One site okay, the other not

I ran into the certificate problem with my Mac: Chrome was not recognizing certificate authorities.
That was due to the security update that downgraded the Avast certificate (removing it from the system).

The solution to that is to uninstall Avast, and then reinstall it. This puts the certificate back into the system.
Problem resolved… at least on one site.

I had the problem with a secure PayPal site, but the reinstall solved that problem, and now it trusts that site.
But today I ran into another site that says it uses the Avast certificate, but Chrome says it isn’t trusted!
The two sites are:
https://www.paypal.com/webapps/mpp/paypal-safety-and-security – this site is trusted, no problems now
but
https://secure.thisistrue.com/ is NOT trusted; I can still get to the site, but it isn’t trusted.

The certificates for each basically show the same authority… Avast.
For the PayPal one:
Your connection to www.paypal.com is encrypted with 256-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.

The connection does not use SSL compression.

And for the thisistrue site:

Your connection to secure.thisistrue.com is encrypted with 256-bit encryption.

The connection uses TLS 1.0.

The connection is encrypted using CAMELLIA_256_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.

The connection does not use SSL compression.

But as I said, the PayPal site is shown as trusted, but the other is NOT.

How is this possible? Oh, and the thisistrue site owner stated he had a GoDaddy certificate, but I think that is covered by Avast, as GoDaddy is the parent company.

Still no resolution.

The thisistrue site still claims an untrustworthy certificate while the PayPal one is fine.

Yet they use the same certificate!

And not a word from support either.

For some reason the OpenSSL we use does not find the root certificate for secure.thisistrue.com
(Go Daddy Class 2 Certification Authority) even though it is in the certificate file the webshield uses.

openssl s_client -CAfile /Library/Application\ Support/Avast/config/com.avast.proxy.cer -connect secure.thisistrue.com:443

will give you the same error.

I will try to investigate it a little bit more.

More fuel for the fire:

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1037

gives me a “certificate not trusted” error as well. Your own site!

I can bypass it of course and get to the page, but the https indication is red indicating not trusted.

The reason is the misconfigured servers (also true for support.avast.com :frowning: ) that do not send the intermediate SSL certificates as required. So all you can do is to contact the server administrator and let him know to fix the server configuration (I have done this for support.avast.com, should be fixed soon).

If you ask why the browser does not handle the broken server as untrusted, it’s because the browsers usually cache all intermediate SSL certificates they “see”, so if they then connect to such a broken server, they try to search the cached SSL certificates to complete the certificate chain.

And now the question is, why doesn’t Avast do the same?

The answer is that it is an ugly hack that requires a lot of error-prone code. So the benefit of doing so (in security software like avast!) is, as we believe, not high enough to outweigh the risks.
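A way to check for yourself whether a server is sending its intermediate certificates, added here as an example that is not from this thread or from avast: it reads the "Certificate chain" listing that openssl s_client prints and reports where the presented chain stops. The host name, CA names and sample listings in it are constructed; the live command at the end assumes openssl is installed.

```shell
#!/bin/sh
# Report whether the chain a TLS server presents is complete, from the
# "Certificate chain" listing that openssl s_client prints, read on stdin:
#    0 s:<subject of cert 0>
#      i:<issuer of cert 0>
#    1 s:<subject of cert 1>   ... and so on.
# Cert k must be issued by cert k+1. The last cert is either a self-signed
# root, or its issuer must already be in the client's trust store.
# Prints one of: complete | ends-at:<issuer> | broken:<k> | no-chain
chain_status() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-chain"; exit }
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "broken:" k; exit }
      if (iss[n] == subj[n]) print "complete"
      else print "ends-at:" iss[n]
    }'
}

# Constructed sample listings (not captured from any real host).
# 1) Server sends only its leaf: a client without the intermediate fails.
LEAF_ONLY=' 0 s:CN = secure.example.test
   i:C = US, O = Example CA Inc, CN = Example Intermediate CA'

# 2) Server sends leaf + intermediate; only the root must be in the store.
WITH_INTERMEDIATE="$LEAF_ONLY
 1 s:C = US, O = Example CA Inc, CN = Example Intermediate CA
   i:C = US, O = Example CA Inc, CN = Example Root CA"

# 3) Full chain ending in the self-signed root.
FULL_CHAIN="$WITH_INTERMEDIATE
 2 s:C = US, O = Example CA Inc, CN = Example Root CA
   i:C = US, O = Example CA Inc, CN = Example Root CA"

# Live use (assumes openssl on PATH; HOST is a placeholder):
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | chain_status
# "ends-at:" names the certificate the client must already trust. If that
# name is an intermediate CA rather than a root, the server is not sending
# its full chain, which is the misconfiguration described in the thread.
for sample in "$LEAF_ONLY" "$WITH_INTERMEDIATE" "$FULL_CHAIN"; do
  printf '%s\n' "$sample" | chain_status
done
```

Pass the same listing to chain_status with the -CAfile bundle's root subjects in mind: a chain that ends at a name not present in that bundle is exactly the case where openssl s_client fails while a browser with a cached intermediate succeeds.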