Is Your Anti-Virus Spying On You?

I remember a time when anti-virus software was something that you installed on your computer to protect your privacy, as well as keep out all the nasties. However, times have changed. Now we all live in glass houses (although at least mine has vinyl siding). In our post-modern world, where “what’s right for you is right for you, and what’s right for me is right for me” (a most illogical statement if I ever heard one), it would appear some companies think privacy invasion is a necessary evil to “get the job done.” In this case, I’m talking about computer security vendors.

I’ve used avast! Anti-Virus (the free version) for quite some time now, and recommend it to everyone I know as a good, free solution to prevent malware infections. It’s a great product, and I’m not alone in thinking that as more than 230 million other people use it worldwide. However, recently I stumbled upon something that gave me pause.

You don’t mind if we hijack that SSL cert, do you?

A couple of months ago I made the decision to switch to HTTPS for my website in order to encrypt all traffic, and purchased/installed an SSL certificate. While testing things out I decided to poke around a little and clicked the nice green “lock” icon next to the “https://” in Google Chrome’s address bar. Up popped the SSL certificate information just like I expected, but wait… I had to do a double-take, something wasn’t right.

20150629b

Why was avast! showing up as the company that was verifying my SSL certificate. I bought my certificate from Comodo, not avast! So I clicked the “Certificate information” link and sure enough, there they were again…

20150629c

At this point I started thinking, ‘Perhaps avast! owns Comodo. Was there an acquisition I didn’t hear about in the news?’ But then I tried visiting some other websites, including my bank website, and every time I checked avast! was still the certificate issuer. What’s going on here? Has avast! gotten into the SSL certificate business and managed to kill the competition overnight? Not likely.

Give me back my certs!!

I decided to shutdown all avast! processes on my computer. Now when I checked my website everything looked normal…

20150629a

 

Reality set in – avast! didn’t conquer the world of SSL certs while I was sleeping, they just hijacked my computer in order to sniff all HTTPS traffic on it for the purposes of malware detection. Well, sorry, I’m not OK with that.

How to Disable It

  1. Open avast! then click on Settings on the bottom-left
  2. Now click Active Protection (2nd option on the top-left)
  3. Click Customize next to Web Shield
  4. Under Main settings, uncheck Enable HTTPS scanning and then click OK

20150629d

 

Why I’m Not OK with HTTPS Scanning (aka “HTTPS packet sniffing”)

In short: Privacy is important. There’s a reason we wear clothes (well, most of us), have blinds on our windows, and feel just a little ticked off when the NSA and other similar organizations spy on us – because privacy matters. It matters even to those who claim “they have nothing to hide.” It matters because personal boundaries matter. And sometimes we may not want to share a private moment with everyone on earth (unless, of course, you are one of those people who documents every waking moment of their life on Facebook).

I’m not OK with avast! having full access to every banking transaction I do online, along with every other “secure” website I visit.

But, to be fair, I get why they did it. More and more websites are switching to HTTPS. So how is avast! (and I’m sure they’re not the only AV company doing this) going to protect you still? Well, they decided to take the easiest road and sniff your secure traffic. However, that completely undermines the point of HTTPS in my opinion. This is basically a man-in-the-middle attack. If I want to communicate directly & securely with a website, I don’t want a 3rd-party listening in, no matter how “trustworthy” they may be. Sorry, but you’re not invited to this conversation.

To their credit, avast! has a FAQ page dedicated to explaining all the details about HTTPS scanning. What concerns me most though, is that this option is on by default. And I didn’t notice anything during the installation process that highlights this fact or points out how this can affect your privacy. But, maybe I just missed the fine print.

So is your Anti-Virus Spying on you?

According to avast! they don’t transfer any of your HTTPS traffic data back to their servers. So, technically, the answer is no. But the fact that this undermines HTTPS is very concerning. And if one company can intercept ALL of your HTTPS traffic, that’s a backdoor that someone may eventually exploit. My personal choice is to disable it, and hope that AV vendors realize this is not the best way to protect us. There are other methods available, they might just not be as easy.

« »

© 2018 Michael Maw. All rights reserved.