

Why Is 'avast Web/Mail Shield Root' Listed as CA for Google.com? (2014) - bm98
http://security.stackexchange.com/questions/73476/why-is-avast-web-mail-shield-root-listed-as-ca-for-google-com

======
aburan28
Do you have a Chrome extension called something along the lines of "Avast Online
Security"?

~~~
bm98
My experience is that the Avast installation process will install its Trusted
Root certificate if the "web scanning" option is enabled (which is the
default) during installation. Even if Avast browser extensions are disallowed,
and even if the web scanning feature is later turned off, the Trusted Root
Certificate will still be there and will still be utilized.

As noted in the comments of the accepted answer on SE, this is not necessarily
a security problem as long as the certificate is unique on each PC. But to me,
in order for this whole Antivirus-MITM scheme to be secure, the AV vendor has
to get a lot of things right. If the certificate generation during AV
installation is flawed (say, with a weak RNG), then it could easily be
exploited to perform MITM on anyone with the flawed certificate in their
trusted root store.
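
A way to check both points raised in the thread, namely whether the root is still installed and whether it is unique per PC. This is an added example, not code from the thread or from Avast. The subject pattern `avast` and the output field names are assumptions.

```powershell
# Added example: list trusted roots whose subject matches an AV product name and
# print values that can be compared between machines.
$pattern = 'avast'   # assumption: case-insensitive regex matched against the Subject

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$sha256 = [System.Security.Cryptography.SHA256]::Create()

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern } |
        ForEach-Object {
            # Hash of the encoded public key: equal values on two hosts mean the
            # same key pair, even if the certificates themselves differ.
            $keyHash = $sha256.ComputeHash($_.PublicKey.EncodedKeyValue.RawData)

            # RSA key size; stays empty for non-RSA keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)

            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint          # hash of the whole certificate
                KeySha256  = [System.BitConverter]::ToString($keyHash) -replace '-', ''
                KeyType    = $_.PublicKey.Oid.FriendlyName
                RsaBits    = if ($rsa) { $rsa.KeySize } else { $null }
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
}

if ($found) {
    $found | Format-List
} else {
    "No trusted root with a subject matching '$pattern' was found."
}
```

Run it on two or more machines and compare `Thumbprint` and `KeySha256`: a per-installation root gives different values on every host. Matching values show only that a key is shared; they say nothing about how the key was generated.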

