Advice Request Avast Web Shield HTTPS Certificate Interception

[petersaints]

I have a question for the community regarding Avast. A long time ago, when I used Avast Free on a daily basis, I noticed that their Web Shield intercepted HTTPS traffic because all of the sudden every HTTPS website I visited was certified by Avast. The Web Shield was basically intercepting all HTTPS requests made by the browser and acting as a "Man in the Middle" (MITM) between the web server and the web browser. Another AV that I have noticed to do EXACTLY the same is the new Kaspersky Free 2019. This concept of having the SSL chain of trust broken by my AV is something that I'm not very fond of. Therefore, I disabled Avast Web Shield for HTTPS traffic. In fact, I eventually disabled it altogether because I don't like the idea of willingly let my AV spy all my web traffic.

I recently tried the current version of Avast Free on a VM and I was surprise to notice that the Web Shield is now lets the browser display the website's certificate, despite the traffic being intercepted by Web Shield. I tested if the an EICAR Test File (Download ° EICAR - European Expert Group for IT-Security) served through HTPS was actually being intercepted, and it was. Therefore, the shield was working correctly for HTTPS traffic, while passing the correct certificate down to the browser.

This new behavior I just described was observed in both Chrome and Firefox. However, I noticed that if I used Edge or IE11, the certificate would show up as coming from Avast. This suggests that Avast is not using a generic approach to ALL HTTPS traffic. Avast Web Shield should be using some interface exposed by Chrome and Firefox to manipulate the certificates more freely. And, no, it's not thanks to the "Avast Online Security" addon/extension. I didn't even installed it and I really doubt it that the a WebExtension is able to do this kind of spoofing.

After all that I've said, does anyone have any idea how is Avast doing this? And why is not Kaspersky doing the same? Have you tried to test if the certificates get replaced or not on other products with a Network Inspection layer?

 

[RoboMan]

The fact that you install a software from a security provider means you have full trust in them. Of course most web filtering modules will inject the browser, this is how they protect you. Even AdGuard does this in order to filter ads and tracking from websites. If you can't handle it then I suggest you use some kind of operating system that needs no antivirus or either live by the fact that every security extension/software will somehow inject your browsers.

 

[Atlas147]

I use Kaspersky free and it does this to all HTTPS websites, however I don't feel that there is any slow down whatsoever so I'm fine with it. As long as it does not compromise speed and security I think I will leave it on.

One of the main ways of telling malicious phishing attacks apart from real websites in the past was the fact that most real websites had HTTPS while the phishing websites didn't, but now that it's so easy to get free SSL certificates for your websites I think this has slowly become obsolete. Even visiting a website with HTTPS now you have to be careful that it's not a phishing website.

 

[Azure]

I recently tried the current version of Avast Free on a VM and I was surprise to notice that the Web Shield is now lets the browser display the website's certificate, despite the traffic being intercepted by Web Shield.

That’s interesting. Did you ask on the Avast forum? Perhaps @RejZoR knows more about this.

 

[petersaints]

The fact that you install a software from a security provider means you have full trust in them. Of course most web filtering modules will inject the browser, this is how they protect you. Even AdGuard does this in order to filter ads and tracking from websites. If you can't handle it then I suggest you use some kind of operating system that needs no antivirus or either live by the fact that every security extension/software will somehow inject your browsers.

I understand your point of view, and since it's completely valid, I didn't saw me asking to remove this feature from Avast or any other product. A clear way to opt-out out of it is more than fine for me.

In fact, if the network inspection is done really well and efficiently I may actually not even want to opt-out. And that's the reason why I wanted to ask the community about what is Avast doing to achieve such a transparent HTTPS traffic scanning on Chrome and Firefox, while other similar products can't.

After searching a bit about the subject I actually found a couple of official blog posts about the project:

• Explaining Avast’s HTTPS scanning feature
• Independent test shows Avast offers best HTTPS protection in the market
• Avast's HTTPS scanner receives A rating

However, other than promoting Avast Web Shield implementation as the best one around, a claim which you should take with a grain of salt because it's coming from Avast. At least, they back up those claims with a couple of academic studies:

• https://madiba.encs.concordia.ca/~x_decarn/papers/tls-proxy-ndss2016.pdf
• The Security Impact of HTTPS Interception

I'm really curious, from a technical point of view, about how did they implement the behavior I've experienced in both Chrome and Firefox. Regarding this topic, the following quote, as mentioned in their blogpost from 2016 mentioned above (Independent test shows Avast offers best HTTPS protection in the market), is all that I could found:

"For the users of Chrome and Firefox we have introduced a new, completely unobtrusive way of scanning the traffic that is even more transparent and allows the browser to best put all the built-in security checks to use."

It at least confirms that HTTPS Chrome and Firefox traffic is handled in a different way from HTTPS traffic coming from other applications. In fact, I suspect that they are probably using some built-in security feature of these two browsers, otherwise they could have applied this new method to all applications. But I also searched a bit about the possibility of Chrome and/or Firefox providing some security scanning interface for HTTPS traffic, but I have not found anything relevant.

​

 

[Ink]

Avast Web Shield should be using some interface exposed by Chrome and Firefox to manipulate the certificates more freely. And, no, it's not thanks to the "Avast Online Security" addon/extension. I didn't even installed it and I really doubt it that the a WebExtension is able to do this kind of spoofing.

After all that I've said, does anyone have any idea how is Avast doing this? And why is not Kaspersky doing the same? Have you tried to test if the certificates get replaced or not on other products with a Network Inspection layer?

Have you tried the Avast Forums?

 

[petersaints]

Have you tried the Avast Forums?

No, I havent't. But I intend to