Avast Blocking Access

[Asyn]

Thanks! - Reply from Asyn was what I was looking for since first posting.
I have disabled HTTPS-scanning in the web shield and this seems to have worked.

You're welcome.

[REDACTED]

I've been an Avast user ( both PC and Mobile ) for over 3 years. Until recently I've had zero problems. But ---- Avast on my PCs is now slowing down the boot and blocking or interfering with EVERY legitimate site! My PC now takes over 6 minutes to complete boot, and as soon as I go to Internet ( Firefox ), every bookmarked site that I use regularly is slowed to an absolute crawl by Avast's interference! Normal sites such as Amazon, my own web banking, my credit card sites, etc. are taking as much as 2 minutes to load, if they load at all. This is now worse than the old dialup 56k modem era. I placed an "exception" to get my Yahoo home page to load, but do I have to enter exceptions for EVERY SITE that I use? Yes, I can disable the web shield and I have, but that should not be needed. I've read that Avast is supposedly "aware" of the problem and was to issue an "update". If so, where is it and why is it even needed for standard trusted use? If this continues much longer I will cancel my annual subscription and demand a refund.

[bob3160]

I've been an Avast user ( both PC and Mobile ) for over 3 years. Until recently I've had zero problems. But ---- Avast on my PCs is now slowing down the boot and blocking or interfering with EVERY legitimate site! My PC now takes over 6 minutes to complete boot, and as soon as I go to Internet ( Firefox ), every bookmarked site that I use regularly is slowed to an absolute crawl by Avast's interference! Normal sites such as Amazon, my own web banking, my credit card sites, etc. are taking as much as 2 minutes to load, if they load at all. This is now worse than the old dialup 56k modem era. I placed an "exception" to get my Yahoo home page to load, but do I have to enter exceptions for EVERY SITE that I use? Yes, I can disable the web shield and I have, but that should not be needed. I've read that Avast is supposedly "aware" of the problem and was to issue an "update". If so, where is it and why is it even needed for standard trusted use? If this continues much longer I will cancel my annual subscription and demand a refund.

If you're looking for help in solving your problem, give us some information that will help us solve your problem.
If you're simply looking for a refund, contact Avast directly:
http://support.avast.com/support/tickets/new

[glnz]

Asyn and polonus - I get the same pop-up message as Tobur above when I visit the Wall Street Journal website www.wsj.com --

"Avast Web Shield has blocked access to this page because the following certificate is invalid: ssl334328.cloudflaressl.com"

Also, the little blue circle in the tab in Firefox does not stop spinning when I get that message.

As far as I can see, it's just when I go to the Wall Street Journal.

My PC is XP Pro SP3 32-bit.  My browser is Firefox 41.0.2.  Also, my Firefox has the add-on Https Everywhere.  Is that the cause?

I don't understand much about certificates, so is Https Everywhere forcing the browser to go for a certificate and somehow that forcing is bad?

Asyn's suggestion to set Avast to stop checking in https doesn't feel right.  Feels like I'd be opening a security hole.

What do y'all think?  Thanks.

[Asyn]

"Avast Web Shield has blocked access to this page because the following certificate is invalid: ssl334328.cloudflaressl.com"

My PC is XP Pro SP3 32-bit.

See: https://forum.avast.com/index.php?topic=177468.msg1258979#msg1258979

[DavidR]

<snip>
My PC is XP Pro SP3 32-bit.  My browser is Firefox 41.0.2.  Also, my Firefox has the add-on Https Everywhere.  Is that the cause?

I don't understand much about certificates, so is Https Everywhere forcing the browser to go for a certificate and somehow that forcing is bad?

Asyn's suggestion to set Avast to stop checking in https doesn't feel right.  Feels like I'd be opening a security hole.
<snip>

Two points (non technical information):
1. XP only has the ability to recognise/check older SSL certificates (as mentioned in the above link), so won't be able to check stronger ones.

2. When a website is using HTTP it naturally won't have an SSL certificate - when forcing it with HTTPS Everywhere - avast would see that https and seek to check that the ssl certificate is valid. Point 1 above could result it being found to be invalid/not present.

Another issue is (as far as I can see) avast doesn't just check that websites ssl certificate, but would check any other off-site (3rd party) links, which could result in an alert/popup.

[glnz]

Asyn and DavidR - Thanks for replying so quickly.

Unfortunately, this does NOT seem to be limited to XP.  Asyn, the continuing posts in your link
 https://forum.avast.com/index.php?topic=177468.msg1258979#msg1258979
point this out.

It's weird that Avast will repeat this pop-up warning over and over, and even weirder that (so far in my experience) it's on the Wall Street Journal web site www.wsj.com 

As you two are real experts, and I've never fussed with certificates, can you (or can you ask Avast to) research this better?  I'm not the only one getting this, and there are still millions with XP who need good AV coverage.  Thanks.

EDIT - ADDED - maybe Avast should modify the block-ups to show not only the certificate that is untrusted but also what URL it is coming from and what web pages are being blocked.  If the blocked pages are just junk marketing, then it's a win and not a problem.

[Asyn]

1. Asyn and DavidR - Thanks for replying so quickly.
2. As you two are real experts, and I've never fussed with certificates, can you (or can you ask Avast to) research this better?  I'm not the only one getting this, and there are still millions with XP who need good AV coverage.  Thanks.

1. You're welcome.
2. Nothing much we can do, as (pointed out by Milos) this is a restriction within XP. For now, we can only hope the devs find/provide a workaround in a later update (R2/3)...

[glnz]

Asyn - could this be one of the certificates issued by Cloudflare to bad guys, and this certificate is now on a blacklist so it SHOULD be blocked?  How could we know?

I wish the avast pop-up showed more info.  What web page is using the certificate and being blocked?

