This week, we publish a copi article that inform about the possible monitoring of Avast antivirus users even through encrypt communication. We have now manag to secure an official statement from Avast regarding the issue. You can find the previous article here . Fortunately, Avast confirm to us that it uses a whitelist of services it considers safe. These include, for example, most banking institutions. But is it appropriate for any third party to try to read encrypt communications? Read Avast’s full statement and the follow-up comment by the author of the original post.
Avast’s official statement
We consider the article to be misleading. It is possible to accept questions from an ignorant user about how HTTPS scanning differs from the Lenovo Superfish case, but to hear this parallel from a security expert without further explanation is deliberate manipulation or ignorance.
First of all, we would like to point out that as far as the distribution of viruses is concern, it is necessary to monitor the HTTPS channel, as we register an average of 26,660 infect unique URLs every day.
The main problem with Lenovo Superfish is that Lenovo computers that have it have the same certificate install on them all, which can be easily abus. It is possible for an attacker to create a page that looks like something trustworthy, e.g. Gmail.com, while placing dangerous content on it – e.g. viruses. If there was no antivirus that also scans HTTPS communication, it would be impossible to stop such viruses. This problem persists whether superfish is running or not, it is caus by a certificate that is widely known and easily exploit being install on the system.
The second problem with Superfish and the like is that when verifying a connection via HTTPS it does (apparently) no verification of the certificates us. So, if it is running, spoofing pages under any name is simple again, the attacker does not even have to try to use special certificates – Lenovo Superfish will allow access to any encrypt page without authentication. It is tempting again especially because the communication is also encrypt in this case and therefore escapes many detection routines.
Both of these problems do not exist at all in the case of Avast.
Avast actually provides a service in Web Shield to scan HTTPS sites.
HTTPS scanning – Ability to detect
Decrypt TLS/SSL protect traffic in the Web-content filtering component. This feature will protect you against viruses coming through HTTPs traffic as well as adding compatibility for SPDY+HTTPS/ HTTP 2.0 traffic. You can tune/disable this feature in the settings section.
It’s a valuable service because it adds protection even against malware that would otherwise hide under SSL/TLS encryption. As the author of the article surely knows, any domain owner can easily get an SSL/TLS certificate for their domain, for free. Why he didn’t mention it is a question, it will probably be relat swen phone number data to the fact that he is employ by a company that provides SSL certificates to websites, but not for free.
In general, we can say that we are in this type of ad observing a significant shift of all websites from unencrypt communication via HTTP to encrypt HTTPS. Large companies such as Google, Facebook, etc. are the first to switch, but all smaller websites are also with them. It is no longer the case that only sensitive websites such as banks use HTTPS. And so the problem that has always exist, of a legitimate bw lists site being infect and hosting virus code on its site without the knowlge of its operator.