Avast's HTTPS scanner receives A rating

Lukáš Rypáček 14 Feb 2017

Researchers have identified Avast as the only antivirus product that does not degrade the client’s security when scanning HTTPS traffic.

Websites using HTTPS can increase privacy, as the connection between the browser and the website’s server is encrypted. This means that the browser and the web server are the only points that see your browsing activity and the data you enter. Today, anyone who owns a URL can obtain a TLS/SSL certificate, needed to encrypt the web traffic, and create an HTTPS website. This, of course, includes cybercriminals. Because of this, back in 2014, Avast introduced a way to scan HTTPS URLs for malicious activity in order to protect our users from being infected via malware transmitted over HTTPS sites.

A group of scientists from the University of Michigan, University of Illinois Urbana-Champaign, University of California Berkeley, International Computer Science Institute, as well as from Mozilla, Cloudflare, and Google, have published a report that reveals that HTTPS scanning can cause new security issues. The results show that the only antivirus program that did not degrade client security was Avast Antivirus. Our HTTPS scanner for Windows was rated with an A, the best possible grade. The Avast HTTPS scanner is available in all our free and premium versions of Avast Antivirus, and is now also used by all our AVG versions for Windows.

More than half of all website visits run on HTTPS

About 52% of web traffic runs on HTTPS, and Avast detects and blocks an average of 42,000 infected unique HTTPS URLs every day. In January, Avast prevented about 3.5 million users from downloading malware or accessing malware distribution sites using HTTPS, making our interception of HTTPS traffic essential for our users’ security.

However, HTTPS scanning requires complex technology and effort to keep the web connection encrypted at the same level as it was before the interception. Unfortunately, according to the research, for the most part, security companies don’t meet this standard; the researchers wrote in their paper: “97% of Firefox, 32% of e-commerce, and 54% of Cloudflare connections that were intercepted became less secure.”

They also found that the products, which function as proxies, often not only used weaker cryptographic algorithms, but that between 10 and 40% of the products used ciphers that were known to have been broken previously, and “would allow an active man-in-the-middle attacker to later intercept, downgrade, and decrypt the connection.”
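
An added example, not from this post or from the researchers' paper: a small Python check for the kind of degradation described above, comparing the cipher suites a browser offers with those an interception proxy offers in its place. The suite lists are constructed samples, and the three tiers are a simplification assumed here, not the paper's grading scheme.

```python
# Added example: suite lists are constructed; the tiers are a simplification
# assumed for this example, not the grading scheme used in the research paper.
BROKEN_TOKENS = {"RC4", "DES", "DES40", "EXPORT", "NULL", "anon"}
AEAD_TOKENS = {"GCM", "CHACHA20", "CCM"}
FS_TOKENS = {"ECDHE", "DHE"}

def tier(suite):
    """0 = broken primitive, 1 = legacy (3DES, CBC, no forward secrecy), 2 = modern."""
    tokens = set(suite.split("_"))
    if tokens & BROKEN_TOKENS:
        return 0
    if "WITH" not in tokens:  # TLS 1.3 names: always AEAD with ephemeral keys
        return 2
    if tokens & FS_TOKENS and tokens & AEAD_TOKENS:
        return 2
    return 1

def compare_offers(browser, proxy):
    """Compare what the proxy offers upstream with what the browser would have offered."""
    # Signalling values such as TLS_FALLBACK_SCSV are not real cipher suites.
    browser = [s for s in browser if not s.endswith("_SCSV")]
    proxy = [s for s in proxy if not s.endswith("_SCSV")]
    introduced = sorted(s for s in set(proxy) - set(browser) if tier(s) == 0)
    best_browser = max(map(tier, browser), default=0)
    best_proxy = max(map(tier, proxy), default=0)
    return {"degraded": bool(introduced) or best_proxy < best_browser,
            "introduced_broken": introduced,
            "best_browser": best_browser, "best_proxy": best_proxy}

# Constructed sample offers (IANA cipher suite names).
BROWSER = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
           "TLS_RSA_WITH_AES_128_CBC_SHA",
           "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
           "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
WEAK_PROXY = ["TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]

if __name__ == "__main__":
    print(compare_offers(BROWSER, WEAK_PROXY))      # proxy weakens the connection
    print(compare_offers(BROWSER, list(BROWSER)))   # proxy mirrors the browser
```

A proxy that mirrors the browser's offer reports no degradation, which is the property the post describes as keeping the connection "at the same level as it was before the interception."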

Avast keeps the security characteristics of HTTPS connections

At Avast, to protect the user, we provide a truly transparent proxy in which we don’t change any security characteristics of the connection. If it was safe before Avast intercepted the HTTPS traffic and checked it for malware, it should also stay safe with Avast’s security scan.

The report also pointed out that the Avast version for Mac advertises a broken cipher. The researchers used an old version of Avast for Mac, dating back to March 2016. We have released several updates since, so the problem no longer exists. It is possible that the study also refers to older versions of our competitors’ products, which means they may have also optimized their features since.

Learn more about how Avast’s HTTPS scanning feature works.

HTTPS scanning is more important than ever, as many cybercriminals don’t hesitate to use HTTPS to make an infected website look secure. To protect yourself, download our Avast Free Antivirus.
