Tag Archives: HTTPS @en

‘Tis the Season to Shop Online

The holiday season is coming up and we expect that many will opt to shop online to avoid the big crowds in city centers, malls and stores. 

In America, Cyber Monday, the cyber version of shopping day Black Friday, was born in the mid 2000s. Cyber Monday sales have steadily increased since its inception and according to IBM Digital Analytics, sales grew 8.5% in 2014. According to ComScore, purchases are now also being made from smartphones with overall spending from mobile devices in the millions.

Americans aren’t the only ones who have embraced Cyber Monday, many other retailers around the world have come together to offer deals on the Monday after U.S. Thanksgiving and in China, Singles’ Day (November 11th) has become a major ecommerce day with 27,000 online merchants participating in 2014

via v3.co.uk

via v3.co.uk

This is not only an exciting time for online retailers and online shoppers but also for cyber criminals. I spoke with our senior malware analyst, Jaromír Hořejší about how cybercriminals are preparing for Cyber Monday:

Cybercriminals will use the same tactics they always do, but target consumers more during Black Friday with “special” offers via fake email campaigns to trick people into shopping on fraudulent sites to steal their information and money.

It is, therefore, vital you have antivirus installed on all of your devices. Antivirus software, like Avast, will detect and block phishing attacks before they can affect consumers.

Consumers should also make sure all of the software on their devices is up-to-date. Attackers often exploit vulnerabilities, which can be found in outdated software and by exploiting outdated software they can infect your device to then steal your financial information while you shop online.

In addition, consumers should shop at online stores that are known and credible. Credible sites usually use the HTTPS protocol, assuring secure communication. You can recognize if a site is using the HTTPS protocol by the little padlock in the address bar of your browser. If you are on a check out page and you don’t see the HTTPS padlock, do not enter your personal data and financial information!

How to minimize risks while shopping online

  • Use a payment service or your credit card – Experts agree that payment services like PayPal are safe because of their security practices and the encryption technology they use. Link it to a credit card so you get your credit card’s fraud protections in addition to PayPal’s. If you only use a credit card, designate one card for online purchases so if something unusual happens, you don’t have to track down all your other cards.
  • Keep a paper trail – Once you place your order, print or save records of the transaction. Check your credit card statement to make sure transactions match and there were no unauthorized charges.
  • Avoid shopping while using public Wi-Fi – Unsecure public Wi-Fi hotspots do not give you any protection from hackers who want to monitor what you are doing online. It’s not difficult for someone to intercept and modify communications between you and another site. If you have to do it, then use a Virtual Private Network (VPN) so your communications will be encrypted.
  • Use a secure browser – the new premium versions of Avast 2016 include SafeZone browser, which isolates banking and payment sites in a protected space, so users have an extra secure place to bank and pay bills online.

 Follow Avast on Facebook and Twitter  for more security tips, news, and trends. 

Explaining Avast’s HTTPS scanning feature

Avast scans HTTPS

Avast Web Shield scans HTTPS sites for malware and threats.

Internet users with basic security knowledge are aware that they should look for the padlock icon in the address bar or the HTTPS in a web address to indicate that a website is secure. We have gotten used to seeing it on bank sites or shopping carts where we input our credit card information. More and more, regular websites are making the switch from unencrypted HTTP to encrypted HTTPS. Last year, search giant Google sweetened the pot by adding HTTPS to their ranking algorithm. That action encouraged webmasters everywhere to make the switch to HTTPS.

But is HTTPS really more secure than HTTP?

The simple answer is not always. As more and more online services are moving to HTTPS, attacks are increasing. An encrypted connection ensures that the connection cannot be modified by anyone else, but it does not guarantee that the actual content being downloaded is safe. Just as with plain HTTP, if a legitimate website is hacked, malware scripts and binaries can be placed into the HTTPS page that appears to be safe.

That’s why it is imperative for security software to check this attack vector. To address this, Avast’s trusted Web Shield technology scans HTTPS sites for malware and threats.

How Avast’s HTTPS scanning feature works (the short version)

Avast is able to detect and decrypt TLS/SSL protected traffic in our Web-content filtering component. To detect malware and threats on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are digitally signed by Avast’s trusted root authority and added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS; traffic that otherwise could not be detected.

