How does avast! add a signature into my webmail?

I have the free version of avast! installed on my computer.
When I just sent an email on https://mail.google.com with Firefox, a signature was added saying that the sent mail is

Virus-free. www.avast.com

I am not asking about how to turn it off, I have already done that.

But I am curious how they managed to add it technically.

Edit (based on comments):
I checked the Firefox Add-ons Manager, but I cannot find any Extension or Plugin from avast!.

This seems to imply that a program installed on my computer can modify the content of a website I am viewing.

hirse

Posted 2016-04-17T09:13:25.027

Seemed to be security-related, where else could I ask it? – hirse – 2016-04-17T09:47:19.753

@hirse: My guess is that you have a Firefox extension from Avast installed. Such extensions have access to the plain text data, i.e. before encryption. – Steffen Ullrich – 2016-04-17T09:58:52.167

@SteffenUllrich, I cannot find an extension or plugin from avast in the Firefox Add-on Manager. – hirse – 2016-04-17T10:13:58.287

If it's not done with a Firefox extension then they do SSL interception, i.e. you would see their MITM CA as trusted in the browser's CA store. Although the browser is then probably configured to use a (local) proxy. – Steffen Ullrich – 2016-04-17T11:48:27.350

It seems that Avast is using different methods for different browsers as this answer explains. Firefox shows legitimate certificates, so I guess they use number 1 for it. With Edge they seem to be proxying with their own root CA. – techraf – 2016-04-18T05:40:45.620

Answers

That's because your antivirus software is attacking you via a man-in-the-middle attack. Or at least that's the possibility I'll talk about below.

People have downvoted this answer and demanded evidence for my claims. Fortunately, someone already added links in the comments. Kaspersky, Bitdefender (see next mention of the word "Bitdefender"), and avast! do this for sure. I don't know about the others. You can also watch this video about it. (Unfortunately, the video is in German but you'll still be able to see what's happening even if you don't speak German. Start watching at 1:40 in this case.)

Go onto a https page (like the GMail website) and click on the small lock left of the address bar of your browser.

Then you have to figure out how to get information about the connection. In Firefox, you have to click onto the arrow button on the right. You already see what you need to see but click onto "More Information" anyways. A window like this will be shown:

As you can see, I visited Wikipedia to create this screenshot and the identity of the website is verified by GlobalSign nv-sa. In your case, you will see the name of your antivirus software or something related to that.

What's happening here is that the antivirus software is directing your browser's traffic through a software it provides. To do so, it intercepts your browser's traffic through a man in the middle.

I'm calling this a man-in-the-middle attack not only because it follows the same principle as a malicious man-in-the-middle attack but also because it can severely increase the vulnerability of your system if malicious software (the authors of which can't sign certificates themselves and therefore not intercept your https traffic without you noticing) uses your antivirus software to read the traffic. Furthermore, Bitdefender severely decreases the security of the connection as you can see in this video at 4:38 or by trying it yourself. The user – of course – isn't told this and therefore is attacked by the software they use to defend themselves. Even if it didn't harm the user, it'd still be a man-in-the-middle attack according to definitions you can find online (including the one on Wikipedia).

This is easy enough to do with http. But if you're using https, you'd think that the antivirus software can't read anything. But it can because you're not connecting securely to the webserver but to your antivirus software. It then reads the traffic, manipulates it if it wishes to do so, and encrypts it again. (So there is a secure connection between your antivirus software and GMail.)

Your antivirus software can then just do with your emails (Or any other traffic!) whatever it wants.

UTF-8

Posted 2016-04-17T09:13:25.027

No, it is not the case with Avast. Certificate path to mail.google.com on Firefox is: GeoTrust Global CA -> Google Internet Authority G2 -> mail.google.com. All certificates have correct signatures and Avast still injects its <div> into the email. – techraf – 2016-04-17T13:02:59.307

-1 an anti-virus company that did that wouldn't be in business for long, it would be unable to retain business customers (and savvy individuals). If you can edit your answer with evidence to substantiate your claim, I'll gladly up vote. – None – 2016-04-17T13:32:52.180

@Nathan Many companies do so. Including Kaspersky and Avast. Your comment is uninformed to say the least. – techraf – 2016-04-17T13:38:39.367

Seems you're right, I'm astounded they do that, thanks for the links. Glad I've never used either of them! (if you make a small edit to your answer [my vote is locked in], I will up vote, sorry) – None – 2016-04-17T13:44:09.317

The technical content of this answer seems strong enough. However, my down-vote is because this should not be considered an attack. Virus scanners have been designed, over several decades, to scan incoming traffic streams and to alert users to potential problems. If you do not want to trust a virus scanner at this level, do not install it. – None – 2016-04-17T14:27:57.700

@Nathan I added this to the answer. Thank you, @ techraf. (I can't notify both of you, apparently.) – UTF-8 – 2016-04-17T14:46:29.017

@BrentKirkpatrick I added an explanation of why this is a man-in-the-middle attack. – UTF-8 – 2016-04-17T14:47:25.003

As I understand, use of the word "attack" implies some form of unauthorized access. This means your post is saying that the virus scanner is accessing files/data streams in an unauthorized fashion. This is simply not true, since the user gave the program permission to run. – None – 2016-04-17T14:52:48.027

@BrentKirkpatrick At no point is the user told that their traffic will be searched nor that this will severely reduce the security of their https connections (it makes it easier for third parties to search the traffic, too). But because this is a discussion about what qualifies as a man-in-the-middle attack and not about technical stuff, I'll stop discussing it. – UTF-8 – 2016-04-17T14:56:34.340

Let us continue this discussion in chat. – None – 2016-04-17T15:10:34.750

Antivirus companies do indeed tell users how their computer is made more secure by monitoring incoming data streams. This fact is well publicized as a benefit of antivirus software, since the software will stop trojans and virus before they are executed by the machine. To call this feature of antivirus software an "attack" is disingenuous. – None – 2016-04-17T15:21:03.507

I appreciate the detail in this explanation, but I'm curious about one detail - the answer says that when connecting to a site where Avast is intercepting traffic, I would see Avast or something like that as the Verifier. However, I'm getting these Avast footers inserted in my web-based Gmails like the OP, but when I follow the steps outlined in this answer, I see "Verified by Google Inc." So how is Avast intercepting them? – SSilk – 2017-05-20T17:36:46.223

@SSilk Can you go check the Details tab? If your traffic isn't intercepted, GeoTrust Global CA should be the root CA which verifies Google Internet Authority G2 which in turn verifies mail.google.com. If you use avast!, the root CA should be Avast trusted CA which directly verifies mail.google.com. I don't have access to any computer with avast! installed, but they might be using a wildcard certificate (*.google.com), so it might show that. Wildcard certificates are commonly used for intercepting traffic. – UTF-8 – 2017-05-20T21:44:19.713

The decreased security mentioned at 4:38 in the video is not necessarily an issue: There are two encrypted communications going on here: The browser with BitDefender and BitDefender with the server.

The latter one is the more important one, since it is transmitted over the internet, while the first one stays on the machine. And the weak encryption displayed applies only to the first (less important) connection. It is totally possible that the latter connection is still perfectly secure. But the user has no way of checking this unfortunately. – Andreas – 2018-07-06T21:58:58.093

@Andreas Any violation of the end-to-end principle is a security problem. Not a non-issue. Not an issue. A problem. – UTF-8 – 2018-07-07T11:29:05.247
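Added example, not part of the original thread: a small Python checker that automates the certificate inspection the answer describes and the two signs raised in the comments (an issuer that is not the site's real CA, a wildcard leaf such as *.google.com). The allow-list of issuer organizations and the "Avast" issuer values in the sample are assumptions and constructed data, not captured certificates; as techraf's comment notes, a clean chain only rules out TLS interception, not injection done inside the browser by other means.

```python
import socket
import ssl
from typing import Any, Dict, List, Tuple

# Issuer organizations the thread names for the un-intercepted mail.google.com
# chain (GeoTrust Global CA -> Google Internet Authority G2). Hypothetical
# allow-list: maintain it for the sites you actually care about.
EXPECTED_ISSUER_ORGS = {"Google Inc", "GeoTrust Inc."}

def _rdn_to_dict(rdn_seq) -> Dict[str, str]:
    """Flatten the nested tuples ssl.getpeercert() uses for subject/issuer."""
    return {key: value for rdn in rdn_seq for key, value in rdn}

def classify_cert(cert: Dict[str, Any],
                  expected_orgs=EXPECTED_ISSUER_ORGS) -> Tuple[str, List[str]]:
    """Return ('ok' | 'suspect', reasons) for a getpeercert()-style dict,
    flagging the signs the thread discusses: an issuer that is not the site's
    real CA, a wildcard leaf, and a leaf that signs itself."""
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    reasons = []
    org = issuer.get("organizationName", "")
    if org not in expected_orgs:
        reasons.append(f"unexpected issuer organization: {org!r}")
    if subject.get("commonName", "").startswith("*."):
        reasons.append("wildcard leaf certificate")
    if subject == issuer:
        reasons.append("self-signed leaf certificate")
    return ("suspect" if reasons else "ok"), reasons

def fetch_leaf_cert(host: str, port: int = 443) -> Dict[str, Any]:
    """Fetch the leaf certificate this machine's TLS path presents for host.
    The OS trust store is used, so a local interception root installed there
    validates; a verification error instead means that root is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format, not real captured certificates.
DIRECT_SAMPLE = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Google Inc"),),
               (("commonName", "Google Internet Authority G2"),)),
}
INTERCEPTED_SAMPLE = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Avast"),), (("commonName", "Avast trusted CA"),)),
}
```

To check a live machine, run `classify_cert(fetch_leaf_cert("mail.google.com"))` and compare the issuer it reports with what the browser's certificate viewer shows.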