Author Topic: Is it possible for avast! to scan SSL traffic?  (Read 17791 times)

0 Members and 1 Guest are viewing this topic.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Is it possible for avast! to scan SSL traffic?
« Reply #30 on: May 23, 2011, 12:25:38 AM »
Simion, the encryption is to prevent any eye on it. If a program can decrypt it, it won't be secure. Think in your banking transactions over https.

I guess I'm not making myself clear here, so I'll rephrase the question: If Avast can decrypt and scan SSL emails, why can't Avast decrypt and scan SSL webpages?

Technically it doesn't decrypt your SSL email. The Mail Shield redirects your email traffic through its local host proxy, that is good for either sent email or received SSL email. But you must allow avast to handle the secure encrypted SSL connection.

So you using your email program want to check your email, the mail shield redirects that connection through its localhost proxy and the secure email comes back in to the localhost proxy at which point it is no longer encrypted and avast can scan it. If the email is clean then it is passed on to your email program/inbox, etc.

The same if you want to send email, that too gets redirected through the localhost proxy (at this point it isn't a secure encrypted connection) and avast can scan it. If it is clean then avast established the secure connection to transmit your email.

If you failed to uncheck the email accounts SSL requirement in your email program, then avast can't intercept and scan the encrypted traffic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sded

  • Guest
Re: Is it possible for avast! to scan SSL traffic?
« Reply #31 on: May 23, 2011, 12:33:52 AM »
What BitDefender appeared to say they were doing was providing browser plug-ins that wouuld scan the incoming SSL traffic after it had already been decrypted by the browser.  So the browser handles all the SSL processes as usual.  But avast! is already scanning the downloads with File System Shield when executed or opened, so may not be much value added ???  Not really scanning SSL traffic, just scanning the decrypted result before it is used by the browser for display or ?.  
Maybe you could also do something like Avast! does with email.  Set up your browser so it never encrypts anything,  but just sends it along to avast! to do the scanning and then set up the SSL sessions and pass the encrypted traffic back and forth to the server, where encryption/decryption is actually done by a proxy using something like openSSL. But that sounds a lot more complicated than email, so ???

Offline Ashish Singh

  • Poster
  • *
  • Posts: 437
  • Proud to be an Indian
    • Quick Heal
Re: Is it possible for avast! to scan SSL traffic?
« Reply #32 on: May 23, 2011, 06:32:23 AM »
Sorry to bother you people again...
Just confused to see this.....
What is this if its not scanning it...

As I already posted the encryption method also changes and also the encrption key length...
Without anything its 128bit encryption public key and after bitdefender its 256 bit public encryption key...
Also method changes to something Calibia
« Last Edit: May 23, 2011, 06:35:15 AM by Ashish Singh »
Windows 7 Ultimate(32 bit), avast! free (always latest released or beta), Intel Core2Duo, 2GB RAM, Outpost Firewall Pro 7.5,IE 9,TuneUp Utilities 2011,Diskeeper 2011

http://www.incredibleindia.org 

Caution! Online world is full of man made Aliens

Offline Ashish Singh

  • Poster
  • *
  • Posts: 437
  • Proud to be an Indian
    • Quick Heal
Re: Is it possible for avast! to scan SSL traffic?
« Reply #33 on: May 23, 2011, 02:25:26 PM »
Hi
  I got reply from eset people here it is from facebook page
Windows 7 Ultimate(32 bit), avast! free (always latest released or beta), Intel Core2Duo, 2GB RAM, Outpost Firewall Pro 7.5,IE 9,TuneUp Utilities 2011,Diskeeper 2011

http://www.incredibleindia.org 

Caution! Online world is full of man made Aliens

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Is it possible for avast! to scan SSL traffic?
« Reply #34 on: May 23, 2011, 03:08:43 PM »
I think you need a follow-up question/s, such as.

OK, so are you saying it actually decrypts the SSL traffic so it can be scanned, as I thought the whole idea of SSL, secure encrypted connections was to keep prying eyes out including AVs ?

So what is it actually scanning ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11820
    • AVAST Software
Re: Is it possible for avast! to scan SSL traffic?
« Reply #35 on: May 23, 2011, 03:13:22 PM »
Well, it is possible - but not by decrypting the crypted stream (i.e. not via a proxy).
Using a browser plugin (or possibly some nasty hack of the browser itself), it's necessary to intercept the data which the browser itself already decrypted.

Offline Simion

  • Advanced Poster
  • **
  • Posts: 921
Re: Is it possible for avast! to scan SSL traffic?
« Reply #36 on: May 23, 2011, 04:47:47 PM »
Simion, the encryption is to prevent any eye on it. If a program can decrypt it, it won't be secure. Think in your banking transactions over https.

I guess I'm not making myself clear here, so I'll rephrase the question: If Avast can decrypt and scan SSL emails, why can't Avast decrypt and scan SSL webpages?
<snip>
Technically it doesn't decrypt your SSL email. The Mail Shield redirects your email traffic through its local host proxy, that is good for either sent email or received SSL email. But you must allow avast to handle the secure encrypted SSL connection.

