Avast can track customers just like Lenovo. Do users know this?

You must have noticed the affair involving the computer manufacturer Lenovo and the Superfish program, which read confidential user data using its own certificate. The news spread all over the internet. Lenovo commented that it has already ended the project. But are the risks gone? Now another problem has been discovered, this time with Avast, which also uses its own certificates instead of the server's certificate, and it is even worse.

You can find an article about the Superfish case, for example, on Lupa. It discusses a laptop manufacturer's program performing an active man-in-the-middle (MITM) attack on users with its own (spoofed) SSL certificates. In a MITM attack, the user is presented with a forged certificate and unknowingly communicates with the attacker rather than with the server. The communication is not private, and the server's genuine SSL certificate is not used.

Lenovo has already been mentioned. What about Avast?

Avast uses the same principle. In Avast's case, the user installs and uses the "Web Shield" voluntarily, although the feature is certainly presented as essential. After all, it is part of the security software that is supposed to protect us in the first place. However, it wants to protect us so thoroughly that it does not trust standard SSL certificates: the program installs the manufacturer's root certificate among the root certificates of the user's system and uses it to "issue" its own working certificates. It then substitutes these for the server certificates.


How do you recognize the modification in the browser?
Open any page that normally shows a green address bar while Avast Web Shield is active, for example your bank's internet banking or, for a quick check, an ordinary site such as SSLmarket.cz. Instead of the prestigious Symantec Secure Site EV certificate, a fake Avast certificate is presented. It is of course not an EV certificate, but it is issued for the same domain and is trusted (thanks to the Avast root in the certificate store).
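The same check done outside the browser, as an added example that is not part of the original article: compare the certificate this machine receives with the issuer and fingerprint the site is known to serve (recorded from a connection that is not inspected). The sample certificates, the `Symantec Corporation` organization string and all function names are constructed assumptions.

```python
import hashlib
import socket
import ssl

def rdn_map(name):
    """Flatten the nested RDN tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def fetch(host, port=443, timeout=5):
    """Return (parsed certificate, SHA-256 of its DER form) as this machine sees it."""
    ctx = ssl.create_default_context()  # trusts the system store, local roots included
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()

def check_interception(cert, fingerprint, expected_issuer_org, reference_fp=None):
    """List the differences between the observed certificate and the expected one."""
    issuer = rdn_map(cert.get("issuer", ()))
    subject = rdn_map(cert.get("subject", ()))
    findings = []
    seen_org = issuer.get("organizationName") or issuer.get("commonName")
    if seen_org != expected_issuer_org:
        findings.append(f"issuer is {seen_org!r}, expected {expected_issuer_org!r}")
    # Heuristic: EV subjects carry businessCategory and serialNumber.
    if not {"businessCategory", "serialNumber"} <= subject.keys():
        findings.append("subject lacks EV identity fields")
    if reference_fp and fingerprint.lower() != reference_fp.lower():
        findings.append("fingerprint differs from the out-of-band reference")
    return findings

# Constructed samples in getpeercert() layout; all names are placeholders
# except the domain and the Symantec organization taken from the article.
INTERCEPTED = {
    "subject": ((("commonName", "www.sslmarket.cz"),),),
    "issuer": ((("organizationName", "Example AV Vendor"),),
               (("commonName", "Example Web Shield Root"),)),
}
GENUINE = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("serialNumber", "00000000"),),
                (("organizationName", "Example Operator"),),
                (("commonName", "www.sslmarket.cz"),)),
    "issuer": ((("organizationName", "Symantec Corporation"),),
               (("commonName", "Example EV CA"),)),
}

if __name__ == "__main__":
    print(check_interception(INTERCEPTED, "aa" * 32, "Symantec Corporation", "bb" * 32))
    print(check_interception(GENUINE, "bb" * 32, "Symantec Corporation", "bb" * 32))
```

For a live check, pass the two values returned by `fetch(host)` into `check_interception` together with a reference fingerprint recorded from another network.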

The possibility of monitoring even when paying online by card
The biggest difference is that you are not communicating directly with the server, and certainly not under Symantec's most trusted EV certificate. This gives Avast the ability to read your encrypted communication before the data is sent on to the server, even during activities where you really do not want it to, for example when paying online with a debit card.

The EV certificate must be eliminated by Avast

The certification authority issues an EV certificate only after thorough verification, and it is not possible to make your own EV certificate. Fortunately, the authorities that issue them are "hard-coded" in the browsers. Avast solves this problem by eliminating the EV certificate completely. It is not interested in the green bar, nor in Certificate Transparency; it simply does not allow users to use this additional HTTPS security.g to HTTPS. We can hardly ignore.
