Author Topic: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors) (Read 5030 times)

NON · « **on:** October 31, 2016, 03:06:08 PM »

Hello,

I have two issues with Web shield https scanning.

1.
According to this topic (https://forum.avast.com/index.php?topic=185658.0) and release notes, Web shield is now using special technique to scan HTTPS connection without MITM except on IE and Edge.
However, my Firefox is now MITMed by Web Shield like IE, see attached image.

2.
Trying to load same webpage (ex. http://www.showroom-live.com/ ) at the same time using two or more browsers (for me IE and FF) ended up with following error on FF: Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Issue 2 was reported by one of Japanese forum users and confirmed by me.
He/She reported same thing happens with Opera and Chrome, although error message were different.

Original topic:
https://forum.avast.com/index.php?topic=192520.0

We (I and Japanese reporter) both use Windows 7 64bit.
I use latest Avast (12.3.2280) while he/she uses a bit old one (11.1.2262).

Does anyone (especially lukor

) know how to solve (or help to solve) these issues?

Thanks.

Edit: typo

NON · « **Reply #1 on:** November 01, 2016, 12:37:28 PM »

Original reporter confirmed Avast do MITM to Firefox, Chrome and Opera.

NON · « **Reply #2 on:** November 04, 2016, 03:20:46 PM »

I got another topic about this issue (MITM on Firefox) in the Japanese forum.
https://forum.avast.com/index.php?topic=192646.0

I also confirmed this issue happens in latest beta (12.3.2281).

lukor · « **Reply #3 on:** November 05, 2016, 08:41:03 AM »

Hi Non,

it happens that MITM must be enabled on certain systems or certain browser versions. It is designed in a way, that if other methods fail, we use MITM even on Firefox/Chrome. For this reason we also provide the browser cert store with our root certificate, so that in case of this "fallback" everything still runs smoothly.

You could try firefox ver. 50, as soon as it cames out, it should again work without MITM most of the times.

Regarding the second reported issue -- multiple access on the site with several browsers -- we need to look at that. It sounds interresting, but currently we have no clue how this might be happening! We will keep you posted soon.

Lukas.

NON · « **Reply #4 on:** November 06, 2016, 05:03:43 PM »

Thanks for the answer.

I'll definitely try FF50 when released.

Now I feel a bit weird because if browser update could resolve this issue, why all browsers (FF, Chrome, Opera) got affected simultaneously?

NON · « **Reply #5 on:** November 21, 2016, 01:23:41 PM »

I can confirm that now Avast with FF50 does not MITM https sites like before.

Author Topic: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors) (Read 5030 times)

NON

[12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)

NON

Re: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)

NON

Re: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)

lukor

Re: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)

NON

Re: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)

NON

Re: [12.3.2280] Possible bug with HTTPS scan (MITM on Firefox, SSL errors)