What is the new certificate?
This depends on your AV manufacturer. It should be a wholly new generated certificate that is signed (or self-signed) upon installation, which is then put in your trusted root store. This way, the certificate is decoupled from the security vendor, and the private key is... well... private and unique to your computer. However, that may or may not happen. The AV vendor could use a single certificate that they generated and included with the installer. In the latter case, if the security vendor loses control of the cert or the signing keys, it leaves the consumers vulnerable.
What are the new attack vectors?
Attack vectors include:
- Bad actors replacing the certificate with their own, and sniffing traffic.
- Security vendor doing something stupid with the certificate like including the private key so that attackers can mint their own certificates from that key and spy on your traffic.
- Altering, changing, and injecting content on pages you visit.
- Security vendor using weak security on the certificates, which is easy for bad actors to break and thus mint their own to take advantage of the cert installed on your machine.
There are numerous other examples of failures resulting from bad implementations, which highlight the intricacies and complexities of trying to do this correctly. In my opinion, there is no need for a security vendor to do this. Vendors claim it will protect you from the dangers of the web, but this supposed increase in security (modest at best) opens you up to the weakest link in the vendor's entire chain. (More humans, more problems.)
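To check which of the cases above applies to a given installation, the following added example (not part of the original answer) inventories the trusted root stores, flags roots whose private key sits on the machine or whose RSA key is short, and compares inventories from two machines to spot a root that was shipped identically to both. It assumes a Windows machine with PowerShell 5.1 or later; the function names, the 2048-bit threshold and the CSV file names are hypothetical choices made for this sketch.

```powershell
# Added example, not from the original answer. Function names, the key-size
# threshold and the CSV file names are assumptions made for this sketch.

function Get-RootInventory {
    param([int]$MinRsaBits = 2048)
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            # GetRSAPublicKey returns $null for non-RSA keys (for example ECDSA).
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $bits = if ($rsa) { $rsa.KeySize } else { $null }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotBefore     = $cert.NotBefore
                HasPrivateKey = $cert.HasPrivateKey
                RsaBits       = $bits
                WeakRsaKey    = [bool]($bits -and $bits -lt $MinRsaBits)
            }
        }
    }
}

function Compare-RootInventory {
    param([string]$PathA, [string]$PathB)
    # Import-Csv yields strings, so HasPrivateKey is compared as text.
    $a = Import-Csv $PathA | Where-Object { $_.HasPrivateKey -eq 'True' }
    $b = Import-Csv $PathB | Where-Object { $_.HasPrivateKey -eq 'True' }
    # A key-bearing root with the same thumbprint on both machines was not
    # generated per installation: both machines hold the same certificate.
    $a | Where-Object { $b.Thumbprint -contains $_.Thumbprint } |
        Sort-Object Thumbprint -Unique
}

$inventory = Get-RootInventory

# Roots this machine could sign with, and roots with a short RSA key.
$inventory | Where-Object { $_.HasPrivateKey -or $_.WeakRsaKey } | Format-List

# Save the inventory so it can be compared with one from another machine.
$inventory | Export-Csv -Path ".\roots-$env:COMPUTERNAME.csv" -NoTypeInformation

# After running the script on a second machine (file names are placeholders):
# Compare-RootInventory .\roots-PC1.csv .\roots-PC2.csv
```

A product may keep its signing key outside the Windows key store, in which case `HasPrivateKey` is false for its root and the comparison should be repeated on the vendor's root by subject name instead.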