Issues and questions on HTTPS Scanning - Avast Internet 2015

[bob3160]

I tweeted at @avast_antivirus today to enquire about this issue, they got a bit mixed up and thought I was asking about disabling HTTPS scanning, but eventually when I pointed out this post on a Google blog they directed me to this thread.

As we've had similar problems with a new web filter at my workplace I thought I'd chime in with my 2 cents based on the research I've done related to that.

A Man-in-the-Middle attack such as what Avast and other HTTPS scanning web filters perform is literally the only way you can scan the content of an HTTPS connection. This involves the web filter essentially setting itself up as a certificate authority on your local computer (in the case of Avast) or network (in the case of enterprise products like Sophos UTM for example), and then switching out the certificate of any given HTTPS web site with one it generated, so that it has the encryption keys to be able to decrypt the content for scanning. If you don't want it to do that, the only other thing available is a thing called Server Name Indication, which lets the web filter see the name of the server the connection is going to, but that usually isn't nearly enough information for it to decide whether it should allow or block it.

With an increasing number of web sites switching to HTTPS only (encouraged by initiatives such as this and this) this issue is only going to get more pronounced. The bottom line is, do you care more about your connection being encrypted or your computer being protected from viruses and malware? You already trust avast to some extent, or you wouldn't have installed it on your computer - if they wanted to steal your data they could already do that a thousand times over.

I think the least bad compromise you can come up with is to enter HTTPS sites you really don't want Avast to scan (like your online banking website for example) into the URL Exclusions list in the settings.

Note: I am not an employee of or affiliated with Avast or Sophos, I'm just an IT Technician who has encountered these similar issues at work.

Thanks for an interesting and easy to understand explanation to a very complex issue.

[REDACTED]

I installed Windows 10 yesterday.  Ever since then I have not been able to use gmail, google or amazon in Firefox.  There is a problem with the https connection. For example when trying to connect to google, Firefox gives this error message.
'Secure Connection Failed. An error occurred during a connection to www.google.co.uk. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature).  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the web site owners to inform them of this problem.'
I was altered to this forum from a Firefox forum. And despite a history of the same problem on this forum, this is the first time I have had the problem. As a test I turned off Avast, and the error message disappeared and I was able to use those websites as usual. So Windows 10 does not seem to be an issue. Chrome does not have this problem. But I cant help thinking it's a bit of a cop out having to include URL exceptions in Avast. Is there any chance that the problem will be fixed in a next update of Avast please?  Many thanks.

[REDACTED]

phillipp, a forum moderator over at Firefox, has cracked it!  The fix has worked for me, happy with that, here's what he wrote

hey, please disable https scaning within avast:

Open the Avast dashboard on the affected system.
Select Settings from the left sidebar menu.
Switch to Active Protection.
Click on Customize next to Web Shield.
Uncheck the "Enable HTTPS Scanning" option and click ok.
http://www.ghacks.net/2014/10/31/avasts-https-scanning-interferes-with-firefox-and-other-programs/ 

[bob3160]

phillipp, a forum moderator over at Firefox, has cracked it!  The fix has worked for me, happy with that, here's what he wrote

hey, please disable https scaning within avast:

Open the Avast dashboard on the affected system.
Select Settings from the left sidebar menu.
Switch to Active Protection.
Click on Customize next to Web Shield.
Uncheck the "Enable HTTPS Scanning" option and click ok.
http://www.ghacks.net/2014/10/31/avasts-https-scanning-interferes-with-firefox-and-other-programs/

It certainly wasn't "cracked" by anyone at Firefox. That temporary bypass has been mentioned on this forum for quite some time.

[REDACTED]

Hi

I am having the same certificate verification problem with AVAST HTTPS scanning module with the Skype & Mclaren F1 websites...

I'm concerned that it appears to be using MItM (an actual attack) to subvert another legitimate security feature (HTTPS) in order to do so.  That would seem to totally undermine what HTTPS provides -- my connection is no longer secured on the far side as Avast has made itself my effective far side when this is happening.  Avast needs to work in concert with, not counter to, HTTPS in order to be effective.  As it is, it's now difficult to initially see if my allegedly secure connection is being hijacked by Avast or an actual attack.  (Do I not show an EV because there's no EV or because Avast has hijacked my HTTPS connection and broken the EV?  Is someone else hijacking the HTTPS connection?)  Avast represents a legitimate security source, and an apparent MItM approach isn't the sort of thing a legitimate enterprise should be doing.

I hold the same reservations over the MITM technique employed (as quoted above), however HTTPS does not leave a true alternative. REALLY, My MAIN problem is: that Avast is sometimes using a SHA1 coding for it's certificates which is causing severe verification issues within Chrome (and Firefox?). Chrome is rightly flagging SHA1 as a security risk on Secure sites.

However, I can shed light on why people are getting errors - the certificate that web shield is re-signing with is only sha1 encrypted - chrome is showing warning for sha1 certs - they are being phased out. Should you be using an sha2 signed certificate?

SHA1 is a universally recognised WEAK(COMPROMISED?) coding platform that is being phased out of existence. It surprises me that a SECURITY COMPANY would choose to use this certificate format for one of it's most critical modules. (For reference: When a site works correctly, the Avast coding is the newer SHA256 - Why are Avast still using SHA1 on some sites?)

I am a relative newbie here on the forums, but consider myself above average on PC matters and fairly clued in on aspects of security etc.

Howard

[REDACTED]

How does Avast protect its root certificate so that it can't be used by a malicious user to sign fake certificates?

[b06jeo]

How does Avast protect its root certificate so that it can't be used by a malicious user to sign fake certificates?

https://www.avast.com/en-us/faq.php?article=AVKB190#artTitle
does it help?