Avast intercepts HTTPS connections even when told not to do it.

[Aditza]

Today my Firefox was upgraded to v67 and after the upgrade, the first thing that i notice at the top of the options is
"Your organization has disabled the ability to change some options."

i decide to dig deeper... and i discover that all these years Avast had been injecting a HTTPS Root Certificate in my Firefox even though i expressly told it NOT to intercept and scan my HTTPS connections.

As i have HTTPS scanning disabled, what is that Root Certificate doing there being injected by system policy into the Firefox Root Certificate store?

[Aditza]

update: that was Avast 19.4... i saw today that v19.5 was released.... so...

- i deleted all the policies from under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates\
- i allowed Avast to update to latest version from today, 19.5.2378 (build 19.5.4444.492)
- let it reboot the machine...

and what do you know... the Avast Root Certificate policy is back after the update even if HTTPS scanning is supposed to be disabled?! WTH?

[Aditza]

also... there's a bug there in Firefox's Enterprise Policy processor.. i already have REVOKED that certificate system-wide via the certificate manager console, but Firefox still considers that Root CA as a valid Root.... *facepalm*.. it should consider it as a REVOKED ROOT CA instead, as MS Edge / Internet Explorer / Chrome properly consider.



edit: opened a bug with Mozilla too, because the browser should see the certificate as revoked not as trusted.
https://bugzilla.mozilla.org/show_bug.cgi?id=1553233
/edit

[mchain]

Hi Aditza,

Please read this topic in its entirety:  https://forum.avast.com/index.php?topic=227029.msg1504630#msg1504630

[Aditza]

Hi Aditza,

Please read this topic in its entirety:  https://forum.avast.com/index.php?topic=227029.msg1504630#msg1504630

please read again the part where i make sure to disable HTTPS / SSL scanning in Avast options....i even went in Troubleshooting -> open old settings and made sure that the mail shield scanner (customise -> SSL Scanning -> scan SSL connections) and the web shield scanner had all appropriate checkboxes disabled.

Even with those, Avast still sets the ImportEnterpriseRoots Enterprise policy in Firefox... causing it to consider as trusted ANY CUSTOM ROOT Certificate that might have been added to the OS certificate store, not just Avast's scanner certificate.

Also, please note that Firefox's Enterprise policies should be used ONLY in an enterprise-related product ... injecting Root certificates into everyone's browsers is a major faux pas imho.

https://bugzilla.mozilla.org/show_bug.cgi?id=1541927  - says right at the top of the thread: Enterprise.

[no face]

injecting Root certificates into everyone's browsers is a major faux pas imho.

Yup, this is not cool. I've always had https scanning turned off because i don't trust third parties installing their own certificates but avast are sneaking it in anyway. They seriously need to respect user's choices, i've already dumped ccleaner after they stealth updated it so don't make me dump this as well.

[Aditza]

I deleted Firefox's cert.db and key.db, (acually named cert9.db and key9.db) and i even uninstalled almost ALL of Avast's scanning modules, i only kept the file shield scanner...

... and after the customary reboot, the avast! Web/Mail Shield Root certificate still gets injected into Firefox, even if at this point, there should be no Avast modules that need it since i uninstalled them.

[no face]

I didn't realise it was that persistent, what i did was i moved it to untrusted root certificates in certmgr.msc. I suppose the question is if the certificate is installed by default but it doesn't do anything? I really don't know but avast needs to be clearer on this stuff and RESPECT USER'S CHOICES. It's been going on well before the latest update though.

[Aditza]

even if you add it to untrusted certificates via certmgr.msc (i did that too), Firefox actually ignores the "untrusted" section from there and loads the revoked certificate as if it were a trusted root certificate.
Try this in your Firefox:
- open Firefox settings (Tools menu -> Options)
- in the options search box type "cert" -> press the View Certificates button
- scroll to the Avast certificate, select it
- press the View certificate button

does your Firefox say that the certificate is valid for use as a SSL Certification Authority?
If so, then adding it to untrusted certificates via certmgr.msc is ignored by your Firefox too.

[no face]

I see what you mean about firefox ignoring untrusted and loading it anyway, even if you delete it from within firefox it just comes back. As to what firefox says about the certificate, i can't see the wording you mentioned about it being valid for use as an SSL Certification Authority within the certificate itself and i have looked through the general and details tabs.

EDIT: I'm seeing this (so it can't be verified)...

[no face]

By the way, the option security.enterprise_roots.enabled in about:config is set to true for me and it was my understanding that if this is so then firefox would import windows certificates as discussed here - https://www.ghacks.net/2019/03/26/firefox-shield-study-to-import-windows-root-certificates/. As outlined on ghacks, it's only being tested for some users to asses the impact. Is yours set to false by any chance?

[Aditza]

So long, and thanks for all the fish, Avast.

https://files.avast.com/iavs9x/avastclear.exe fixed the certificate problem for me.
I am now a happy user of something else :p


https://www.youtube.com/watch?v=N_dUmDBfp6k&t=82

[no face]

Can't say i blame you to be honest, i've been thinking the same thing myself. The certificate just reinstates itself within certmgr after a reboot anyway.