Avast Anti-Virus For Mac Uses “Man In The Middle” Scheme To “Protect” You… Yikes! [UPDATED]


When I was traveling to India and Australia, I started to notice that every time I started Apple Mail, I would get this popup:

Avast 1

What it was telling me was that because I was using SSL, it could not verify the identity of my e-mail server and something else might be pretending to be my e-mail server. That was a concern, and because I first saw this in the Dubai Airport, I thought it was their WiFi that was doing this.

Boy, was I wrong on that front.

I really didn’t have time to pursue it then, but since I’ve got back to Canada, I’ve looked into this and discovered a very troubling cause. When you click on “Show Certificate” you get this:

Avast 2

If you look at the red rectangle, the certificate is issued by “Avast untrusted CA”. Now I run my own mail server and I buy certificates from Verisign. So the only explanation for this is that Avast Anti-Virus For Mac is replacing my certificates with its own. What’s worse is that it expired around the time I left for my trip, which is why I was getting the popups in the first place. If that hadn’t happened, I would not have noticed. I confirmed that this was the case by disabling their “Mail Shield” feature as pictured below:

Avast 3

The second I did that, the problem went away and I confirmed that the certificates I purchased were in use. I continued to dig and discovered that Avast is doing the same thing with its “Web Shield”. When I go to Google.ca and check the certificate, I get this:

Avast 4

It uses an “Avast trusted CA” certificate. Disabling the “Web Shield” allows the browser to use whatever certificate the website provides.
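The manual check above (reading the issuer under “Show Certificate”) can be scripted. This is an added example, not part of the original post: the expected issuer name "Example CA", the sample certificates and their dates are constructed, and only the “Avast untrusted CA” issuer string comes from the post.

```python
import socket
import ssl
import time

def issuer_field(cert, field):
    """Pull one field (e.g. 'commonName') from a getpeercert() issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None

def assess(cert, expected_issuer, now=None):
    """Compare a getpeercert() dict with the issuer the server operator expects."""
    now = time.time() if now is None else now
    findings = []
    names = {issuer_field(cert, "organizationName"), issuer_field(cert, "commonName")}
    names.discard(None)
    if not any(expected_issuer.lower() in n.lower() for n in names):
        findings.append("unexpected issuer: " + ", ".join(sorted(names)))
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        findings.append("certificate expired: " + cert["notAfter"])
    return findings

def check_host(host, port, expected_issuer, timeout=5):
    """Live check over implicit TLS. A verification failure is itself a finding."""
    ctx = ssl.create_default_context()  # trust store depends on the Python build
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return assess(tls.getpeercert(), expected_issuer)
    except ssl.SSLCertVerificationError as exc:
        return ["verification failed: " + exc.verify_message]

# Constructed samples in getpeercert() format (dates and "Example CA" are made up).
INTERCEPTED = {
    "issuer": ((("commonName", "Avast untrusted CA"),),),
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
EXPECTED = {
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA G1"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
NOW = ssl.cert_time_to_seconds("Mar 21 12:00:00 2015 GMT")  # fixed clock for the samples

if __name__ == "__main__":
    print(assess(INTERCEPTED, "Example CA", now=NOW))
    print(assess(EXPECTED, "Example CA", now=NOW))
```

Running `check_host` with a shield enabled and again with it disabled shows whether the issuer changes, which is the same comparison made by hand in the post.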

What Avast is doing is known as a “Man In The Middle Attack” where you get in the middle of a secure connection between two parties and intercept data. This is very similar to what the adware that Lenovo had on some of their computers was doing. That, my friends, is completely unacceptable. When you use SSL certificates, you are assuming that the connection is secure (or at least as secure as it can be) from those who would like to do something evil to you. So when a company like Avast does something as extremely stupid as this, they potentially expose their customers to all sorts of risks, which is ironic as you’re using a product like Avast Anti-Virus to protect you from risks. Not only that, one has to wonder what info Avast has access to by doing this. When I go online to bank, can they see my personal info, for example? I doubt they’re looking, but you really have to wonder.

Now my guess is that Avast is using this “Man In The Middle” scheme to intercept any sort of bad stuff that might hit your system. Thus they have good intentions, but it’s still pretty stupid and deserves to be called out because you have to hope that Avast is going to be trustworthy. Even if they are, some evildoer can leverage what Avast has done to cause all sorts of havoc on your system.

My friends, it’s not worth the risk.

As of last night, I no longer have Avast on any of my Macs. Nor am I recommending it to any of my customers. Plus I will be updating my review on this product to link to this story. Avast really dropped the ball here and they need to change the way they protect users if they wish to stay in business. Because creating an environment where you or some evildoer can snoop on users is not a good business model.

UPDATE: Avast responded to me. Click here to see what they said.

This entry was posted on March 21, 2015 at 10:36 am and is filed under Commentary.