Thank you, I think that fine line distinction was the missing piece of the puzzle for me. To paraphrase: Avast, through the local host proxy, establishes and decrypts the SSL connection as opposed to the individual emails. Is that correct?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Is it possible for avast! to scan SSL traffic?
« Reply #37 on: May 23, 2011, 05:14:17 PM »
Well it established the SSL connection but it still doesn't decrypt/encrypt that is done outside of the localhost proxy as part of the regular SSL communication. what is in the localhost proxy isn't encrypted (as it is still local).

So it goes something like this for outbound email, email client > avast Mail Shield redirects to localhost proxy and scans > SSL connection > email server. That is essentially the same for inbound or outbound email, as the request originates from your email client.

So any pop3 email coming back would be returned in the same manner, email server, SSL connection > avast! localhost proxy (at this point it is on your system and the SSL communication has ended) so it can be scanned > email client, inbox.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Simion

  • Advanced Poster
  • **
  • Posts: 921
Re: Is it possible for avast! to scan SSL traffic?
« Reply #38 on: May 23, 2011, 06:01:07 PM »
So, is it correct to say that Windows plays an integral part in the actual encryption/decryption, as part of the SSL communication?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Is it possible for avast! to scan SSL traffic?
« Reply #39 on: May 23, 2011, 06:14:02 PM »
I don't know the exact process that handles the encryption/decryption but yes I believe it would have to be windows and not your email client (and definitely not avast!).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Ashish Singh

  • Poster
  • *
  • Posts: 437
  • Proud to be an Indian
    • Quick Heal
Re: Is it possible for avast! to scan SSL traffic?
« Reply #40 on: May 23, 2011, 06:19:19 PM »
again I come to my question. Can we implement this method to avast to scan SSL connections?
Because only thing I have seen in all the three AVs to scan SSL connections is that they only install a certificate in the browsers... I mean eset, Kaspersky,Bitdefender which I have tested.

I didn't find any other changes in my browser or system
« Last Edit: May 23, 2011, 06:25:28 PM by Ashish Singh »
Windows 7 Ultimate(32 bit), avast! free (always latest released or beta), Intel Core2Duo, 2GB RAM, Outpost Firewall Pro 7.5,IE 9,TuneUp Utilities 2011,Diskeeper 2011

http://www.incredibleindia.org 

Caution! Online world is full of man made Aliens

Offline Simion

  • Advanced Poster
  • **
  • Posts: 921
Re: Is it possible for avast! to scan SSL traffic?
« Reply #41 on: May 23, 2011, 06:39:58 PM »
I don't know the exact process that handles the encryption/decryption but yes I believe it would have to be windows and not your email client (and definitely not avast!).
OK Many thanks, DavidR. :)

Offline Simion

  • Advanced Poster
  • **
  • Posts: 921
Re: Is it possible for avast! to scan SSL traffic?
« Reply #42 on: May 23, 2011, 06:41:34 PM »
Hi Ashish, sorry I hijacked your thread, but it is related. :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87071
  • No support PMs thanks
Re: Is it possible for avast! to scan SSL traffic?
« Reply #43 on: May 23, 2011, 07:24:35 PM »
again I come to my question. Can we implement this method to avast to scan SSL connections?
Because only thing I have seen in all the three AVs to scan SSL connections is that they only install a certificate in the browsers... I mean eset, Kaspersky,Bitdefender which I have tested.

I didn't find any other changes in my browser or system

How is it possible to implement something which is totally unclear what it is that they are doing. All I have seen so far is smoke and mirrors, saying it scans SSL, without any idea of how or what it is actually doing.

I guess any idiot AV can scan encrypted files, but what they can't do is decrypt them and scan the contents. Scanning an encrypted file is unlikely to find anything because of the encryption; essentially this is no different if they are going to try and scan an https traffic stream.

If it were so good, why is it disabled by default ?
Wild-assed guess:
Either it is unlikely to detect anything because it is encrypted, which falls into the smoke and mirrors marketing hype. Or there is a huge overhead in doing so.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11820
    • AVAST Software
Re: Is it possible for avast! to scan SSL traffic?
« Reply #44 on: May 23, 2011, 08:24:21 PM »
Thank you, I think that fine line distinction was the missing piece of the puzzle for me. To paraphrase: Avast, through the local host proxy, establishes and decrypts the SSL connection as opposed to the individual emails. Is that correct?

No (or maybe yes, I'm not sure how exactly the question is meant). The connection from the mail client to avast! proxy must not be crypted (i.e. it's necessary to disable SSL in the mail client).
Later, avast! performs an encrypted communication with the e-mail server itself.

Doing the same for web browsers would be a problem (as the browser wouldn't see the remote certificates, wouldn't show you the "encryption" icon, etc.)
But yes, it's possible that avast! will implement a browser plugin for specific browser(s?) in the future which would be able to extract the already-decrypted data from the browser and scan them, before the browser really uses them. No promises though :)