

February 24th, 2015 at 12:47 PM EST, modified

The security community is ablaze with news of Superfish being pre-installed on some Lenovo computers. The primary issue concerning experts is that Superfish replaced SSL certificates, used for ensuring secure connections on the internet, with its own certificates. It turns out that the same behavior is being exhibited by software that many people are inclined to trust: Avast’s anti-virus software!

Replacing SSL certificates is a significant security issue. The lock icon shown by browsers when the user is connecting to an “HTTPS” site is an indication that the connection is being secured, using a form of encryption that relies on an SSL “certificate” issued by a trusted certificate authority. So, when you connect to your bank’s website, for example, a certificate is used to encrypt all data sent between your browser and the bank site. This protects you from snoops, who cannot see any potentially sensitive data being transmitted.

What Superfish has done is replace these certificates with one of its own, which gives the software the ability to intercept any data being sent to or from such a secure site. This is what security experts call a “man-in-the-middle attack,” meaning something or someone that interjects itself between two parties attempting to have secured communications. It should be immediately obvious that this is a Very Bad Thing.

Surely this kind of thing could only be done by unethical hackers, right? I mean, Superfish is essentially adware, and in my opinion has now crossed the line into malware territory. So we shouldn’t be surprised at its misbehavior. No legitimate software would ever behave this way, would it?

Don’t be too sure.

I received an e-mail from a reader yesterday asking why he was getting an error in Chrome complaining that his connection to Google was not private. The error message pointed the finger at a certificate issued by a certificate authority named “Avast untrusted CA.” Some testing this morning showed that Avast is replacing Google’s certificate with one of their own. On my test system, though, the Avast certificate was trusted. (I’m guessing the certificate on the affected reader’s system was outdated, and had not been properly updated for some reason.)

As can be seen from the screenshot, the certificate claims to be for Google, but was not issued by the authority that Google actually uses (GeoTrust Global). This means that Avast has complete control over the connection between the browser and Google, and has the power to intercept – or even modify – any data being transmitted.

Okay, who cares, right? I mean, sure, there are some potential privacy issues involved there, but in reality, most people don’t care much if someone’s monitoring their searches. Those who do are probably using a search engine like DuckDuckGo, rather than Google, anyway.

Unfortunately, this issue isn’t limited to Google. Suppose, for example, that you go to the Bank of America site to transfer some funds or pay a bill. As with Google, and as would happen with any other secure site, it turns out their certificate gets replaced with the Avast certificate. I doubt anyone needs me to lecture them on the potential security issues involved in having a third party watching their banking transactions without permission!

This is an extremely serious issue, but surprisingly, it apparently isn’t new! Searching the web for “Avast untrusted CA” or “Avast trusted CA” shows that people have been aware of this on a small scale for some time. On Avast’s own forums, questions about this are treated as bugs – not because of the potential security issues involved, but because of whatever has caused the user in each case to become aware of the problem, such as the error message that brought this matter to my attention.

It’s unlikely that Avast is using the power to snoop on your communications for malicious purposes. I imagine that they are using this power to monitor secured communications for possible malware. For example, Avast is probably intercepting e-mail being transmitted securely between your mail server and your e-mail client so that it can be scanned for attached malware. Avast has essentially chosen to hijack your web browser’s security without your permission, inserting itself as a silent watcher into all your secure communications. Should you trust Avast with this kind of access to your private information?
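The check the post performs by eye (the certificate presented for Google names an issuer other than Google’s real CA) can be automated. The following is an added example, not code from the original post or from Avast: it fetches the leaf certificate a client actually receives and flags issuers that do not match what the site is expected to use. The expected issuer organization, the name markers, and the two sample certificates are constructed for illustration.

```python
import socket
import ssl

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with TLS and return the leaf certificate as parsed by ssl.
    Verification stays enabled: a locally trusted interception root (the
    'trusted' case in the post) will not raise here, which is exactly why
    the issuer has to be inspected explicitly afterwards."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_to_dict(name) -> dict:
    # getpeercert() encodes X.509 names as a tuple of RDNs, each a tuple of (key, value)
    return {key: value for rdn in name for key, value in rdn}

def interception_indicators(cert: dict, expected_issuer_orgs: set) -> list:
    """Return reasons the certificate looks like a local interception (MITM)
    certificate rather than one issued by the site's real CA."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    subject = _name_to_dict(cert.get("subject", ()))
    org = issuer.get("organizationName", "")
    cn = issuer.get("commonName", "")
    findings = []
    if org not in expected_issuer_orgs:
        findings.append(f"issuer organization {org!r} is not an expected CA for this site")
    # Security products and filtering proxies usually name their CA after themselves
    # (markers are illustrative; extend them for the products in your environment).
    if any(marker in cn.lower() for marker in ("untrusted", "proxy", "filter", "antivirus")):
        findings.append(f"issuer CN {cn!r} looks like a locally installed interception CA")
    if issuer == subject:
        findings.append("certificate is self-signed, which no public CA would issue for a site")
    return findings

# Constructed samples in the shape getpeercert() returns; values are illustrative,
# not captured from any real server.
GENUINE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "GeoTrust Inc."),),
               (("commonName", "GeoTrust Global CA"),)),
}
INTERCEPTED = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Avast"),),
               (("commonName", "Avast untrusted CA"),)),
}

if __name__ == "__main__":
    # Live use (network required): interception_indicators(fetch_peer_cert("www.google.com"), {"GeoTrust Inc."})
    for label, cert in (("genuine", GENUINE), ("intercepted", INTERCEPTED)):
        print(label, interception_indicators(cert, {"GeoTrust Inc."}))
```

Run the same function against `fetch_peer_cert()` from a machine with the product installed and from one without it; the two issuers differing for the same host is the interception signal.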