[Asyn]

Asyn - could this be one of the certificates issued by Cloudflare to bad guys, and this certificate is now on a blacklist so it SHOULD be blocked?  How could we know?

Probably not, as it also happens with perfectly clean sites. Nevertheless, you're right that Cloudflare certs aren't that trustworthy, see: https://forum.avast.com/index.php?topic=66267.msg1260001#msg1260001

[polonus]

When one goes to -https://www.wsj.com/ in the firefox and Google Browser Google safebrowsing alerts for a Privacy Error Common Name of the Certicate error and blocks website. Encryption (HTTPS) (1)
Communication is encrypted
Multiple endpoints for -www.wsj.com
We've found multiple A or AAAA records for -www.wsj.com. Please choose the host you want to scan from the list below:


185.27.16.17 (port: 443)
185.27.16.8 (port: 443)
See scan results: https://ssldecoder.org/?host=www.wsj.com:185.27.16.17&port=443&fastcheck=0
Connection Data for www.wsj.com / 185.27.16.17
2 warnings!
HTTP Strict Transport Security not set.

OCSP Stapling not enabled.
 DES-CBC3-SHA

Not the right hostname given.

See: http://toolbar.netcraft.com/site_report?url=https://www.wsj.com
Invalid: http://toolbar.netcraft.com/site_report?url=http://a104-86-111-50.deploy.static.akamaitechnologies.com

Ciphersuites containing NULL, EXP(ort), DES and RC4 are marked RED because they are suboptimal.


Stop https scanning to stop the alerts, with HTTPS Everywhere this alert will also occur!
Weakness of Certificate Warning: Certificate for 'Baltimore CyberTrust Root'
1 warning!
SHA-1 certificate. Upgrade (re-issue) to SHA-256 or better.

The configuration should be rightly adopted by Owner, Akamai International BV, Amsterdam, the Netherlands,

polonus (volunteer website analyst and website error-hunter)

[DavidR]

Asyn and DavidR - Thanks for replying so quickly.

Unfortunately, this does NOT seem to be limited to XP.  Asyn, the continuing posts in your link
 https://forum.avast.com/index.php?topic=177468.msg1258979#msg1258979
point this out.

It's weird that Avast will repeat this pop-up warning over and over, and even weirder that (so far in my experience) it's on the Wall Street Journal web site www.wsj.com 

As you two are real experts, and I've never fussed with certificates, can you (or can you ask Avast to) research this better?  I'm not the only one getting this, and there are still millions with XP who need good AV coverage.  Thanks.

EDIT - ADDED - maybe Avast should modify the block-ups to show not only the certificate that is untrusted but also what URL it is coming from and what web pages are being blocked.  If the blocked pages are just junk marketing, then it's a win and not a problem.

Whilst it isn't exclusive to XP it is likely to be more common given that it may not be able to work with the latest SSL certificates. Not to mention that cloudflare has issued a very high percentage of certificated to bad sites, etc. so it is going to come in for more alerts.

In the majority of cases you should see a small black popup with white text and that does tell you what cloudflaressl sub-domain holds what is considered a dodgy certificate.

I have just visited the wsj site and no alerts relating to ssl certificates - some browsers seem to have less of an issue about all of this. I got redirected to the european area of wsj.com when I used connected and note that the wsj.com site is http so avast wouldn't be checking for valid ssl certificates.

I have never been a fan of HTTPS Everywhere, from the days when avast couldn't scan HTTPS sites - even though avast can scan https traffic - I still haven't changed my opinion of forcing https on sites that aren't set up for https.

I would certainly disable the HTTPS Everywhere and see if that ends the hassle as I mentioned earlier as this add-on is certainly going to increase the number of ssl certificate checks.

[glnz]

polonus and David R - thanks again.

The popup does mention ssl334328.cloudflaressl.com , but the popup does not say what web page is using that certificate.

I might drop Https Everywhere soon.  Seems to be too much trouble, at least for now.

[DavidR]

polonus and David R - thanks again.

The popup does mention ssl334328.cloudflaressl.com , but the popup does not say what web page is using that certificate.

I might drop Https Everywhere soon.  Seems to be too much trouble, at least for now.

Generally it is going to be some sort of link from within the site to ssl334328.cloudflaressl.com. This may or may not be correct as I don't know how the ssl validation works.

For a site that is using https I would imaging that there is an ability to check its ssl certificate, be that some internal link/function to check the validty of said ssl certificate when the connection to the site is set to https. This is where triggering https when a site isn't specifically set up for ssl use.

You can actually see this in some sites that although using https, there may be 3rd party content coming from a none ssl source and your browser normally shows a warning relating to that (relating to mixed content).

This are the main reasons I don't believe https should be forced on a site not geared up for it.

[polonus]

Hi DavidR and glnz,

Certainly with pushing by big players like Google and others of HTTPS Everywhere literary everywhere we are going to see more and more of such problems arise. Just leaf through the HTTPS Everywhere Atlas online and there are lot of sites with problems when https becomes enforced. With even so many misconfiguration going on on real sites with proper HTTPS certification an improvement of the situation is still far, far away. Just think of the recent Google Norton Symantec’s Thawte-branded CA issues: https://googleonlinesecurity.blogspot.nl/2015/09/improved-digital-certificate-security.html

I reported in "the virus and worms" many times about misconfigurations, missing security header implementations, serving SSL from the weak encryption side up (gefundenes Fressen to please easy government monitoring, like NSA or how this institute may be named to-day). First educate those that have to enroll https everywhere that they are able to do this in a proper and secure way and then start a global operation like this. Now we still have an enormous amout of https sites where log-in name and password goes "over the wires" as plain txt. See Safer Chrome Security Report extension in Google Chrome!

polonus (volunteer website security analyst and website error-hunter)