Avast Anti-Virus For Mac Uses “Man In The Middle” Scheme To “Protect” You… Yikes! [UPDATED]

When I was traveling to India and Australia, I started to notice that every time I started Apple Mail, I would get this popup:

Avast 1

What it was telling me was that because I was using SSL, it could not verify the identity of my e-mail server and something else might be pretending to be my e-mail server. That was a concern, and because I first saw this in the Dubai Airport, I thought it was their WiFi that was doing this.

Boy, was I wrong on that front.

I really didn’t have time to pursue it then, but since I’ve got back to Canada, I’ve looked into this and discovered a very troubling cause. When you click on “Show Certificate” you get this:

Avast 2

If you look at the red rectangle, the certificate is issued by “Avast untrusted CA”. Now I run my own mail server and I buy certificates from Verisign. So the only explanation for this is that Avast Anti-Virus For Mac is substituting its own certificates for mine. What’s worse is that it expired around the time I left for my trip, which is why I was getting the pop-ups in the first place. If that hadn’t happened, I would not have noticed. I confirmed that this was the case by disabling their “Mail Shield” feature as pictured below:

Avast 3

The second I did that, the problem went away and I confirmed that the certificates I purchased were in use. I continued to dig and discovered that Avast is doing the same thing with its “Web Shield”. When I go to Google.ca and check the certificate, I get this:

Avast 4

It uses an “Avast trusted CA” certificate. Disabling the “Web Shield” allows the browser to use whatever certificate the website provides.

What Avast is doing is known as a “Man In The Middle Attack”, where you get in the middle of a secure connection between two parties and intercept data. This is very similar to what the adware that Lenovo had on some of their computers was doing. That, my friends, is completely unacceptable. When you use SSL certificates, you are assuming that the connection is secure (or at least as secure as it can be) from those who would like to do something evil to you. So when a company like Avast does something as extremely stupid as this, they potentially expose their customers to all sorts of risks, which is ironic, as you’re using a product like Avast Anti-Virus to protect you from risks. Not only that, one has to wonder what info Avast has access to by doing this. When I go online to bank, can they see my personal info, for example? I doubt they’re looking, but you really have to wonder.
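The post describes the tell-tale sign of this kind of interception: the certificate the client actually receives is signed by a root that was installed locally rather than by the public CA that issued the server’s real certificate. The following script, added here as an example and not part of the original post or of any Avast code, shows how a defender can check for that programmatically: it reads the issuer fields from the `getpeercert()` dictionary Python’s `ssl` module returns and flags a certificate whose issuer is a known interception root or differs from the CA recorded for that host. The host name, the recorded issuer and the sample certificate dictionaries are constructed placeholders; the two Avast CA names are the ones shown in the screenshots above.

```python
"""Added example (not from the post): tell a genuine server certificate apart
from one re-signed by a locally installed interception root, using the
issuer fields the ssl module exposes. Host name and issuer values below are
constructed placeholders, except the two Avast CA names quoted in the post."""
import socket
import ssl

# Assumption: the operator records, out of band, which public CA issued the
# certificate for each host they run (the post's author bought his from Verisign).
EXPECTED_ISSUER_ORGS = {
    "mail.example.invalid": {"VeriSign, Inc."},   # placeholder host and issuer
}

# Issuer names seen in the post's screenshots; neither is a public CA.
KNOWN_INTERCEPTION_ISSUERS = ("Avast trusted CA", "Avast untrusted CA")


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer tuple into {attribute: value}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            fields[attr] = value
    return fields


def classify(host, cert):
    """Classify who signed the presented certificate.

    Returns a (verdict, issuer_name) pair where verdict is one of
    'interception' (signed by a known local interception root),
    'unexpected'   (signed by a CA other than the one recorded for host),
    'ok'           (issuer matches the recorded CA, or host is not recorded).
    """
    fields = issuer_fields(cert)
    cn = fields.get("commonName", "")
    org = fields.get("organizationName", "")
    issuer_name = cn or org or "<no issuer name>"
    if cn in KNOWN_INTERCEPTION_ISSUERS or org in KNOWN_INTERCEPTION_ISSUERS:
        return "interception", issuer_name
    expected = EXPECTED_ISSUER_ORGS.get(host)
    if expected is not None and org not in expected:
        return "unexpected", issuer_name
    return "ok", issuer_name


def fetch_cert(host, port=443, timeout=5.0):
    """Live check: open a TLS connection using the system trust store and
    return the peer certificate as a getpeercert() dict. When a product has
    added its own root to that store, the handshake succeeds and the issuer
    field is where the interception becomes visible."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed certificate dicts in the shape getpeercert() returns; not captured data.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": ((("commonName", "Avast untrusted CA"),),),
}
GENUINE_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),
               (("commonName", "Example Public CA (placeholder)"),)),
}
UNEXPECTED_CERT = {
    "subject": ((("commonName", "mail.example.invalid"),),),
    "issuer": ((("organizationName", "Other CA (placeholder)"),),
               (("commonName", "Other CA Root (placeholder)"),)),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python3 check_issuer.py mail.example.invalid 993
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(host, classify(host, fetch_cert(host, port)))
    else:
        for label, cert in (("intercepted", INTERCEPTED_CERT),
                            ("genuine", GENUINE_CERT),
                            ("unexpected", UNEXPECTED_CERT)):
            print(label, classify("mail.example.invalid", cert))
```

Run without arguments, the script classifies the three constructed certificates; given a host (and optionally a port, such as 993 for an IMAP server), it performs the live connection and reports what actually signed the certificate it was handed. The point of recording the expected issuer per host is that a locally installed root passes the system’s trust check, so the padlock alone says nothing; comparing the issuer against what you know you bought is what exposes the substitution.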

Now my guess is that Avast is using this “Man In The Middle” scheme to intercept any sort of bad stuff that might hit your system. Thus they have good intentions, but it’s still pretty stupid and deserves to be called out, because you have to hope that Avast is going to be trustworthy. Even if they are, some evildoer can leverage what Avast has done to cause all sorts of havoc on your system.

My friends, it’s not worth the risk.

As of last night, I no longer have Avast on any of my Macs. Nor am I recommending it to any of my customers. Plus I will be updating my review on this product to link to this story. Avast really dropped the ball here, and they need to change the way they protect users if they wish to stay in business, because creating an environment where you or some evildoer can snoop on users is not a good business model.

UPDATE: Avast responded to me. Click here to see what they said.

4 Responses to “Avast Anti-Virus For Mac Uses “Man In The Middle” Scheme To “Protect” You… Yikes! [UPDATED]”

  1. That is not right.

  2. Hi IT Nerd,
    We apologize for alarming you during your travels, but we would like to explain our HTTPS scanning feature in order to clarify what Avast is doing, as it is not a MiTM scheme.

    As more and more online services are moving to HTTPS-by-default or even HTTPS-only, attacks are increasingly coming over HTTPS. That’s why it is imperative for security software to check this attack vector. To address this, our trusted Web Shield technology (and Mail Shield) scans HTTPS sites for malware and threats.

    To detect malware and threats on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS traffic that otherwise could not be detected.

    If you do not want Avast to scan HTTPS traffic, you have the option of disabling the feature in the Avast settings: (-> Avast -> Settings -> Active Protection -> Web Shield -> uncheck “Enable HTTPS scanning”)

    Avast whitelists websites if we learn that they don’t accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site.

    I hope this mitigates your anxiety, and that you will continue to trust and use Avast as protection on your Macs and that you will recommend Avast to your customers.

    Best regards,
    Deborah Salmi
    Global social media manager
    Avast Software

  3. […] the shark on the trust front a very long time ago. Remember, these were the guys who were doing a man in the middle attack with their Mac antivirus app in the interests of protecting you. Thus they have a bit of a track […]
