20

My girlfriend has a years-old laptop from Lenovo. I checked it over and wasn't surprised that the Superfish / Komodia root CA certificate was not present. However, I found some others that appear to be similar in function, if not in purpose.

There are keys which appear to have been installed by Avast anti-virus and Skype, both of which are expected to be on the machine. However, the purpose of these keys is presumably quite similar to Superfish's: interception of secure web content by dynamically creating signed SSL certificates for remote sites.

This potentially opens up similar security issues to what was found with the Superfish software, i.e. if an attacker has these keys, they can issue certificates that will be trusted by the local computer.

1) If I understand correctly, in order for these programs to play MITM, they need to have access to the private key associated with the installed certificate authority, so it can be obtained by reverse engineering the software. Correct?

2) Can anyone confirm whether or not these keys are individually generated for each installation?

mc0e
  • @AndréDaniel that seems like a good way for the extension to operate, but then what is the certificate installed for? – mc0e Mar 03 '15 at 12:25
  • I said that based on the fact that their extension is only compatible with certain browsers (a certificate-based approach would work for any browser), but it turns out I was wrong (Google for "skype click to call certificate"). Sorry about that. :c –  Mar 03 '15 at 13:43

2 Answers

20

My understanding is that Superfish installs the exact same certificate and private key into every computer, so once you obtain the hard-coded private key you can use it to man-in-the-middle anyone who has Superfish installed. Avast does not do this; it dynamically generates a unique certificate and private key for every install.

This is what the Avast certificate on my desktop looks like: [screenshot: the Avast root certificate on the desktop]

And here is the Avast certificate on my laptop: [screenshot: the Avast root certificate on the laptop]

So clearly, they are different certificates. This means I cannot just grab the Avast private key from my own computer and use it to attack someone else who has Avast installed. The same cannot be said for Superfish.

Another difference is that Avast does not just blindly man-in-the-middle everything. Instead, it first verifies the validity of the original certificate. If the original certificate is valid, it will proceed to man-in-the-middle the traffic so it can scan for malware. But if there is a problem with the original certificate, it will intentionally man-in-the-middle with a certificate NOT installed in the trusted certificate list, generating a browser warning. You can see this working in the screenshots below:

When visiting a website with a valid certificate, Avast MITMs the traffic to scan for malware...

[screenshot: certificate for a valid site, issued by the Avast Web/Mail Shield root]

But if I visit a site with a self-signed certificate, Avast will intentionally MITM with an untrusted certificate to generate a browser warning - notice the name "Avast Web/Mail Shield UNTRUSTED root"

[screenshot: browser warning showing the issuer "Avast Web/Mail Shield UNTRUSTED root"]

This way, Avast avoids accidentally causing a user to visit a website with a bad certificate. It's not perfect, but it's still a lot safer than blindly man-in-the-middling everything, with a root certificate that is identical and trusted on every computer like Superfish does.

tlng05
  • Actually, Superfish also tries to verify the original certificate, but it fails majorly: https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/ – huyz Feb 23 '15 at 07:05
  • What happens if, for example, you visit Google but its certificate is issued by GoDaddy? – Iszi Feb 24 '15 at 13:26
  • @iszi I don't think that would be possible unless GoDaddy gets compromised or Google decides to switch to GoDaddy. – tlng05 Feb 24 '15 at 17:03
  • @user54791 Ever hear of DigiNotar? – Iszi Feb 24 '15 at 18:08
  • @Iszi If an attacker manages to obtain a valid, non-revoked certificate issued by GoDaddy for google.com, all browsers would automatically trust it and it wouldn't matter if Avast is installed. If it's later revoked, Avast will realize that and block access to the page. Then it displays a popup "Avast web shield has blocked access to this page because the certificate has been revoked." – tlng05 Feb 24 '15 at 20:56
  • @user54791 "...it wouldn't matter if Avast is installed" is incorrect. With Avast (or any SSL proxy) installed, the end-user will never see the original certificate. This deprives the end user (and any other utilities behind the proxy) of the ability to verify the real certificate against certificates seen previously by them, other trusted parties, or the online community. This removes their ability to independently judge the validity of the certificate, or the signing authority, for themselves. [My answer on a related question](http://security.stackexchange.com/a/82422/953) has more details. – Iszi Feb 24 '15 at 22:35
  • @Iszi You can turn off Avast's HTTPS scanning to see the real certificate with literally three clicks, so I think anyone knowledgeable or concerned enough to want to check the certificate manually can still easily do so. People who want to use browser plugins to check certificates can disable it permanently in settings. For the majority of end users, getting infected with malware is probably a bigger security threat than the off chance of encountering a compromised certificate, so I think the default of enabling HTTPS scanning is sensible. – tlng05 Feb 25 '15 at 02:04
  • The point remains that even the most secure SSL proxy leaves you more vulnerable to a MitM attack than none at all, and Avast adds nothing to protect a user against an attacker tricking them into entering their critical information into a spoofed web form. Any security-conscious user is probably more comfortable forgoing the extra antivirus protection than accepting higher MitM risk. Regardless, this is not a choice we should have to make. – Iszi Feb 25 '15 at 15:02
  • This is an excellent answer w.r.t. Avast. I would have liked more info regarding Skype Click to Call, but in retrospect I should probably have made this two questions, so I'll mark this as correct. – mc0e Mar 03 '15 at 12:30
0

If you are unsure about Avast's behaviour, check the Avast certificate's validity dates.

Avast reports, as of now, the certificate to be valid between 2013-10-22 and 2016-07-06 (the expiry date) for this page over HTTPS, issued to *.stackexchange.com, and issued by

"avast! Web/Mail Shield Root".

After disabling Avast protection for 10 minutes and checking again, the certificate has exactly the same info; the only change is that the issuer becomes

"DigiCert SHA2 High Assurance Server CA"

The expiry date of the original certificate isn't changed, and neither is what it's issued to.
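Both answers describe behaviour that can be reproduced offline with nothing but a certificate library: a root whose private key is identical on every install (the Superfish model) versus one generated per install (the Avast model, first answer); an interceptor that validates the upstream certificate first and re-signs under the trusted local root only if validation passed, otherwise under a root the browser does not trust (first answer); and a re-signed leaf that keeps the original subject and expiry date while the issuer changes (second answer). The Go program below is an added example written for this page; it is not code from Avast, Superfish, Komodia or Skype. Every CA name, the host names, the validity windows and the key type are made up, and `proxyResign` is modelled on the first answer's description of Avast's behaviour, not on Avast's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyed is a certificate together with its private key; for a root, that key is what an attacker needs to forge.
type keyed struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // demo code: any failure here is a bug, not a runtime condition
	}
	return v
}

// sign gives tmpl a random serial, signs it with parent's key (self-signed when parent is nil) and parses the result.
func sign(tmpl *x509.Certificate, parent *keyed) *keyed {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &keyed{tmpl, key}
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &keyed{must(x509.ParseCertificate(der)), key}
}

// newCA generates a fresh self-signed root; every CA name in this file is made up.
func newCA(name string) *keyed {
	return sign(&x509.Certificate{
		Subject:   pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:      true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
}

// issueLeaf signs a server certificate for host under root; the validity window is the caller's, so an interceptor can copy the original's.
func issueLeaf(root *keyed, host string, notBefore, notAfter time.Time) *x509.Certificate {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:   notBefore, NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root).cert
}

// trusts is the browser-side check: would a client whose trust store holds root accept cert for host?
func trusts(cert *x509.Certificate, host string, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// proxyResign models the first answer's description (not Avast's actual code): validate the upstream
// certificate against the public root first; re-sign under the locally trusted root only if that passed,
// otherwise under a root the client does not trust, so the browser still warns. Subject and validity are copied.
func proxyResign(orig *x509.Certificate, host string, public *x509.Certificate, trusted, untrusted *keyed) *x509.Certificate {
	signer := untrusted
	if trusts(orig, host, public) {
		signer = trusted
	}
	return issueLeaf(signer, host, orig.NotBefore, orig.NotAfter)
}

// runScenarios plays out the situations the answers describe and reports what the victim's browser would conclude.
func runScenarios() map[string]bool {
	past, host := time.Now().Add(-time.Hour), "security.stackexchange.com"
	shared := newCA("Superfish-style shared root") // the same key pair on every install
	installA, installB := newCA("Avast-style root, install A"), newCA("Avast-style root, install B")
	public, untrusted := newCA("public CA, stand-in for DigiCert"), newCA("Web/Mail Shield UNTRUSTED root")
	forged := issueLeaf(shared, "bank.example", past, past.Add(2*time.Hour))   // attacker holds the shared key
	forgedA := issueLeaf(installA, "bank.example", past, past.Add(2*time.Hour)) // attacker holds install A's key
	valid := issueLeaf(public, host, past, past.Add(365*24*time.Hour))
	bad := issueLeaf(newCA("CA nobody trusts"), host, past, past.Add(2*time.Hour)) // fails validation like a self-signed cert
	resigned := proxyResign(valid, host, public.cert, installA, untrusted)
	badResigned := proxyResign(bad, host, public.cert, installA, untrusted)
	return map[string]bool{
		"sharedRootForgedElsewhere": trusts(forged, "bank.example", shared.cert),    // machine B trusts the same root
		"perInstallForgedElsewhere": trusts(forgedA, "bank.example", installB.cert), // machine B has its own root
		"validResignedTrusted":      trusts(resigned, host, installA.cert),
		"badResignedTrusted":        trusts(badResigned, host, installA.cert),
		"keepsSubjectAndExpiry":     resigned.Subject.CommonName == valid.Subject.CommonName && resigned.NotAfter.Equal(valid.NotAfter),
		"changesIssuer":             resigned.Issuer.CommonName != valid.Issuer.CommonName,
	}
}

func main() {
	fmt.Println(runScenarios())
}
```

Run it with `go run` (Go 1.18 or later, for the generic `must`). The shared-root forgery is accepted on the second machine while the per-install forgery is not, which is the whole difference between the two models; the re-signed certificate for the valid site chains to install A's root with the original subject and expiry intact and only the issuer replaced, exactly what the second answer observed by comparing the page with and without Avast, while the re-signed certificate for the site that failed validation chains to nothing the client trusts.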