Why is 'avast! Web/Mail Shield Root' listed as CA for google.com?
I just noticed something weird in my browser: the certificate for
www.google.comhas been issued by
avast! Web/Mail Shield Root. Should I be worried? I am using avast! Antivirus so it's probably a built-in feature, but I don't know why this is happening and what the benefits/risks are.
The whole goal of HTTPS is to prevent eavesdropping so that anyone monitoring your web traffic can't see what you're sending. As useful as it is, HTTPS presents a bit of a problem to antivirus software because when you visit sites over an encrypted connection, your antivirus software cannot see what sites you're visiting or what files you're downloading, at least until the download finishes. This presents a risk because if you download a virus, the antivirus software won't know about it until the download is finished and the virus is already saved to your hard drive, allowing criminals to bypass the "live defense" features of AV by simply hosting the malware on an HTTPS site.
The solution that many antivirus programs use is to install its own SSL certificate as a root certificate so that it can essentially man-in-the-middle all HTTPS traffic to scan for malware. I'm guessing this is what avast! is doing.
Whether this behavior presents additional security issues is debatable but I don't think it's something you need to be deeply concerned about - after all, your own antivirus software is doing the man-in-the-middling, not a malicious party. If it worries, you, you can disable this behavior - go to Settings>Active Protection>Web Shield>click on "customize" and tick the box next to "Disable HTTPS scanning." If you do this, avast! won't be able to proactively block malware on HTTPS sites.
If the AV is doing this for all HTTPS connections, regardless of certificate validity, then you definitely do have a problem. As long as *everything* is running through the SSL proxy, and the SSL proxy is trusted by the browser, you have no way of knowing when a site's certificate should really be trusted or not.
@iszi After installing avast myself I found that indeed this is the case, so it may definitely be safer to disable HTTPS scanning until avast fixes this.
Is a unique key for the trusted CA Certificate installed on each system? If not, there's a security issue.
@Shadur while it appears to do something similar to superfish, it is implemented in a manner that is MUCH more secure, mitigating most of the security risks. See my answer here: https://security.stackexchange.com/questions/82285/are-the-certificates-from-skype-click-to-call-and-avast-web-mail-shield-any/82306?noredirect=1#comment136075_82306
FWIW - You can exclude specific URLs from the Avast webshield (via Settings), in case you'd like to turn off HTTPS scanning on specific trusted sites. *(I suppose this would have made more sense as a comment to the accepted answer, but I can't comment yet)*
Note that disabling it does not remove the installed certificate. In order to be truly safe *you need to manually remove the certificate from the root store*.
From https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/ " Avast’s trusted Web Shield technology scans HTTPS sites for malware and threats... The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection... We want to emphasize that no one else has the same unique key that you have from the installation generated certificate. This certificate never leaves the computer and is never transmitted over the internet."
(Need 3 more rep points to add an answer, sorry for the split reply) "As more and more online services are moving to HTTPS, attacks are increasing. An encrypted connection ensures that the connection cannot be modified by anyone else, but it does not guarantee that the actual content being downloaded is safe. Just as with plain HTTP, if a legitimate website is hacked, malware scripts and binaries can be placed into the HTTPS page that appears to be safe. That’s why it is imperative for security software to check this attack vector."
This answer should be updated to note that in 2020, Avast was caught using this technique to collect user browsing data from users of their antivirus software and sell it to third parties. (Source) So, if you care about your privacy you should not allow an untrustworthy company like Avast to perform SSL interception.