Author Topic: Avast Web Shield HTTPS Certificate Interception  (Read 3874 times)

0 Members and 1 Guest are viewing this topic.

REDACTED

  • Guest
Avast Web Shield HTTPS Certificate Interception
« on: September 09, 2018, 03:38:51 PM »
I have a question regarding Avast Web Shield HTTPS scanning. A long time ago, when I used Avast Free on a daily basis, I noticed that the Web Shield intercepted HTTPS traffic because all of the sudden every HTTPS website I visited was certified by Avast. The Web Shield was basically intercepting all HTTPS requests made by the browser and acting as a "Man in the Middle" (MITM) between the web server and the web browser. Other products have a similar behavior but this concept of having the SSL chain of trust broken by my AV is something that I'm not very fond of. Therefore, I always disabled Avast Web Shield for HTTPS traffic.

I recently tried the current version of Avast Free on a VM and I was surprise to notice that the Web Shield now lets the browser display the website's certificate, despite the traffic being intercepted by Web Shield. I tested if the an EICAR Test File (http://www.eicar.org/85-0-Download.html) served through HTPS was actually being intercepted, and it was. Therefore, the shield was working correctly for HTTPS traffic while passing the correct certificate down to the browser.

This new behavior I just described was observed in both Chrome and Firefox. However, I noticed that if I used Edge or IE11, the certificate would show up as coming from Avast. This suggests that Avast is not using a generic approach to ALL HTTPS traffic. Avast Web Shield should be using some interface exposed by Chrome and Firefox to manipulate the certificates more freely. And, no, it's not thanks to the "Avast Online Security" addon/extension. I didn't even installed it and I really doubt it that the a WebExtension is able to do this kind of spoofing.

After all that I've said, does anyone have any idea how is Avast doing this? I have found some information on the official Avast blog about this subject, but it is not conclusive:

I'm really curious, from a technical point of view, about how does Avast implement the behavior I've experienced in both Chrome and Firefox. The blog post from 2016 (https://blog.avast.com/independent-test-shows-avast-offers-best-https-protection-in-the-market), mentions the that:
Quote
"For the users of Chrome and Firefox we have introduced a new, completely unobtrusive way of scanning the traffic that is even more transparent and allows the browser to best put all the built-in security checks to use."
It at least confirms that HTTPS Chrome and Firefox traffic is handled in a different way from HTTPS traffic coming from other applications. In fact, I suspect that they are probably using some built-in security feature of these two browsers, otherwise they could have applied this new method to all applications. But I also searched a bit about the possibility of Chrome and/or Firefox providing some security scanning interface for HTTPS traffic, but I have not found anything relevant.

Offline Mattish91

  • Newbie
  • *
  • Posts: 3
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #1 on: January 17, 2019, 11:45:17 AM »
I have this issue right now, it's pretty sad that this issue is still around. i have to turn off the HTTPS-scanning feature since i am running a web server at home, the cert is always bad, cant access anything on my webserver nor any other server for that matter either. Not ok to do that... I can't even access the web server from outside the server either since it's intercepting the way certs load -.-

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #2 on: January 17, 2019, 01:13:41 PM »
I have this issue right now, it's pretty sad that this issue is still around. i have to turn off the HTTPS-scanning feature since i am running a web server at home, the cert is always bad, cant access anything on my webserver nor any other server for that matter either. Not ok to do that... I can't even access the web server from outside the server either since it's intercepting the way certs load -.-
Have you tried disabling https scanning for those sites that you seem to have a problem with ???
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline alanb

  • Poster
  • *
  • Posts: 652
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #3 on: January 17, 2019, 01:52:07 PM »
Quote
disabling https scanning for those sites that you seem to have a problem with

Can you selectively disable HTTPS scanning?

I was under the impression it was either "on" or "off" (but happy to be proved wrong ;))

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #4 on: January 17, 2019, 02:02:22 PM »
Quote
disabling https scanning for those sites that you seem to have a problem with

Can you selectively disable HTTPS scanning?

I was under the impression it was either "on" or "off" (but happy to be proved wrong ;) )
You are correct. It would need to be turned off when you visit a website where you have a problem and turned back on after the visit.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline alanb

  • Poster
  • *
  • Posts: 652
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #5 on: January 17, 2019, 02:57:49 PM »
Phew!  Thanks bob; glad I'm not losing (what's left of) my mind  :o

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #6 on: January 17, 2019, 03:05:51 PM »
Phew!  Thanks bob; glad I'm not losing (what's left of) my mind  :o
Staying active on this forum, is an excellent way to continue to stimulate your brain and,
prevent the onset of "losing your mind". :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Mattish91

  • Newbie
  • *
  • Posts: 3
Re: Avast Web Shield HTTPS Certificate Interception
« Reply #7 on: January 17, 2019, 07:11:57 PM »
I have this issue right now, it's pretty sad that this issue is still around. i have to turn off the HTTPS-scanning feature since i am running a web server at home, the cert is always bad, cant access anything on my webserver nor any other server for that matter either. Not ok to do that... I can't even access the web server from outside the server either since it's intercepting the way certs load -.-
Have you tried disabling https scanning for those sites that you seem to have a problem with ???

Well it's for every website that i load, and every one accessing the web server on the same machine, i suppose some how this conflicts with Apache?