
I just noticed something weird in my browser: the certificate for www.google.com has been issued by avast! Web/Mail Shield Root. Should I be worried? I am using avast! Antivirus so it's probably a built-in feature, but I don't know why this is happening and what the benefits/risks are.

Screenshot of the certificate tree

Pieter

3 Answers


The whole goal of HTTPS is to prevent eavesdropping so that anyone monitoring your web traffic can't see what you're sending. As useful as it is, HTTPS presents a bit of a problem to antivirus software because when you visit sites over an encrypted connection, your antivirus software cannot see what sites you're visiting or what files you're downloading, at least until the download finishes. This presents a risk because if you download a virus, the antivirus software won't know about it until the download is finished and the virus is already saved to your hard drive, allowing criminals to bypass the "live defense" features of AV by simply hosting the malware on an HTTPS site.

The solution that many antivirus programs use is to install their own SSL certificate as a root certificate so that they can essentially man-in-the-middle all HTTPS traffic to scan for malware. I'm guessing this is what avast! is doing.

Whether this behavior presents additional security issues is debatable but I don't think it's something you need to be deeply concerned about - after all, your own antivirus software is doing the man-in-the-middling, not a malicious party. If it worries you, you can disable this behavior - go to Settings > Active Protection > Web Shield > click on "customize" and tick the box next to "Disable HTTPS scanning." If you do this, avast! won't be able to proactively block malware on HTTPS sites.

tlng05
  • If the AV is doing this for all HTTPS connections, regardless of certificate validity, then you definitely do have a problem. As long as *everything* is running through the SSL proxy, and the SSL proxy is trusted by the browser, you have no way of knowing when a site's certificate should really be trusted or not. – Iszi Nov 23 '14 at 19:23
  • @iszi After installing avast myself I found that indeed this is the case, so it may definitely be safer to disable HTTPS scanning until avast fixes this. – tlng05 Dec 23 '14 at 19:08
  • Is a unique key for the trusted CA Certificate installed on each system? If not, there's a security issue. – mc0e Feb 22 '15 at 16:34
  • This is basically Superfish again. – Shadur Feb 26 '15 at 06:04
  • @Shadur while it appears to do something similar to superfish, it is implemented in a manner that is MUCH more secure, mitigating most of the security risks. See my answer here: https://security.stackexchange.com/questions/82285/are-the-certificates-from-skype-click-to-call-and-avast-web-mail-shield-any/82306?noredirect=1#comment136075_82306 – tlng05 Feb 26 '15 at 10:59
  • FWIW - You can exclude specific URLs from the Avast webshield (via Settings), in case you'd like to turn off HTTPS scanning on specific trusted sites. *(I suppose this would have made more sense as a comment to the accepted answer, but I can't comment yet)* – Fred H Mar 14 '15 at 14:01
  • Note that disabling it does not remove the installed certificate. In order to be truly safe *you need to manually remove the certificate from the root store*. – lc. Oct 16 '15 at 02:35
  • From https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/ " Avast’s trusted Web Shield technology scans HTTPS sites for malware and threats... The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection... We want to emphasize that no one else has the same unique key that you have from the installation generated certificate. This certificate never leaves the computer and is never transmitted over the internet." – Orangutech Mar 17 '16 at 17:23
  • (Need 3 more rep points to add an answer, sorry for the split reply) "As more and more online services are moving to HTTPS, attacks are increasing. An encrypted connection ensures that the connection cannot be modified by anyone else, but it does not guarantee that the actual content being downloaded is safe. Just as with plain HTTP, if a legitimate website is hacked, malware scripts and binaries can be placed into the HTTPS page that appears to be safe. That’s why it is imperative for security software to check this attack vector." – Orangutech Mar 17 '16 at 17:30
  • This answer should be updated to note that in 2020, Avast was caught using this technique to collect user browsing data from users of their antivirus software and sell it to third parties. ([Source](https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation)) So, if you care about your privacy you should not allow an untrustworthy company like Avast to perform SSL interception. – augurar May 02 '20 at 10:11
  • Additionally, studies have found that commercial SSL interception often degrades the security of SSL through faulty implementation.[[1](https://www.us-cert.gov/ncas/alerts/TA17-075A)] – augurar May 02 '20 at 20:50

This is happening because as others described, the Mail/Web shield needs to be able to scan your web traffic before it is saved on your system / does any harm.

Scanning encrypted SSL/TLS sockets requires that Avast can decrypt the connection. There is no other way for Avast to decrypt the connection than to generate its own certificates with a known derived decryption key and then sign them with a custom Root Certificate from Avast installed on your system.

This completely compromises internet privacy. (1) Man-In-The-Middle attacks by any person exchanging the website's keys for their own so that they may tap in on your connection will go unnoticed by your browser. (2) Insecure website certificates (maliciously exchanged, cracked or shared with third parties) will be accepted by your browser and the whole concept of secure, encrypted and authenticated connections is ignored.

There is a checkbox in “preferences” in Avast that says “scan secured connections”. I recommend you turn this off if you value internet privacy.

Vitdom

Comment on @user54791's answer and @iszi's comment:

Avast shields untrusted certificates with a certificate issued by a different issuer, called "avast! Web/Mail Shield Untrusted Root". As long as this issuer stays untrusted, there is still a security warning when an HTTPS connection with an untrusted certificate is accessed.

So there is no need to disable HTTPS scanning for that matter.

Avast's wrapper certificate for untrusted certificates

Adrian W
  • That's only true if you consider Avast to be as competent as your web browser developer to decide whether a site's certificate should be trusted or not. – mhsmith May 31 '17 at 11:05
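An added example, not code from any of the posters or from Avast, that models with Go's standard library the mechanism tlng05's answer describes and the untrusted-root behaviour Adrian W's answer describes: a constructed public CA, a constructed per-install "avast! Web/Mail Shield Root" and a constructed "avast! Web/Mail Shield Untrusted Root" each re-sign a leaf for www.google.com, and `Intercepted` reports when a chain is accepted only because of a root that was added to the machine's store. The CA names are labels on constructed certificates, not Avast's real certificates or keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Roots = []*x509.Certificate // a root store: the CA certificates a verifier trusts

// Issue returns a self-signed root when parentCert is nil (modelling the AV's
// per-install shield root), otherwise a leaf re-signed under that root for the browser.
func Issue(name string, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parentCert == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parentCert == nil { // self-signed: the root signs itself with its own key
		parentCert, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name} // browsers match the host against the SAN
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Trusted reports whether leaf chains to a root in store for host (the browser's decision).
func Trusted(leaf *x509.Certificate, host string, store Roots) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// Intercepted flags the question's situation: valid against the machine's store, not public roots.
func Intercepted(leaf *x509.Certificate, host string, public, system Roots) bool {
	return Trusted(leaf, host, system) && !Trusted(leaf, host, public)
}
```

A chain that validates only once the locally added root is in the store is exactly what the question's screenshot shows; a leaf under the constructed "Untrusted Root" fails in both stores, which is the warning Adrian W's answer relies on.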