I was looking at some certificates that websites had on Chrome (to confirm its SSL security/authentication), and I noticed that a lot of them are Issued by Avast. For example, here is one from the Weather network’s website

image542×438 11.2 KB

Is it normal for Avast to generate so many of the SSL certificates? If I didn’t have Avast installed would some other certificate authority be issuing these instead?

If you Look in your Browser Settings you will see “Your Browser is being managed by your organisation.” Certainly it does in Firefox, my default browser.

In order for the Web Shield and Mail Shields to to operate as a man in the middle to scan content before it hits your desktop, the Web Shield and Mail Shields have to be able to do that, so they need this certification.

I don’t have that statement in Chrome (my default browser). I have that on my work computer though, which makes sense since it is indeed being monitored by my employer

Regarding the certificate, I restarted my computer and after loading Chrome back up, I checked the certificate for the Weather Network and see that it’s now issued by Amazon

image546×437 10.8 KB

So I guess it can be a different issuer each time? What’s interesting is that the Issue and Expire dates are each the same in both cases.

There was another topic some time ago about something like this, so I thought it might be the same, in regard to SSL certificates.

Bumping this thread to see if anyone has any insight or answers for this as I still notice the same thing. I also see this thing when I go to the details tab when I go to the Details tab of a website’s Avast-issued certificate and am unsure if this is a cause for concern.

image529×256 3.89 KB

Here is the similar topic mentioned by @DavidR: Firefox doesn’t recognize the certificate issuer if HTTPS scanning is on (with repro).

In summary:

• It was an Avast bug in Firefox, now it seems to come up in Chrome.
• Indeed Avast needs to inject its certificate to be able to scan HTTPS websites, but this injection is expected to be invisible to you (it’s called “transparent” HTTPS scanning). If it’s visible, it’s a bug.

If it’s supposed to be “invisible”, what does that mean? It would just show as the certificate issuer being something different?

Is this a bug for everyone using Chrome or just me/certain people?

In “transparent” mode, you (and browsers) can see original certificates.

Definitions of a word “bug” is a bit complicated here, personally I would call a bug as “unplanned, unintended” behavior. Fallback to injection mode from transparent mode is by design, to keep users protected, so it may be undesired but “as planned” so I wouldn’t call it a bug just because of that. Of course it could be caused by a bug (I mean, “unintended fallback”) though.