I have a question regarding Avast Web Shield HTTPS scanning. A long time ago, when I used Avast Free on a daily basis, I noticed that the Web Shield intercepted HTTPS traffic because all of a sudden every HTTPS website I visited was certified by Avast. The Web Shield was basically intercepting all HTTPS requests made by the browser and acting as a "Man in the Middle" (MITM) between the web server and the web browser. Other products have a similar behavior, but this concept of having the SSL chain of trust broken by my AV is something that I'm not very fond of. Therefore, I always disabled Avast Web Shield for HTTPS traffic.
I recently tried the current version of Avast Free on a VM and I was surprised to notice that the Web Shield now lets the browser display the website's certificate, despite the traffic being intercepted by Web Shield. I tested whether an EICAR test file (http://www.eicar.org/85-0-Download.html) served through HTTPS was actually being intercepted, and it was. Therefore, the shield was working correctly for HTTPS traffic while passing the correct certificate down to the browser.
This new behavior I just described was observed in both Chrome and Firefox. However, I noticed that if I used Edge or IE11, the certificate would show up as coming from Avast. This suggests that Avast is not using a generic approach to ALL HTTPS traffic. Avast Web Shield should be using some interface exposed by Chrome and Firefox to manipulate the certificates more freely. And, no, it's not thanks to the "Avast Online Security" addon/extension. I didn't even install it and I really doubt that a WebExtension is able to do this kind of spoofing.
After all that I've said, does anyone have any idea how Avast is doing this? I have found some information on the official Avast blog about this subject, but it is not conclusive:
I'm really curious, from a technical point of view, about how Avast implements the behavior I've experienced in both Chrome and Firefox. The blog post from 2016 (https://blog.avast.com/independent-test-shows-avast-offers-best-https-protection-in-the-market) mentions that:
"For the users of Chrome and Firefox we have introduced a new, completely unobtrusive way of scanning the traffic that is even more transparent and allows the browser to best put all the built-in security checks to use."
It at least confirms that HTTPS Chrome and Firefox traffic is handled in a different way from HTTPS traffic coming from other applications. In fact, I suspect that they are probably using some built-in security feature of these two browsers, otherwise they could have applied this new method to all applications. But I also searched a bit about the possibility of Chrome and/or Firefox providing some security scanning interface for HTTPS traffic, but I have not found anything relevant.
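The issuer comparison the post makes by eye in each browser's certificate viewer can be repeated from any other process. The following is an added example, not part of the original post: it reads the leaf certificate a Python TLS client is shown and flags an issuer that names a local scanning product. The marker string `avast` is an assumption taken from the post's wording, and the two sample certificates are constructed for illustration.

```python
import socket
import ssl
import sys

# Assumption: substrings identifying a locally installed scanning root.
LOCAL_SCANNER_MARKERS = ("avast",)

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_locally_reissued(cert, markers=LOCAL_SCANNER_MARKERS):
    """True when the leaf's issuer names a local scanning product."""
    fields = issuer_fields(cert)
    names = ("organizationName", "organizationalUnitName", "commonName")
    text = " ".join(fields.get(name, "") for name in names).lower()
    return any(marker.lower() in text for marker in markers)

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate this process is actually shown."""
    ctx = ssl.create_default_context()  # uses the OS trust store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Avast (constructed sample)"),),
               (("commonName", "Local Scanning Root (constructed)"),)),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a host given on the command line
        certs = {sys.argv[1]: fetch_leaf_cert(sys.argv[1])}
    else:                  # offline run over the constructed samples
        certs = {"direct": SAMPLE_DIRECT, "intercepted": SAMPLE_INTERCEPTED}
    for label, cert in certs.items():
        verdict = "re-issued locally" if is_locally_reissued(cert) else "issuer not a local scanner"
        print(f"{label}: {issuer_fields(cert).get('commonName')} -> {verdict}")
```

Comparing this script's result with what Chrome or Firefox displays for the same host on the same machine shows whether the two clients are being presented different certificates.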