SSL interception in new version of avast

[sebbbb]

Hello there,

I'm wondering how Avast(19.8.2393 (version 19.8.4257.552)) web shield decrypts SSL connection when I am using Firefox 72.0.2?

I read there was multiple ways to do that such as using a firefox extension, an avast root certificate or using the SSLKEYLOGFILE environment variable of NSS if I understand well.

But in my case, I have no extension, the avast root certificate is not used (when I am looking at the certificate chain, I don't see any avast certificate) and SSLKEYLOGFILE seems to not be used.

However, when I block 'google.com' with the web shield and when I search it from https://duckduckgo.com , this is well blocked. It means that avast decrypt the content as expected but how?

Thank you.

[DavidR]

If you are using a security certificate and it is effectively able to intercept that traffic to scan it then it doesn't have to decrypt it.  Decryption is not only (or should be) difficult, but it would also be CPU intensive so you would really see a difference in browsing.

Do you not see it here - Check your Firefox > Options >Privacy & Security > Certificates > View Certificates and you should see Avast there.

[sebbbb]

Thank you very much for your answer.

I not sure to understand what do you mean about "it doesn't have to decrypt it." Also, I believe my question was maybe not very clear, so let me give more details.

As far as I know (but tell me if I am wrong), the certificate given by a server(in my case duckduckgo.com) contains a public key.
This public key is used to
- Either encrypt a session key used to encrypt the HTTP traffic (This is the case of RSA key exchange).
- or either sign parameters used to derive a session key used to encrypt the HTTP traffic (This is the case of the Diffie-Hellman key exchange).
This public key is signed by a trusted authority and the signature can be verified by the public key in the root certificate (I ignore the intermediate certificates for simplicity).

In both cases, for Avast being able to analyze a TLS connection, I see three solutions.
The first one: Firefox directly gives to avast a non-encrypted version of the HTTP traffic
The second one: Avast asks the session key to Firefox with the help of an API for example.
The third one: Avast introduces a root certificate in Firefox. In this case, Avast is able to generate a TLS connection between Firefox and itself.

The two last solutions require a decryption.
However, I cannot find which of the three solutions (or maybe another one) is used by Avast to analyse a TLS connection?


I do see the avast certificate in the Firefox options as shown by the following image : https://imgur.com/V62Jt50
However, this certificate seems to not be used as you can this on the following image : https://imgur.com/U5ohcxs
The point is when I block 'google.com' with the web shield : https://imgur.com/V1Yjz8Z
and when I try to search 'google.com': https://imgur.com/SzzTpUc
This is blocked, as wanted (by the way, note that this this the research in duckduckgo that is blocked and not only the site of 'google.com') : https://imgur.com/8jNBXCB


This is the expected behavior, but I don't understand how does it work technically : Since the avast certificate seems to not be used, how does Avast analyses a TLS traffic?

Thank you

[DavidR]

You mentioned decryption as an option:

I'm wondering how Avast(19.8.2393 (version 19.8.4257.552)) web shield decrypts SSL connection when I am using Firefox 72.0.2?

I'm simply saying that hasn't got to as it is essentially handling the secure connection back to your computer, but if it did have to decrypt secure traffic (if that were possible) it would require a lot of processing power and greatly slow browsing, so you would notice.

Avast isn't using a certificate given by the duckduckgo server (that is validating the site) as such, but using it own certificate, your image is showing the site certificate, not the same as that used by avast to be able to scan the https traffic from the site to you.

If you blocked google.com in the web shield that is the expected behaviour if you are trying to go directly to google.com.
However if you try a search on google.com from duckduckgo, you aren't exactly connecting to google.com, but as it is in the url of the search string, I presume that is why you are getting an avast alert.

I don't fully understand the technicalities of it either as an Avast User like yourself not an Avast Team member.