Re: Avast Free Antivirus - HTTPS scanning causes errors


s|b wrote:

[quoted text not shown]

HTTPS scanning is way too slow in Avast.  They perform the MITM attack
by installing a root certificate in your local certificate store (in
Windows, run certmgr.msc to see the Avast cert got installed).  They
then have to intercept client's HTTPS connect to their local transparent
proxy.  You'll notice the web browser will report Avast's cert, not the
site's cert, for the SSL/TLS connection.  The traffic from the server
gets decrypted before passing it on to your client (web browser).  This
lets Avast do the same content interrogation that it can for HTTP
(non-secure) connects.  Then it has to encrypt the traffic before
sending it on to your client.  All that takes time and Avast is too slow
for all of this.  If you didn't notice it, web surfing gets a l-o-t
slower when Avast's HTTPS scanning is enabled.  That's because more and
more sites have gone to HTTPS for connecting to them.  Even if you
specify HTTP, often a site will redirect to their HTTPS page.  

As more sites adopt secure connects, and with Avast's HTTPS scanning
enabled, your web experience will slow down.  I eventually had to
disable the HTTPS scanning so I did not have to keep waiting for the
pages to load.  Avast needs to change how they intercept the traffic.
For one, any off-domain content (ads, scripts, libs) should be checked
in parallel, not when your client decides it has to do those retrieves.
That means inspecting the web page (once decrypted) for off-domain
resources to then go get them.  However, that also means parallel
retrieve of ads so the type of content should be configurable.  Until
Avast severely speeds up their HTTPS content interrogation process, it
is way too slow.  You might start to think your ISP halved your
bandwidth or something you installed or configured screwed up your
network traffic to slow it down.  Nope, it's just the HTTPS scanning
"feature" in Avast which is too slow and incurs delays in delivery.  The
more resources a page has, the slower Avast will be to deliver the HTTPS
page.  

In fact, Avast's HTTP (non-secure) interrogation also slows delivery of
the page but they've had years to improve that inspection.  When it
first showed, I had to disable it so page loads were speedy again.  It
took over a year before I enabled it, tested, and any delay was tolerable
for the added security.  Security and speed are the antithesis of each
other: you can't have more security without a penalty in speed.  Avast
just needs to work on their MITM method of interrogating HTTPS traffic
to speed it up, and that'll be a while.

I don't know if it is Avast trying to change the proxy settings in IE or
if some nasty site using JavaScript is doing it.  I've done some
searching on JavaScript to see if it can change the proxy settings in
IE.  While JavaScript can change to a different proxy for an existing
session with a site, I haven't found information that JavaScript can
permanently change the proxy settings in IE.  So I suspect it is IE.
The proxy will get changed to 127.0.0.1 (no port assigned).  Without the
port, the web browser doesn't know where to connect locally.  A process
listens on a port for a connect request.  The result is that I get
errors in IE about not being able to access a page or find a site.  This
happened often enough that I defined a shortcut (put in a toolbar in the
Windows taskbar) that runs:

C:\Windows\regedit.exe /s C:\Batch\InternetSettings\NoProxy.reg

The .reg file has the settings saved for when IE did *not* have a proxy
defined.  The IE settings are in the registry.  Basically I step atop
whatever settings are in the registry for IE's proxy setting to force
them to define "no proxy" for IE.  The .reg file contains:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000

I got into the habit of clicking on my "No Proxy" shortcut after a long
web surfing session, or anytime I got the error in IE about it could not
find the page or site (whereupon IE worked just fine after that).
Interestingly, after disabling HTTPS scanning in Avast I
haven't had to click my "No Proxy" shortcut for quite a while.  Could be
coincidence, could be consequential, to the HTTPS scanning option.

By the way, if you get into the local certificate manager (certmgr.msc)
and do not find Avast's root certificate then that is the cause of the
"authenticity" error.  For HTTPS scanning to work requires a MITM (Man
In The Middle) attack where your client actually connects to Avast's
local proxy and establishes an SSL/TLS session to that proxy using
Avast's cert.  Avast then pretends to be the client to connect to the
server.  MITM attacks are always possible when a cert gets saved in your
local cert store.  In fact, some companies do the same MITM attack by
setting up their sysprep image for their workstations to have the
company's root cert in the certificate store.  They can get tricky by
using login scripts to push their cert into your local cert store.  They
want the ability to interrogate all traffic moving across THEIR network
which is, after all, THEIR property and they probably had you sign some
form that granted them the right to monitor all traffic across THEIR
network.  Since you're supposed to be working for them when you are at
work and are using their resources, they want to ensure everything you
transmit or receive is related to your job for which they are paying
you.  So run certmgr.msc to see if Avast's cert was added.  

- Run certmgr.msc.
- Go to the "Certificates - Current User -> Trusted Root Certificates ->  
  Certificates" tree node in the left pane.
- Look for the cert titled "avast! Web/Mail Shield Root".

The cert gets added when you install Avast, not when you later decide to
use or not use their HTTPS feature.  I have seen Avast installs that
were missing the Avast cert.  Did not see enough such scenarios to know
if the user had some other security software that blocked adding new
certs unless permitted by the user via prompt or policy.  Maybe the user
deleted the cert.  I don't remember if there was an easy fix for a
missing Avast cert (if you still want to use HTTPS scanning).  Only
remember having to uninstall Avast, probably do some remnant registry
and file/folder cleanup, and reinstall Avast to get it to add its cert
during its installation.  Having the cert does not mandate that you must
use Avast's HTTP scanning feature.  As I recall, uninstalling Avast will
NOT have it remove its cert, so you have to do the remnant cleanup.
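
A read-only PowerShell check for the two conditions described in the post above (the Avast root certificate in the trusted-root store, and an IE proxy set to an address with no port). This is an added example, not part of the original post; the `ProxyServer` value name and the extra look at the LocalMachine store are not mentioned in the post.

```powershell
# Added diagnostic, not from the original post. Read-only: it changes nothing.
# Certificate name as quoted in the post.
$certName = 'avast! Web/Mail Shield Root'

# 1. Look for the root certificate in the trusted-root stores.
#    The post checks Current User; LocalMachine is included here as an extra.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$certName*" } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

# 2. Read the per-user proxy settings that the post's .reg file resets.
#    ProxyServer is the sibling value that holds the proxy address
#    (assumption relative to the post, which only shows ProxyEnable).
$key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $key
$enabled = [bool]$inet.ProxyEnable
$server  = [string]$inet.ProxyServer

# 3. Collect proxy entries that carry no port, the failure mode in the post.
#    ProxyServer may be "host:port" or "http=host:port;https=host:port".
$noPort = @($server -split ';' | Where-Object { $_ } | ForEach-Object {
    $hostPart = ($_ -split '=')[-1]      # drop an optional "scheme=" prefix
    if ($hostPart -notmatch ':\d+$') { $hostPart }
})

# Report what was found.
if ($found) {
    $found | Format-List
} else {
    "No '$certName' certificate found in the trusted root stores."
}
"ProxyEnable = $([int]$enabled)   ProxyServer = '$server'"
if ($enabled -and $noPort.Count -gt 0) {
    "Proxy is enabled but these entries have no port: $($noPort -join ', ')"
}
```

Running it right after a "page can't be displayed" error shows whether the proxy setting had changed at that moment, before the "No Proxy" shortcut overwrites it.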

Re: Avast Free Antivirus - HTTPS scanning causes errors

On Sun, 28 Jun 2015 15:30:42 -0500, VanguardLH wrote:

[quoted text not shown]

I can't say I've noticed this. Maybe it's because I'm running W7 HP x64
SP1 on an SSD, I don't know? I have a cable connection, 30Mbps d/l; 3Mbps
u/l, does that make much difference?

[quoted text not shown]

Haven't noticed this and I have the HTTPS Everywhere add-on installed in
Fx. Which site(s) and which browser(s) did you use to make a comparison?

[quoted text not shown]

Nope.


What I said. ;-)

[quoted text not shown]

I unchecked Enable HTTPS scanning and then did an image search with
Startpage.com. I've set it up so 100 results are loaded; that's a *lot*
of thumbnails. But I really can't see a significant difference in speed.

[quoted text not shown]

Not here. I have IE 11.x installed, but I rarely use it.

[quoted text not shown]

Probably.


Doesn't happen here.

[quoted text not shown]


It's there alright. Says something about 'Server Authentication <none>'.

--  
s|b

Re: Avast Free Antivirus - HTTPS scanning causes errors

s|b wrote:

[quoted text not shown]

The [part of the] program doing work doesn't run off of storage media.
It is loaded in system memory and runs from there.  CPU and memory
speeds are more relevant.  I have 50 Mbps downstream.

[quoted text not shown]

That add-on has NOTHING to do with encryption.  That only tries to
connect to an HTTPS version of a web page *if* available.

[quoted text not shown]

You are lucky.  Read their forums.  I'm not alone.

[quoted text not shown]

How often do you check if IE is using a proxy or not?  Did you check
immediately after you got the "page can't be displayed" error in IE?

[quoted text not shown]

Then the problem with non-connectivity is Avast's transparent HTTPS
proxy went unresponsive.  When proxies go dead, usually you have to kill
the process and reload it (which may require more than one process kill
and then loading them in the correct order).  Typically the cure is to
shut down Windows and reboot.

Re: Avast Free Antivirus - HTTPS scanning causes errors

On Mon, 29 Jun 2015 11:11:12 -0500, VanguardLH wrote:

[quoted text not shown]

CPU: AMD A8-3870K Black Edition Quad-Core APU
RAM: 8 GiB DDR3 (2x4GiB; dual channel)
  
[quoted text not shown]

So I probably encounter /more/ HTTPS websites than someone who doesn't
have the add-on installed. (My point being.)

[quoted text not shown]

I hardly use IE. I'm not going to check its settings every time I open a
web page with it. You mean the proxy settings are changed and then
changed back again?
  
[quoted text not shown]

I added https://startpage.com * (and several other addresses) to the
exclusions and everything runs fine now.

--  
s|b
