We are always advised to check the certificate when accessing sites such as banks. This should show the certificate path to the root CA and the contents of the certificate.
When I use Chrome as my browser this works as expected. I can inspect the contents of the certificate and the certificate chain.
When I use Internet Explorer, however, all I can see is an Avast mail/web shield certificate.
I do not understand why the behaviour is different between the two browsers.
I cannot see any way to inspect the certificate or certificate chain in Internet Explorer.
I know how to inspect the installed certificates. What I want to do is to check the actual certificate that is being used by the current HTTPS session in the browser. All advice given to us is to ensure that the path is encrypted (padlock shown) and to verify the certificate and its path. Avast is hiding the path and is not providing me with the means to check it on IE.
To do this you click on the padlock. It should show the certificate being used. You can then go and see the path to the root certificate for that site.
For Chrome the certificate path is valid = GeoTrust CA → Google Internet Authority G2 → google.co.uk
For IE the certificate path is = Avast! Web/Mail shield root → google.co.uk
I have attached screenshots of the certificate path displayed for the Chrome browser (Certificate Path using Chrome.jpg) and for Internet Explorer 10 (Certificate path using Internet Explorer.jpg).
As an IT security specialist I can understand why Avast might want to deliberately intercept the HTTPS session in order to inspect the content. I sometimes have to do this in secure internet gateways in systems I design for clients. In this case however I need a method to inspect the original certificate chain when using IE.
I would also like to know why the behaviour is different between Chrome and IE.
If it is relevant, I am using Windows 8 Home 64 bit and the most recent version of Avast.
Which version of Avast do you have installed? The new HTTPS scanning mechanism was introduced in v11, so Avast no longer replaces the root certificate with its own (Avast! Web/Mail shield root) on Win7 and higher. If you're on the latest version, try using Avast Cleaner to reinstall the antivirus: http://files.avast.com/iavs9x/avastclear.exe
If I have understood your response, it is IE that is not behaving correctly and Chrome is behaving correctly. I am not sure just how Avast hooks into the OS to intercept browsers.
I will try the uninstall/reinstall as you suggested when I get the time.
I checked it in IE 11 and there is no Avast! Web/Mail shield root certificate, see attached picture (sorry, it's in Russian). My OS is Windows 10.
Hi, we are not able to scan HTTPS connections in IE (and EDGE) without our own certificates being injected into the browser.
This behavior is expected in IE even on the latest version of Avast.
The certificate is created ad hoc and signed by Avast Web/Mail shield root. All attributes of the certificate are kept the same (such as Common Name or validity periods), just the issuer must be your very own PC, in order for the local scanner to be able to decrypt the traffic and scan it.
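The re-signing described in the last reply (same subject and validity, different issuer) can be checked programmatically. The following is an added example, not part of the thread and not Avast's code: it classifies a leaf certificate in the dict format returned by Python's `ssl` `getpeercert()` against a reference copy assumed to have been recorded on a path without HTTPS scanning. The sample certificates and their dates are constructed; the issuer and site names are the ones quoted in the thread.

```python
import hashlib
import socket
import ssl

# Issuer name quoted in this thread for the locally generated certificates.
LOCAL_SCANNER_ISSUERS = {"avast! web/mail shield root"}

def name_field(name, key):
    """Return one field (e.g. 'commonName') from a getpeercert() name tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def classify(seen, reference):
    """Compare the leaf this client received with a reference copy of the
    same site's leaf recorded on a path without HTTPS scanning."""
    if seen["issuer"] == reference["issuer"]:
        return "issuer matches reference"
    issuer_cn = (name_field(seen["issuer"], "commonName") or "").lower()
    attrs = ("subject", "notBefore", "notAfter")
    copied = all(seen[a] == reference[a] for a in attrs)
    if issuer_cn in LOCAL_SCANNER_ISSUERS and copied:
        return "re-signed by local scanner"
    return "unexpected issuer"

def fetch(host, port=443):
    """Return (decoded leaf, SHA-256 of its DER) as received by this process."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()

def _leaf(issuer_cn, not_after="Jun  1 00:00:00 2016 GMT"):
    # Constructed sample data; dates are illustrative, names are from the thread.
    return {
        "subject": ((("commonName", "google.co.uk"),),),
        "issuer": ((("commonName", issuer_cn),),),
        "notBefore": "Mar  1 00:00:00 2016 GMT",
        "notAfter": not_after,
    }

REFERENCE = _leaf("Google Internet Authority G2")
SEEN_IN_IE = _leaf("Avast! Web/Mail shield root")
MISMATCHED = _leaf("Avast! Web/Mail shield root", "Jun  1 00:00:00 2026 GMT")

if __name__ == "__main__":
    for label, cert in (("IE", SEEN_IN_IE), ("mismatched", MISMATCHED)):
        print(label, "->", classify(cert, REFERENCE))
```

The issuer name only reports what the certificate claims; comparing the SHA-256 returned by `fetch()` with the fingerprint of the reference copy is what confirms that the leaf is the site's original one.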