Author Topic: Web Shield undermines certificate revocation security  (Read 2849 times)

Offline daine

  • Newbie
  • *
  • Posts: 4
Web Shield undermines certificate revocation security
« on: July 24, 2017, 11:16:34 PM »
I have serious concerns about the HTTPS security of Web Shield in Avast Mac Security, because of its blindness to TLS certificate revocations.
This issue has been under public discussion since at least 2015: http://www.thesafemac.com/avasts-man-in-the-middle/

Avast for Windows is, apparently, capable of checking for certificate revocations:
"The only issue mentioned in their study is a lack of revoked certificates checking by Avast, which has been in the market since November 2015 and is fixed in 2016 products."
https://blog.avast.com/independent-test-shows-avast-offers-best-https-protection-in-the-market

But in 2017, Avast Mac Security Web Shield retains this vulnerability. To check for yourself, navigate to https://revoked.grc.com . With Web Shield turned off, my browser blocks access to this site due to its revoked certificate. With Web Shield enabled, I can visit the page without issue.

Will Avast Mac Security ever respect certificate revocation? It's concerning that Web Shield's HTTPS protection undermines a critical security guarantee of the HTTPS protocol.

Offline GeoffBur

  • Newbie
  • *
  • Posts: 11
Re: Web Shield undermines certificate revocation security
« Reply #1 on: August 18, 2017, 04:43:00 PM »
Interestingly I'm not seeing this issue. Just tried accessing page in Safari and Vivaldi and neither can connect.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31341
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Web Shield undermines certificate revocation security
« Reply #2 on: August 18, 2017, 05:03:23 PM »
GeoffBur,
the OP did say it is the browser that blocks the site, not the webshield.
What you are showing is an image of the browser.

What you should see is a message from avast like in my image (which by the way is on Windows).

Offline daine

  • Newbie
  • *
  • Posts: 4
Re: Web Shield undermines certificate revocation security
« Reply #3 on: August 19, 2017, 05:51:15 AM »
Interestingly I'm not seeing this issue. Just tried accessing page in Safari and Vivaldi and neither can connect.

I'm using Safari, and I don't see what you're seeing unless I turn off Avast Web Shield. With Avast Web Shield enabled, I can visit the page without issue, in spite of its revoked certificate. I've uninstalled and reinstalled Avast to be doubly sure, and I'm using the latest version ( 12.8 ).

Would you mind verifying whether Web Shield is enabled in your Avast preferences?
« Last Edit: August 19, 2017, 05:52:46 AM by daine »

Offline daine

  • Newbie
  • *
  • Posts: 4
Re: Web Shield undermines certificate revocation security
« Reply #4 on: August 19, 2017, 05:54:36 AM »
GeoffBur,
the OP did say it is the browser that blocks the site, not the webshield.
What you are showing is an image of the browser.

What you should see is a message from avast like in my image (which by the way is on Windows).

I'd be happy to see what you're seeing, or Safari's native revocation response! With Web Shield enabled, I see the full https://revoked.grc.com page, without warning of any kind. I'm glad to see certificate revocation security is working in the Windows version of Avast, confirming what I've read online.
« Last Edit: August 19, 2017, 05:56:57 AM by daine »

Offline daine

  • Newbie
  • *
  • Posts: 4
Re: Web Shield undermines certificate revocation security
« Reply #5 on: October 17, 2017, 12:13:40 AM »
This appears to be fixed, on Avast Mac Security 12.9 / macOS 10.13 . Thanks!!!