Thank you very much for your answer.
I am not sure I understand what you mean by "it doesn't have to decrypt it." Also, I believe my question was maybe not very clear, so let me give more details.
As far as I know (but tell me if I am wrong), the certificate given by a server (in my case duckduckgo.com) contains a public key.
This public key is used to
- either encrypt a session key used to encrypt the HTTP traffic (this is the case of RSA key exchange),
- or sign parameters used to derive a session key used to encrypt the HTTP traffic (this is the case of the Diffie-Hellman key exchange).
This public key is signed by a trusted authority and the signature can be verified by the public key in the root certificate (I ignore the intermediate certificates for simplicity).
In both cases, for Avast to be able to analyze a TLS connection, I see three solutions.
The first one: Firefox directly gives Avast a non-encrypted version of the HTTP traffic.
The second one: Avast asks Firefox for the session key, with the help of an API for example.
The third one: Avast introduces a root certificate in Firefox. In this case, Avast is able to generate a TLS connection between Firefox and itself.
The last two solutions require decryption.
However, I cannot find which of the three solutions (or maybe another one) is used by Avast to analyse a TLS connection.
I do see the Avast certificate in the Firefox options, as shown by the following image:
https://imgur.com/V62Jt50
However, this certificate does not seem to be used, as you can see in the following image:
https://imgur.com/U5ohcxs
The point is, when I block 'google.com' with the web shield:
https://imgur.com/V1Yjz8Z
and when I try to search 'google.com':
https://imgur.com/SzzTpUc
This is blocked, as wanted (by the way, note that it is the search in duckduckgo that is blocked, and not only the site 'google.com'):
https://imgur.com/8jNBXCB
This is the expected behavior, but I don't understand how it works technically: since the Avast certificate does not seem to be used, how does Avast analyse TLS traffic?
Thank you