nor is transfered on the wire. Yes, it is accessible to apps running on the same machine with the Administrator rights, but it is worth noting, that such apps can also create and add any number of their own trusted certificates into the certificate store.
Moreover, we have a list of banking sites, that are automatically ignored. WebShield does not scan your bank! If your bank is not in this list, please write to me, we'll add it to the list.
We also try hard to ignore sites with EV certificates. The detection here is done live based on the certificate seen previously from the same domain/host. As soon as we see the site using an EV certificate we stop scanning anything more from that same site -- all future connections are automatically ignored. The motivation here is the same - if the company (the server) took all the efforts to obtain EV certificate, it's probably their job to keep their site clean.
Just wanted to say, that there is nothing safe in the mere fact, that the connection is encrypted by one of the cyphers negotiated during HTTPS connect. Anyone can create a HTTPS page and host anything he/she wants on that page. In case the malware distributor also owns the domain (something like wxw.malwaredistributionisfun.com) the certificate can be obtained for free.
Schönen Feiertag,
Asyn