Avast whitelists websites if we learn that they don’t accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site.

This video gives you an overview, but if any of this didn‘t make much sense to you, read below for a more detailed explanation. You can also explore the FAQ about HTTPS scanning in Web Shield.

What is HTTP and why is it being changed?

HyperText Transfer Protocol or HTTP is the network protocol used to deliver virtually all files and other data on the World Wide Web. When you visit a website you may see the HTTP:// prefix in the address. This means your browser is now connected to the server using HTTP. The problem with HTTP is that it is not a secure way to establish a connection, opening a door to cybercrooks who want to eavesdrop on your activities.

Hackers can eavesdrop via an HTTP address because when you connect to a website with HTTP, your browser assumes it is connected to the correct web server. The problem with this is that there is no way to authenticate that you are actually connected to the correct website. This is a big problem if you think you are connecting to your bank’s website, but you are really on a compromised network and have been redirected to a fake website. This is when the hacker can eavesdrop and see any passwords, credit cards, or other data.

HTTPS is meant to solve this problem

HTTPS, which literally stands for HTTP Secure, is the safe encrypted counterpart to HTTP. When you connect with HTTPS , it provides identity verification and security, so you get the benefit of encryption that prevents others from eavesdropping on your communications and ensures you that you are connected to the intended server.

What is a website security certificate?

HTTPS encryption and authentication are provided by security protocols known as TLS and SSL. The SSL protocol verifies that you are connected to the intended server with a “handshake” which proves the identity of the server to the client. This is achieved using SSL security certificates, which contain various pieces of information like the name of the holder, the domain, validity date, the certificate’s public key, and the digital signature.

Usually the certificate is digitally signed by a trusted certificate authority (CA) that it already knows. For the connection to succeed, the server, and in some cases the client, must provide a certificate that allows the computer to determine if the connection should be trusted or not. If the private key to the certificate is leaked, anyone can mimic the server’s identity.

Why does Avast create a ‘certificate authority’ and how is it created?

When the browser is about to make a connection to a HTTPS server, Avast Web Shield takes over the handshake and connects itself to the server. When the server sends its certificates, Web Shield verifies them against the Windows System Certificate Store – the same list of trusted certificates that Internet Explorer, Chrome, Opera, and other programs use. Web Shield scans the flow of the data connection, and after verifying that the communication is secure, hands over the connection to the browser.

Avast Web/Mail certificate rootWhat is a MITM attack and how does it differ from what Avast is doing?

The SSL protocol is imperfect, so hackers can take advantage of it. A man-in-the-middle (MITM) attack takes place when a hacker intercepts the communication between two systems by impersonating the two parties. This clever ruse makes them think that they are talking to each other when they are both actually talking to the attacker. The attacker can read, insert, or modify the data in the intercepted communication and no one ever knows.

The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection. Since Avast is running with Administrator rights and elevated trust on the computer, it can create and store certificates that the browser correctly accepts and trusts for this, and only this, machine. For every original certificate, Avast makes a copy and signs it with Avast’s root certificate, located in the Windows Certificate store. This special certificate is called “Avast Web/Mail certificate root” to clearly distinguish who created it and for what purpose.

We want to emphasize that no one else has the same unique key that you have from the installation generated certificate. This certificate never leaves the computer and is never transmitted over the internet. The Windows System Certificate Store is the only place where your computer’s certificate is stored and accessed.

How do I maintain my privacy when Avast is scanning my banking connections?

Our customers’ privacy was our first concern when planning the implementation of HTTPS scanning. That’s why we created a way for whitelisting, or ignoring, the connection when Avast users access banking sites. Our current list has over 600 banks from all over the world and we are constantly adding new, verified banking sites. You can, and should, verify the bank’s security certificate when using online banking sites. Once verified, you can submit the banking or other web site to our whitelist by sending us an email: banks‑[email protected].

How to disable the HTTPS scanning feature

If you do not want Avast to scan HTTPS traffic, you have the option of disabling the feature in the Avast settings:

1. Open the Avast user interface → select Settings.
2. Select Active protection → click Customize next to Web Shield.
3. Select Main settings → check/uncheck Enable HTTPS scanning to turn this feature on/off.