2013-03-15 08:00:35 by chort
I'm all for having safe defaults in security software, i.e. erring on the side of turning on protection, and leaving it up to the user to disable it if they feel it's too restrictive. Recently I had an experience with a particular anti-virus program that went well beyond this. Every time I turned my head, the program had overridden my choices.
I'll preface my comments by saying this has nothing to do with the lively debates I've had with employees of this company. I was actually using their product well before the Twitter exchanges, and continued to use it until their product betrayed my trust.
Initially I installed avast! after doing a fair amount of research on multi-platform anti-virus for work. avast!, Avira, and BitDefender were on the shortlist. I decided to try avast! first on my home machines to evaluate it for possible use at work.
Because I've been handling dangerous emails for years, and have a number of attack mitigations enabled in my browsers, I turned off the email and web traffic interception capabilities in avast! deliberately. I also uninstalled their browser plugins from Chrome, Firefox, and Safari (through the avast! application), because I like to limit the number of third-parties who have access to my surfing habits. I noticed that every time I would reboot, the avast! browser extensions would magically show up again, without my permission. It was annoying, but since I only reboot to install security patches, it was bearable.
Things started to go downhill, however, when I installed their recent version upgrade. Unfortunately after the upgrade downloaded, I couldn't open the main application to show the browser extensions were disabled, but trust me they were. Here are the screenshots showing the email and web MitM features were turned off.
Seems to indicate their proxy was blocking TLS before?:
Features disabled (by me) prior to reboot:
After reboot, they're turned back on:
This means avast! will MitM my TLS email:
And automatically deleted attachments I told it not to:
And the bloody browser extensions are back (I thought Chrome 25+ blocked this!?!)
OK, all this I can understand, to a point. Previously the MitM features apparently didn't work very well, so they want to turn them back on in case a user disabled them out of frustration. I kind of get this, but there was no warning this would happen and no way to opt-out, let alone opt-in. avast! just silently re-enabled MitM after I had explicitly disabled it.
I became curious, though: if MitM was a problem before, but now it suddenly isn't a problem, does that mean perhaps they have a trusted CA to forge certificates on the fly? The installer sure didn't ask me if I wanted to install/trust a new CA, but we better check... Smoking gun:
Boom! There it is. avast! silently gave themselves the ability to MitM all my traffic. Suppose they end up selling email security gateways or web proxy appliances at some point. Maybe I'm on some shady hotel network, you know, the kind who love to MitM their customers' traffic, and I don't even get a warning, because the CA is already trusted. This pattern of deliberately and repeatedly overriding the user's explicit choices, especially about something as important as which CAs to trust, is unacceptable. I will never use or recommend avast! products, and my company certainly will not be buying any. Good riddance.
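The check the post describes, spotting a root CA that appeared in the trust store without being asked for, can be automated so it does not depend on noticing it by chance. The following is an added example written for this post; it is not code from the author or from avast!. It records a baseline of SHA-256 fingerprints for every certificate in a PEM bundle and reports any certificate that is later present but missing from the baseline. The export command named in the docstring and the sample "certificates" (placeholder bytes in PEM armour, not real certificates) are assumptions and constructed input for the example.

```python
"""Report root CAs that are present in a trust store but absent from a baseline.

Added example for this post, not code from the author or from avast!.
Input is any PEM bundle; on macOS one can be exported with
`security find-certificate -a -p /Library/Keychains/System.keychain`
(assumed export command). The baseline is the set of SHA-256 fingerprints
recorded when the trust store was last known-good.
"""
import base64
import hashlib
import re

# Matches one PEM certificate block; group 1 is the base64 body.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def der_from_pem_body(body):
    """Strip whitespace from a PEM body and decode it to the DER bytes."""
    return base64.b64decode("".join(body.split()), validate=True)


def fingerprints(bundle):
    """SHA-256 hex fingerprints of all certificates in the bundle, in order."""
    return [
        hashlib.sha256(der_from_pem_body(body)).hexdigest()
        for body in PEM_CERT_RE.findall(bundle)
    ]


def unexpected_roots(bundle, baseline):
    """Fingerprints that are in the bundle but not in the baseline set."""
    return [fp for fp in fingerprints(bundle) if fp not in baseline]


def _fake_pem(payload):
    """Wrap arbitrary bytes in PEM armour. Constructed placeholder for this
    example only; the payload is NOT a real certificate."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed sample trust store: one root that was in the baseline and one
# that showed up after a software install (stand-in for a vendor-added root).
KNOWN_ROOT_PEM = _fake_pem(b"constructed placeholder: vendor-shipped system root")
NEW_ROOT_PEM = _fake_pem(b"constructed placeholder: root added by third-party installer")
SAMPLE_BUNDLE = KNOWN_ROOT_PEM + NEW_ROOT_PEM

# Baseline as it would have been recorded before the install.
BASELINE = set(fingerprints(KNOWN_ROOT_PEM))


if __name__ == "__main__":
    import sys

    # Usage: python3 check_roots.py [bundle.pem] [baseline.txt]
    # With no arguments the constructed sample above is checked.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            bundle = f.read()
        with open(sys.argv[2]) as f:
            baseline = {line.strip() for line in f if line.strip()}
    else:
        bundle, baseline = SAMPLE_BUNDLE, BASELINE
    added = unexpected_roots(bundle, baseline)
    for fp in added:
        print("root not in baseline:", fp)
    sys.exit(1 if added else 0)
```

Run it once on a clean system to write the baseline (one fingerprint per line), then again after every install or upgrade of anything that touches TLS; a non-zero exit is the signal to look at which vendor put a root there and whether it is acceptable to have that vendor able to vouch for any site or mail server the machine talks to.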