I have serious concerns about the HTTPS security of Web Shield in Avast Mac Security, because of its blindness to TLS certificate revocations.
This issue has been under public discussion since at least 2015: http://www.thesafemac.com/avasts-man-in-the-middle/
But in 2017, Avast Mac Security Web Shield retains this vulnerability. To check for yourself, navigate to https://revoked.grc.com. With Web Shield turned off, my browser blocks access to this site due to its revoked certificate. With Web Shield enabled, I can visit the page without issue.
Will Avast Mac Security ever respect certificate revocation? It’s concerning that Web Shield’s HTTPS protection undermines a critical security guarantee of the HTTPS protocol.
I’m using Safari, and I don’t see what you’re seeing unless I turn off Avast Web Shield. With Avast Web Shield enabled, I can visit the page without issue, in spite of its revoked certificate. I’ve uninstalled and reinstalled Avast to be doubly sure, and I’m using the latest version (12.8).
Would you mind verifying whether Web Shield is enabled in your Avast preferences?
I’d be happy to see what you’re seeing, or Safari’s native revocation response! With Web Shield enabled, I see the full https://revoked.grc.com page, without warning of any kind. I’m glad to see certificate revocation security is working in the Windows version of Avast, confirming what I’ve read online.