Author Topic: HTTPS certificates - verification  (Read 3572 times)

0 Members and 1 Guest are viewing this topic.

jcs.avast-soro-lap06@soroban.co.uk

  • Guest
HTTPS certificates - verification
« on: January 30, 2016, 06:44:33 PM »
We are always advised to check the certificate when accessing sites such as banks. This should show the certificate path to the root CA and the contents of the certificate.

When I use Chrome as my browser this works as expected. I can inspect the contents of the certificate and the certificate chain

When I use Internet Explorer however all I can see is an Avast mail/web shield certificate.

I do not understand why the behaviour is different between the two browsers.

I cannot see any way to inspect the certificate or certificate chain in Internet Explorer

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31225
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: HTTPS certificates - verification
« Reply #1 on: January 30, 2016, 10:07:18 PM »
For IE see these links > http://lmgtfy.com/?q=internet+explorer+check+certificate

The behavior is different because they are totally different browsers.
They are not even based on the same engine.

jcs.avast-soro-lap06@soroban.co.uk

  • Guest
Re: HTTPS certificates - verification
« Reply #2 on: January 31, 2016, 04:47:30 PM »
I know how to inspect the installed certificates. What I want to do is to check the actual certificate that is being used by the current HTTPS session in the browser. All advice given to us is to ensure that the path is encrypted (padlock shown) and to verify the certificate and its path. Avast is hiding the path and is not providing me with the means to check it on IE

To do this you Click on the padlock. It should show the certificate being used. You can then go and see the path to the root certificate for that site.

I have used Google.co.uk as a well knwon site.

For Chrome the certificate path is valid = GeoTrust CA -> Google Internet Authority G2 -> google.co.uk
For IE the certificate path is  = Avast! Web/Mail shield root -> google.co.uk

I have attached screen shots of the Certificate path displayed for Chrome browser (Certificate Path using Chrome.jpg)and for Internet Explorer 10 (Certificate path using Internet Explorer.jpg)

As an IT security specialist I can understand why Avast might want to deliberately intercept the HTTPS session in order to inspect the content. I sometimes have to do this in secure internet gateways in systems I design for clients. In this case however I need a method to inspect the original certificate chain when using IE.

I would also like to know why the behaviour is different between Chrome and IE

It it is relevant I am using Windows 8 Home 64 bit and the most recent version of Avast.

« Last Edit: January 31, 2016, 04:50:40 PM by jcs.avast-soro-lap06 »

Offline Andrey,pro

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5015
  • Things happen
Re: HTTPS certificates - verification
« Reply #3 on: February 01, 2016, 02:33:50 PM »
Hello jcs.avast-soro-lap06,

Which version of Avast do you have installed? The new HTTPS scanning mechanism was introduced in v11, so Avast is no more replacing the root certificate by it's own (Avast! Web/Mail shield root ) on Win7 and higher. If you're on the latest version try to use Avast Cleaner to reinstall antivirus: http://files.avast.com/iavs9x/avastclear.exe

jcs.avast-soro-lap06@soroban.co.uk

  • Guest
Re: HTTPS certificates - verification
« Reply #4 on: February 01, 2016, 02:57:30 PM »
I am using version 11.1.2245

If I have understood your response it is IE that is not behaving correctly and Chrome is behaving correctly. I am not sure just how Avast hooks into the OS to intercept browsers

I will try the uninstall/reinstall as you suggested when I get the time.

Offline Andrey,pro

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5015
  • Things happen
Re: HTTPS certificates - verification
« Reply #5 on: February 01, 2016, 03:04:35 PM »
I checked it in IE 11 and there is no avast Avast! Web/Mail shield root certificate, see attached picture (sorry, it's in Russian). My OS is Windows 10.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: HTTPS certificates - verification
« Reply #6 on: February 01, 2016, 11:35:47 PM »
Hi, we are not able to scan HTTPS connections in IE (and EDGE) without our own certificates being injected into the browser.

This behavior is expected in IE even on the latest version on Avast.

The certificate is created adhoc and signed by Avast Web/Mail shield root. All attributes of the certificate are kept the same (such as Common Name or validity periods), just the issuer must be your very own PC, in order for the local scanner to be able to decrypt the traffic and scan it.

Please see the FAQ for more detailed info:
https://www.avast.com/faq.php?article=AVKB190#artTitle

You can turn of HTTPS scanning in the WebShields settings dialog if you don't like it.

Offline Andrey,pro

  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5015
  • Things happen
Re: HTTPS certificates - verification
« Reply #7 on: February 02, 2016, 11:35:43 AM »
Sorry guys, my fault, I disabled HTTPS scaning for some reason that's why I was unable to reproduce such behaviour.