Author Topic: "SSL/TLS Connection Detected" alert always flashing on screen, won't go away  (Read 83139 times)


tumic (Avast team)

For gmail there should be no action necessary as the "System Roots" keychain contains the certificate of the appropriate CA by default.

I take back what I took back, I promise what I promised...

Sorry, the CA used for Google gmail is NOT in the "System Roots" keychain (at least not on 10.6.), so it must be added to the "System" keychain manually.
« Last Edit: February 23, 2012, 02:12:27 PM by tumic »

pucicu (Guest)

Hi,

in order to use SSL/TLS connection to my mailserver, I have to switch off the corresponding settings in my MailClient (i.e. Apple Mail) and simply choose such settings allowing for unsecure connection. Every time Apple Mail tries to connect to the Mailserver, this request will be passed to avast! and avast! will then connect using SSL/TLS.

Is this correct?

However, I wonder how can I be sure that the Mail transfer is really secured and really handled by avast! and not somehow bypassed, or that Apple Mail is not connecting in parallel to the Mailserver by the – now – unsecure way? For example, if avast! has crashed?

Pucicu

Asyn

W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

pucicu (Guest)

OK, thanks, and what about my second, more important question?

.: Mac :.

> OK, thanks, and what about my second, more important question?

A good many of the popular email services now require encryption (check with your email provider). If Avast was not running to forward the secured connection, the mail server would reject the connection in this case.
"People who are really serious about software should make their own hardware." - Alan Kay

pucicu (Guest)

I know only providers which allow both secure and insecure connections. Therefore, in my opinion, it is problematic to just switch off the secure connection to the mailserver in the mail client. Better would be (perhaps) to use a certain port in the mail client, which ensures that connections will fail if avast is not working.


Asyn

> I know only providers which allow both secure and insecure connections. Therefore, in my opinion, it is problematic to just switch off the secure connection to the mailserver in the mail client. Better would be (perhaps) to use a certain port in the mail client, which ensures that connections will fail if avast is not working.

If your data is that sensitive, you may consider something like this: http://www.gpgtools.org/

tumic (Avast team)

> However, I wonder how can I be sure that the Mail transfer is really secured and really handled by avast! and not somehow bypassed, or that Apple Mail is not connecting in parallel to the Mailserver by the – now – unsecure way? For example, if avast! has crashed?

You can set up the firewall to block all outgoing connections to the non-SSL ports:

Code:
# Block outgoing plaintext POP3 (port 110)
ipfw add deny tcp from me to any dst-port 110
# Block outgoing plaintext IMAP (port 143)
ipfw add deny tcp from me to any dst-port 143

This way, you won't connect to the non-SSL servers in case the mailshield is off.

pucicu (Guest)

Hello,

thanks for your replies!

And yes, I'm already using gpgtools. The problem is that most of the other people around do not use it.

The idea with the firewall is good. But as with everything, it is not so easy. Unfortunately, I also need to contact one mailserver which doesn't provide SSL. Nevertheless, I think your suggestion works fine for most of the people.

Thanks again!
Pucicu

Asyn

> 1. thanks for your replies!
> 2. And yes, I'm already using gpgtools. The problem is that most of the other people around do not use it.

1. You're welcome.
2. It's a pity.

tumic (Avast team)

> The idea with the firewall is good. But as with everything, it is not so easy. Unfortunately, I also need to contact one mailserver which doesn't provide SSL. Nevertheless, I think your suggestion works fine for most of the people.

The firewall rules do not have to be as simple as the example. You can specify the exact hosts to be blocked (or passed through).
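
One way to check that the deny rules from this thread, together with any per-host exceptions, are actually in effect. This is an added example, not code from the original posts or from Avast; the host names are constructed placeholders and the function names are hypothetical.

```python
import socket

# The two plaintext mail ports that the ipfw rules in this thread deny.
PLAINTEXT_PORTS = {110: "POP3", 143: "IMAP"}

def probe(host, port, timeout=3.0):
    """Try one outgoing TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # handshake completed: nothing blocked it
    except ConnectionRefusedError:
        return "refused"          # a reset came back; no service reachable there
    except OSError:
        return "unreachable"      # timeout, local firewall error, DNS failure, ...

def audit(hosts, allowed=(), ports=PLAINTEXT_PORTS, timeout=3.0):
    """Return (host, port, protocol) for every plaintext mail port that is
    reachable although it is not on the exception list."""
    allowed = set(allowed)
    findings = []
    for host in hosts:
        for port, proto in ports.items():
            if (host, port) in allowed:
                continue          # deliberate exception, e.g. a server without SSL
            if probe(host, port, timeout) == "open":
                findings.append((host, port, proto))
    return findings

if __name__ == "__main__":
    # Constructed placeholder names; substitute your own mail servers.
    servers = ["mail.example.org", "legacy.example.net"]
    exceptions = [("legacy.example.net", 110)]
    for host, port, proto in audit(servers, exceptions):
        print(f"plaintext {proto} to {host}:{port} is NOT blocked")
```

An empty result means none of the listed servers could be reached on a plaintext mail port outside the exception list.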

NiveusLuna (Guest)

I'm getting an error from Avast! when I try to check my email using Opera. It says that I'm getting an invalid/unknown SSL cert from imap.gmail.com.

I have Avast! set to use only SSL for "imap.gmail.com".

What should I do to correct this?

tumic (Avast team)

> I'm getting an error from Avast! when I try to check my email using Opera. It says that I'm getting an invalid/unknown SSL cert from imap.gmail.com.
>
> I have Avast! set to use only SSL for "imap.gmail.com".
>
> What should I do to correct this?

You have to add the certificate of the certification authority that signed imap.gmail.com to the "System" keychain before adding imap.gmail.com to the SSL-only list, as the certification authority is not in the "System Roots" keychain. The certificate you are searching for is Equifax Secure Certificate Authority and can be downloaded from http://www.geotrust.com/resources/root-certificates/

tbernis (Guest)

I too get the annoying ssl pop ups. I use Postbox express with imap gmail.
I tried to resolve the problem using the tips I found here, moved the server
to keychain system, disabled ssl on Postbox, added server on avast advanced
setup, and several combinations of all the tips, but nothing,...

Postbox tries to access gmail but nothing... endless activity donut...

I finally turned everything back to the original setup and disabled avast mail shield.

I'm disappointed with the way Avast tries to tackle email protection, the solution
should be a simple drop in, you can't expect the users to start fiddling around with
system configuration options just to get Avast to work...

This is a -1 for you Avast, I'm keeping you around a while to see how everything
else works and hopefully you'll resolve the email problem with the next update !!

 
« Last Edit: April 05, 2012, 06:08:42 PM by tbernis »

tumic (Avast team)

> I too get the annoying ssl pop ups. I use Postbox express with imap gmail.
> I tried to resolve the problem using the tips I found here, moved the server
> to keychain system, disabled ssl on Postbox, added server on avast advanced
> setup, and several combinations of all the tips, but nothing,...

If done the right way, it must work. The whole procedure in 3 steps:
  • Download the Equifax Secure Certificate Authority certificate (http://www.geotrust.com/resources/root-certificates/) and install it into your System keychain using the keychain utility
  • Add imap.gmail.com (or pop.gmail.com for POP3) to the list of SSL-only servers in the avast! preferences
  • Disable SSL in your mail client

If you still see error/warning popups, look into the system log.

> I'm disappointed with the way Avast tries to tackle email protection, the solution
> should be a simple drop in, you can't expect the users to start fiddling around with
> system configuration options just to get Avast to work...

There will probably be some automatic configuration in the future, but note that the auto-configuration tool has to "play" with your security settings, so letting it "somehow work" without knowing what is going on is not really recommended...