Author Topic: SSL interception in new version of avast  (Read 329 times)

0 Members and 1 Guest are viewing this topic.

Offline sebastien15753

  • Newbie
  • *
  • Posts: 2
SSL interception in new version of avast
« on: January 29, 2020, 12:03:42 AM »
Hello there,

I'm wondering how Avast(19.8.2393 (version 19.8.4257.552)) web shield decrypts SSL connection when I am using Firefox 72.0.2?

I read there was multiple ways to do that such as using a firefox extension, an avast root certificate or using the SSLKEYLOGFILE environment variable of NSS if I understand well.

But in my case, I have no extension, the avast root certificate is not used (when I am looking at the certificate chain, I don't see any avast certificate) and SSLKEYLOGFILE seems to not be used.

However, when I block 'google.com' with the web shield and when I search it from https://duckduckgo.com , this is well blocked. It means that avast decrypt the content as expected but how?

Thank you.

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 82691
  • No support PMs thanks
Re: SSL interception in new version of avast
« Reply #1 on: January 29, 2020, 12:22:43 AM »
If you are using a security certificate and it is effectively able to intercept that traffic to scan it then it doesn't have to decrypt it.  Decryption is not only (or should be) difficult, but it would also be CPU intensive so you would really see a difference in browsing.

Do you not see it here - Check your Firefox > Options >Privacy & Security > Certificates > View Certificates and you should see Avast there.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.1.2397 (build 20.1.5069.558) UI-1.0.460/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline sebastien15753

  • Newbie
  • *
  • Posts: 2
Re: SSL interception in new version of avast
« Reply #2 on: January 29, 2020, 08:53:19 PM »
Thank you very much for your answer.

I not sure to understand what do you mean about "it doesn't have to decrypt it." Also, I believe my question was maybe not very clear, so let me give more details.

As far as I know (but tell me if I am wrong), the certificate given by a server(in my case duckduckgo.com) contains a public key.
This public key is used to
- Either encrypt a session key used to encrypt the HTTP traffic (This is the case of RSA key exchange).
- or either sign parameters used to derive a session key used to encrypt the HTTP traffic (This is the case of the Diffie-Hellman key exchange).
This public key is signed by a trusted authority and the signature can be verified by the public key in the root certificate (I ignore the intermediate certificates for simplicity).

In both cases, for Avast being able to analyze a TLS connection, I see three solutions.
The first one: Firefox directly gives to avast a non-encrypted version of the HTTP traffic
The second one: Avast asks the session key to Firefox with the help of an API for example.
The third one: Avast introduces a root certificate in Firefox. In this case, Avast is able to generate a TLS connection between Firefox and itself.

The two last solutions require a decryption.
However, I cannot find which of the three solutions (or maybe another one) is used by Avast to analyse a TLS connection?


I do see the avast certificate in the Firefox options as shown by the following image : https://imgur.com/V62Jt50
However, this certificate seems to not be used as you can this on the following image : https://imgur.com/U5ohcxs
The point is when I block 'google.com' with the web shield : https://imgur.com/V1Yjz8Z
and when I try to search 'google.com': https://imgur.com/SzzTpUc
This is blocked, as wanted (by the way, note that this this the research in duckduckgo that is blocked and not only the site of 'google.com') : https://imgur.com/8jNBXCB


This is the expected behavior, but I don't understand how does it work technically : Since the avast certificate seems to not be used, how does Avast analyses a TLS traffic?

Thank you

Offline DavidR

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 82691
  • No support PMs thanks
Re: SSL interception in new version of avast
« Reply #3 on: January 29, 2020, 10:44:06 PM »
You mentioned decryption as an option:
Quote from: sebastien15753
I'm wondering how Avast(19.8.2393 (version 19.8.4257.552)) web shield decrypts SSL connection when I am using Firefox 72.0.2?

I'm simply saying that hasn't got to as it is essentially handling the secure connection back to your computer, but if it did have to decrypt secure traffic (if that were possible) it would require a lot of processing power and greatly slow browsing, so you would notice.

Avast isn't using a certificate given by the duckduckgo server (that is validating the site) as such, but using it own certificate, your image is showing the site certificate, not the same as that used by avast to be able to scan the https traffic from the site to you.

If you blocked google.com in the web shield that is the expected behaviour if you are trying to go directly to google.com.
However if you try a search on google.com from duckduckgo, you aren't exactly connecting to google.com, but as it is in the url of the search string, I presume that is why you are getting an avast alert.

I don't fully understand the technicalities of it either as an Avast User like yourself not an Avast Team member.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.1.2397 (build 20.1.5069.558) UI-1.0.460/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro