Avast Responds To My Post About Their Anti-Virus Product

Frequent readers will recall that while I was traveling on business in India and Australia, I tripped over something weird in the airport in Dubai:

Before I board my flight, I should mention that I am seeing what looks like “man in the middle” behavior when it comes to SSL connections. Certificates appear to be coming from the access point and not from the server. I haven’t got time to definitively prove this, but if this is the case, this is not cool.

I didn’t seriously troubleshoot this until I got home from the trip. When I did, I discovered that it was the Avast anti-virus application that was the issue:

What Avast is doing is known as a “Man In The Middle Attack” where you get in the middle of a secure connection between two parties and intercept data. This is very similar to what the adware that Lenovo had on some of their computers was doing. That, my friends, is completely unacceptable. When you use SSL certificates, you are assuming that the connection is secure (or at least as secure as it can be) from those who would like to do something evil to you. So when a company like Avast does something as extremely stupid as this, they potentially expose their customers to all sorts of risks, which is ironic as you’re using a product like Avast Anti-Virus to protect you from risks. Not only that, one has to wonder what info Avast has access to by doing this. When I go online to bank, can they see my personal info, for example? I doubt they’re looking, but you really have to wonder.

I was so bothered by this that I stopped using Avast. That was back in late March. Yesterday, I was contacted by a representative of Avast. Here’s what they said:

Hi IT Nerd,
We apologize for alarming you during your travels, but we would like to explain our HTTPS scanning feature in order to clarify what Avast is doing, as it is not a MiTM scheme. 

As more and more online services are moving to HTTPS-by-default or even HTTPS-only, attacks are increasingly coming over HTTPS. That’s why it is imperative for security software to check this attack vector. To address this, our trusted Web Shield technology (and Mail Shield) scans HTTPS sites for malware and threats.

To detect malware and threats on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS traffic that otherwise could not be detected. 

If you do not want Avast to scan HTTPS traffic, you have the option of disabling the feature in the Avast settings: (-> Avast -> Settings -> Active Protection -> Web Shield -> uncheck “Enable HTTPS scanning”)

Avast whitelists websites if we learn that they don’t accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site. 

I hope this mitigates your anxiety, and that you will continue to trust and use Avast as protection on your Macs and that you will recommend Avast to your customers. 

Best regards,
Deborah Salmi
Global social media manager
Avast Software

While I appreciate the fact that someone from Avast reached out to me, I don’t agree that this is not a man in the middle scheme. Let me explain why. When you want to scan secure traffic such as HTTPS traffic from websites for viruses and the like, you have three ways to do it:

  1. You add a “hook” in the client SSL library so that you get the outgoing data right before it gets encrypted, and the incoming data just after it has been decrypted. A lot of anti-virus vendors go with this option, though it requires a lot more work. For example, Firefox ships its own TLS library (NSS) while Internet Explorer uses the Windows SChannel stack, so the anti-virus vendor has to write code that recognizes how each browser does SSL. Multiply that by the number of browsers, add the e-mail clients that are out there, and the amount of work goes up quickly. But many do it, and do it well. The upside is that the certificate chain the browser sees is the real one, so the browser still validates the real server for you.
  2. Secure traffic requires public and private keys for encryption to work. You have the former, the server has the latter. If you had both, you could scan all the traffic you want. But this is clearly not workable unless you control the server in question, because no third party server is going to give anyone its private key. (And even with the key, a connection negotiated with an ephemeral Diffie-Hellman key exchange, which is what forward secrecy means, cannot be passively decrypted.) Thus this option is usually off the table.
  3. You use a Man in The Middle scheme: for every HTTPS site the client visits, you generate a forged server certificate on the fly, signed by a certificate authority that you control and that has been installed in the client’s “trusted CA” store. This method is easy to implement and generally works, though it breaks client certificates: the browser’s TLS connection now ends at the scanner, so a client certificate the browser presents never reaches the real server, and the scanner cannot forward it because it does not hold the user’s private key. That takes away your ability to access some resources. The main reason I am not a fan of this method is that it creates potential security risks. An example of this is the adware that Lenovo had on some of their computers (Superfish), which shipped the same CA private key on every machine, so anyone who extracted that key could forge certificates for any site and those computers would trust them.

In short, Avast is using option number three and that’s not good. I say that because you have to trust that the way they implement option number three doesn’t ever open you up to some third party pwning you: once Avast’s root is in your trust store, the padlock in your browser only tells you that the connection to Avast’s scanner is fine, and whether Avast properly validated the real server’s certificate is invisible to you. You also have to trust that Avast themselves aren’t doing anything nefarious. I’m pretty sure that they’re not, but I am not 100% sure. Admittedly, that’s likely a side effect of the things that people like Edward Snowden have reported. The fact that you can turn it off if you don’t like it is not a solution either. Avast is correct when they say that more and more of your online world is moving towards secure traffic and you have to protect yourself from threats that use secure traffic. But the way they do it isn’t how it should be done. I would encourage Avast to abandon this method and move to something far more secure, such as the “hook” method that I described earlier. That would encourage me to use an Avast product again.

In case you were wondering if Avast are the only ones guilty of using a man in the middle scheme, they’re not. ESET’s NOD32, based on my Google searches, does something very similar. There are likely others that do this as well. If you want to know which method your anti-virus application uses, connect to several HTTPS sites, click the padlock in your browser to view the certificate, and have a look at each site’s certificate chain, which is what I did when I was looking at this back in March. If all the chains go back to a single certificate authority that you don’t recognize, or, in the case of Avast, one that says it’s from the “Avast Trusted CA”, then that’s the man in the middle method. If the chains go back to various existing root CAs that you recognize, then that’s the “hook” method (or no HTTPS scanning at all; the chain alone can’t tell you which). Check more than one site: Avast says above that it whitelists sites that don’t accept its certificate, so a banking site might show its real chain while everything else is intercepted. Remember, the “hook” method is good. The Man In The Middle method is bad. And any anti-virus vendor that uses the latter should be avoided.

2 Responses to “Avast Responds To My Post About Their Anti-Virus Product”

  1. Kaspersky, BitDefender and Symantec all do this too.

  2. […] these were the guys who were doing a man in the middle attack with their Mac antivirus app in the interests of protecting you. Thus they have a bit of a track record in terms of not being trusted. My advice is to avoid […]
