
Comcast SSL Certificates?

Insert User Name Here

Aug 29, 2015, 10:57:39 PM
Hello,

Avast doesn't like Comcast's SSL/TLS Certificate and so replaces it with
its own. OE plays very nice with it, Thunderbird asks if it's OK to replace
it and Eudora yacks up a bone on it. I keep getting messages to OK it, but
even after clicking 'yes', it chokes before it ever downloads a single
email. I do not know what it is about the Comcast certificate that Avast
doesn't like, but then, I really don't know much about certificates.

Avast has a button to save a certificate file to import into Eudora or
whatever (a copy of the one Eudora already doesn't like).

Is there a place to download such a file from Comcast that I might try to
force in Eudora?

Thanks

VanguardLH

Aug 30, 2015, 2:09:42 AM
troglodyte wrote:
<Hey, you said "Insert User Name Here" so I picked one.>

> Avast doesn't like Comcast's SSL/TLS Certificate and so replaces it
> with it's own.

You have enabled Avast's HTTP scanning feature. That interrogates your
secure web traffic (like it does with insecure web traffic). A MITM
(man-in-the-middle) attack method is needed to look inside encrypted
traffic. So Avast's installer adds Avast's certificate to your local
certificate store. Avast's proxy intercepts your web traffic. For
HTTPS, to your client Avast's proxy pretends it is the target site and
to the target site it pretends it is your client. Encrypted traffic can
only be decrypted at the endpoints of the secure connection. So Avast
sits in the middle between client and target site by creating an
endpoint to allow decryption. If Avast's cert is not in the local cert
store then you won't be able to reach HTTPS sites (unless you disable
Avast's HTTP scanning feature).

Avast is not replacing Comcast's or any other site's certificate. Avast
still has to use the site's cert to re-encrypt the intercepted web
traffic to make a secure connection to the target HTTPS site.

Read up on HTTPS. Then research how MITM attacks using locally
installed certs are used to intercept and reveal otherwise secure
traffic. This is also done at companies on their workstations. Their
sysprep image they put on their workstations includes the company's own
cert. They can then use their own proxy to intercept traffic on your
workstation so they can see what is inside. Their property, their
resources, and you're supposed to be working at work plus they need to
protect their assets from deliberate or accidental disclosure.

> OE plays very nice with it, Thunderbird asks if it's OK to replace it
> and Eudora yacks up a bone on it. I keep getting messages to OK it,
> but even after clicking 'yes', it chokes before it ever downloads a
> single email. I do not know what it is about the Comcast certificate
> that Avast doesn't like, but then, I really don't know much about
> certificates.

No, the client knows the domain to which it intended to connect. That
will NOT match the domain in Avast's local certificate. So the client
SHOULD warn you that the endpoint your client reached is not the one
specified by the client. OE doesn't burp because it probably doesn't
have any code to alert users when a server connection is not to the
specified domain. It will burp when an encrypted e-mail (which is NOT
the same as a secure connection) has been corrupted (its hash doesn't
match the public key used in the encryption). Thunderbird notices the
domain for the server to which it intended to connect is not the domain
in the cert it got back from Avast's proxy.

> Avast has a button to save a certificate file to import into Eudora or
> whatever (a copy of the one Eudora already doesn't like).

All that means is Eudora has its own internal cert store to add more
certs than what are already available in the OS cert store. If you want
to see the cert store in Windows, run:

certmgr.exe

You'll find Avast's cert under the "Trusted Root Certificates ->
Certificates" node in the tree. Eudora should be able to use certs in
the OS cert store. Maybe that client is deficient and can't use the
local cert store which means you have to add it to Eudora's cert store.

> Is there a place to download such a file from Comcast that I might try
> to force in Eudora?

I don't know that Avast provides a separate .cer file to allow
independent installation of their certificate into the local cert store
for the OS or to an app (e.g., Eudora). Avast's installer should take
care of installing Avast's cert in the local store but it obviously
won't go around to each app to find out if that app has its own cert
store to add Avast's cert there.

If you don't see Avast's cert where mentioned in the Certificate Manager
applet then reinstall Avast to see if the installer succeeds on the next
install. If you do see Avast's cert in the local store then there is
something defective or deficient in Eudora that it cannot use the local
cert store.

https://blog.avast.com/tag/security-certificate/

You can always disable the HTTPS scanning feature in Avast. It will
slow down retrieving the content of a secure web page along with all the
external resources (links) to other secure content. Having to decrypt
web traffic, interrogate the traffic, and re-encrypt that traffic to
pass it along takes time and that incurs lag. Whether you see the lag
depends on how fast your hardware is, what software you add that will
slow your OS, client, or network, and how many secured sources have to
be intercepted that are referenced in a web page. The moment I
installed the major version of Avast that introduced their HTTPS
scanning feature was when I noticed there was a lag in responsiveness in
getting web pages to paint. Took me a while to realize it was just the
HTTPS web pages that got slowed and then I discovered the addition of
the new HTTP scanning feature. Disabled it and all web pages, including
HTTPS ones, popped immediately on the screen in the web browser.

Until Avast improves their HTTPS scan engine (make it faster, make it
work in parallel with multiple HTTPS sources in a web page, or whatever
it takes), I will leave disabled their HTTPS scanning feature. Besides
the slowdown, and as you have experienced, the MITM attack to intercept
and interrogate HTTPS traffic can cause problems in some software.

The folks in Avast's own forums might know where you can get a .cer file
with Avast's certificate inside; else, you could contact Avast support
to ask for a .cer file so you can import it into some app's private cert
store, like Eudora, because it won't use the local cert store in the OS.
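
The check VanguardLH describes above (the client compares the name it dialled against the certificate it got back, and a careful client also notices when the issuer is a locally installed scanner root rather than a public CA), written out as an added example. It is not code from this thread, from Avast or from Eudora; every certificate field, hostname and root name in it is a constructed sample, laid out the way Python's `ssl.SSLSocket.getpeercert()` returns a certificate.

```python
"""Added example: how a mail client decides whether to trust the certificate
it received, using the dict layout ssl.SSLSocket.getpeercert() returns.
All certificate contents, hostnames and root names are constructed samples."""

# 1) What the real mail server presents (hostname is a placeholder).
SERVER_CERT = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": ((("organizationName", "Public CA Example"),),
               (("commonName", "Public CA Example Root"),)),
    "subjectAltName": (("DNS", "mail.example.net"), ("DNS", "*.example.net")),
}
# 2) What an intercepting scanner proxy hands the client instead: a leaf
#    signed by the root the scanner installed in the local trust store.
PROXY_CERT = {
    "subject": ((("commonName", "Scanner Server Certificate (constructed)"),),),
    "issuer": ((("organizationName", "Local AV Vendor (constructed)"),),
               (("commonName", "Scanner SSL/TLS Root (constructed)"),)),
    "subjectAltName": (("DNS", "Scanner Server Certificate (constructed)"),),
}
# Root CNs an admin has chosen to flag as interception roots (constructed).
LOCAL_SCANNER_ROOTS = {"Scanner SSL/TLS Root (constructed)"}

def rdn_values(rdn_seq, key):
    """Collect every value for `key` from getpeercert()'s nested RDN tuples."""
    return [v for rdn in rdn_seq for k, v in rdn if k == key]

def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names or rdn_values(cert.get("subject", ()), "commonName")

def label_matches(pattern, hostname):
    """RFC 6125 style match: '*' is allowed only as the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return "*" not in p[1:] and p[1:] == h[1:]
    return p == h

def check_peer(cert, hostname, scanner_roots=LOCAL_SCANNER_ROOTS):
    """Return the findings a careful client raises; () means trust it."""
    findings = []
    if not any(label_matches(n, hostname) for n in dns_names(cert)):
        findings.append("hostname-mismatch")  # what Thunderbird notices
    issuer_cns = rdn_values(cert.get("issuer", ()), "commonName")
    if any(cn in scanner_roots for cn in issuer_cns):
        findings.append("issued-by-local-scanner-root")
    return tuple(findings)

if __name__ == "__main__":
    for label, cert in (("real server", SERVER_CERT), ("scanner proxy", PROXY_CERT)):
        print(label, "->", check_peer(cert, "mail.example.net") or "trusted")
```

A client that skips the hostname comparison (OE in the thread) would accept the proxy certificate silently; one that performs it reports the mismatch even though the scanner root is trusted by the OS store.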

Insert User Name Here

Aug 30, 2015, 9:19:48 AM

"VanguardLH" <V...@nguard.LH> wrote in message
news:d4fl14...@mid.individual.net...
To get the .cer file:

Go to Avast settings
Active protections
Mail Shield
Mail Shield Settings
SSL Scanning
Export Certificate
Save to Desktop or wherever you want to import it from.

In Eudora's Server Certificates tree it expands to
Avast SSL/TLS certificate (marked with a smiley)
then to:
Avast Server Certificate (appears to be the same cert as previous also with
a smiley)
then to:
Comcast certificate (marked with skull and crossbones)

This is what led me to believe that Comcast has its own certificate and
that Avast didn't like it.

In the previously mentioned Avast Settings, is the SSL scanning what I would
disable for the HTTPS issues you cited? I do not see something directly
related to that. How much real-life risk am I assuming? Can I just delete
all but the Comcast cert in the Eudora Server Certificates store?

I have important mail that I cannot get to because of this seemingly 3-way
tug of war between Eudora, Avast and Comcast.

Thanks for the reply.

Insert User Name Here

Aug 30, 2015, 7:00:13 PM

<g...@rr.com> wrote in message
news:3tu5uadqjpg21hd4k...@4ax.com...
> Newsgroups: comp.mail.eudora.ms-windows
> Subject: Re: SSL certificate issue - cannot get into the certificate
> manager
>
> there is a lengthy discussion in the above group about issues with
> Eudora and Gmail's now putting out new "certificates", sometimes more
> than once a month.
>
> There are several tips and steps in this discussion that work to get
> Eudora to "trust" the new certificates.
>
> The problem I have is the fact I check 2 gmail accounts and I have to
> go through these steps for both, sometimes every couple of weeks.
>
> The real issue is Eudora is no longer supported.
>
> Is there some way to turn off Certification checking in Eudora
> completely, especially when using it with Gmail?
>

Hi,

I used the instructions in that group from the thread:

Invalid SSI Certificate
Date: Fri, 17 Jul 2015 13:09:59 -0300


I did pay particular attention to # 4 as pointed out (first mistake I had
been making) and then clicked on the Comcast Certificate, as instructed,
even though it had the skull and crossbones (tend to not blindly click on
things with those sorta icons showing, you know). Who knew that skulls were
only to show what certificate was giving the issues and to not trust that
what it said in the error window was in fact the offender (in this case, it
blamed Avast, when it was the Comcast cert that needed to be accepted... doesn't
make sense, but it fixed it) but rather the farthest file in the tree
(Comcast's certificate)? I just didn't like the look of the Comcast cert as
it only has their name and address for a file name along with the error
message and menacing emoticon... now I know, I think (guess?).

The thing that really got me was that the Avast certificate said it was good
from Nov 2014 until Nov 2024 and had worked fine until just the past few
days. So... my best guess, based on what I've read there and in Vanguard's
reply, is that one of the things Avast must check and then pass along is
Comcast's certificate and then Eudora blames the wrong one
<?dumbfoundedlookingshrug?>

At any rate, I checked mail, from the dominant personality, made sure I was
in the incoming mail tab that works just like the other tab, and told it to
accept the scary Comcast certificate, OK'd my way out and retried without
closing Eudora and all seems well... at least for the time being.

Thanks for the reply.

VanguardLH

Aug 30, 2015, 9:14:30 PM
I don't bother installing the superfluous or lureware components of
Avast Free. I only install their file shield, web shield, browser
cleanup, rescue disk, home network security, and secure virtual machines
(their deepscan mode).

Several other components are lureware: they present them in the GUI but
you have to buy them to use them (e.g., firewall, anti-spam, Cleanup
renamed from Grimefighter, SecureLine). Some are superfluous, like the
e-mail/newsgroups scanner (it's the same one as their on-access
real-time scanner and affords no extra protection but can cause lots of
problems with e-mail, especially when using SSL/TLS). Browser
protection is a webrep module (site ranking) and is worthless, as less
than 1% of all sites have been ranked and ranking is slow, so a fixed
site is still listed as bad and a bad site hasn't been ranked yet.
It's no better and just as bad as using WOT (Web of Trust). SecureDNS
has them change your DNS config to point at their DNS servers. Comodo
does the same with their products that change the DNS config to point at
ComodoDNS. Both are adware DNS servers: on what should be a failed
lookup they instead take you to their "helper" search page. No thanks.
Software Updater is a nag tool and has a limited number of apps it
checks for latest version. If you want something to nag you about
having an old[er] version of an app, get Secunia PSI. Desktop Gadget is
fluffware.

>
> In Eudora's Server Certificates tree it expands to
> Avast SSL/TLS certificate (marked with a smiley)
> then to:
> Avast Server Certificate (appears to be the same cert as previous also with
> a smiley)
> then to:
> Comcast certificate (marked with skull and crossbones)
>
> This is what led me to believe that Comcast has its own certificate and
> that Avast didn't like it.
>
> In the previously mentioned Avast Settings, is the SSL scanning what I would
> disable for the HTTPS issues you cited? I do not see something directly
> related to that. How much real-life risk am I assuming? Can I just delete
> all but the Comcast cert in the Eudora Server Certificates store?
>
> I have important mail that I cannot get to because of this seemingly 3-way
> tug of war between Eudora, Avast and Comcast.
>
> Thanks for the reply.

Their e-mail scanner interrogates your e-mail traffic to look for
attachments and checks those for infection. This is an on-the-fly
inspection but incurs lag between client and server (on both sends and
receives). Timeouts can occur. Since this works as a proxy, your real
client won't know if there was an error when Avast's proxy pretends it
is the client to the server. Any error from the server will be sent to
the proxy, not to your client. You have to configure your e-mail client
to NOT use SSL/TLS so Avast's proxy can receive that traffic to
interrogate on send or receive. Then Avast will use SSL/TLS with the
server to encrypt your external e-mail traffic. There are
articles at Avast on how to configure your e-mail client to use Avast's
e-mail scanner and which tell you to NOT use encryption in the
connections your e-mail client makes with the server which is really to
Avast's proxy (and then from the proxy via SSL/TLS to the server).

E-mail scanning is superfluous. You get no extra protection. Their
e-mail scanner will interrogate the e-mail traffic checking for infected
attachments in an on-the-fly inspection. Well, if you ever attempt to
extract those attachments in your e-mail client, you will be creating
files that their on-access scanner will check. The same scan engine is
used for both on-the-fly and on-access inspection. You don't get a
better scanner for e-mail. Besides the problem you noted, I recommend
uninstalling their e-mail scanner (or not installing it in the first
place). Then configure your e-mail client to use SSL/TLS to connect
*directly* to the e-mail server. No going through Avast's proxy.

The HTTPS scanning feature is only in Avast's web shield component.
E-mail doesn't use HTTPS. Sorry about going off track. Whether you
want Avast interrogating your HTTPS (secure web) traffic is your choice.
I found it slowed rendering of HTTPS web pages so much an annoyance that
I disabled it. That won't affect your e-mail setup. Unless you want to
follow Avast's article on how to configure your e-mail client to *not*
use SSL/TLS (because it is actually connecting to Avast's proxy and not
to the real e-mail server), just get rid of that superfluous scanning
method by uninstalling their e-mail/newsgroups shield. Then configure
your e-mail client just how the e-mail provider tells you to.

meagain

Sep 10, 2015, 8:16:41 AM
That's a great explanation, but it sounds like anyone with a certificate could mount
an MITM attack if they do it like Avast!

VanguardLH

Sep 10, 2015, 11:51:50 PM
meagain wrote:

> That's a great explanation, but it sounds like anyone with a
> certificate could mount an MITM attack if they do it like Avast!

Yes, and many companies do just that. Whether they include the
company's cert in their sysprep image they lay onto their workstations
or push the cert using policies or login scripts, they get their cert
installed in the local cert store in Windows on THEIR computers. That
way, they can intercept your HTTPS traffic to interrogate it. Unlikely
they waste time perusing through your traffic. Instead their firewall
or network monitor will search for keywords.

Just like Avast or other security products, companies also use the MITM
scheme using their certs to interrogate the traffic you generate using
THEIR resources. Some employees are in very sensitive positions so the
company doesn't want accidental or deliberate release of sensitive data.
You're supposed to be working when on their clock and all the equipment
you use on their premises is their property and you probably signed a
bunch of docs on hire day saying you agree to their interrogation of
your traffic on their network.

Avast did not come with this MITM scheme to intercept and interrogate
HTTPS traffic. It's been a long-time security scheme employed by
companies. In a similar vein, MsgTag didn't come up with the use of web
beacons to track delivery and opening of e-mails. Spammers did that
first but MsgTag figured they could use it to monetize tracking of
e-mails by their customers. Of course, if you configure your e-mail
client to not retrieve linked images then web beacons are useless. Avast
just caught up with what companies have done for quite a while.

When you go back to work, and if you have admin privileges to your
workstation (while logged into a domain) or have a local admin account,
go look in the local cert store (certmgr.msc) to review what certs are
there. You might find one for your employer.

meagain

Sep 12, 2015, 6:47:58 PM
I have certificates that "expired" in 1999 in my certmgr.msc - should I delete them?
(they're under "third-party root certificates")

VanguardLH

Sep 14, 2015, 6:20:48 AM
meagain wrote:

> I have certificates that "expired" in 1999 in my certmgr.msc - should
> I delete them? ( they're under "third-party root certificates")

You sure those certs are there to block some sites? Occasionally a
registrar gets caught issuing a cert to someone they should not. For
example, Microsoft issues updates that insert certs into the local cert
store to deliberately FAIL on them. Someone unauthorized managed to get
a registrar to issue a cert for Microsoft but the registrant was *not*
from Microsoft.

The ones I see dated 1999 are for Microsoft and they were to kill the
Microsoft forger. Was easier to push updates that installed a cert to
kill the forger than go to court to force the registrar to void the
certs. I'd have to research deeper what thumbprint was used with those
certs Microsoft pushed via updates to kill the forger.

I forget the size of certs. When you export a cert, it only occupies
around 714 bytes for the .cer file (that is its file size versus the
minimum file allocation size of 4096 bytes since a cluster is the
minimum allocation unit for a file). Even if there were a dozen of
expired certs that occupied 8,568 to 49,152 bytes, and because I can't
be sure what is the intention for having them in my local cert store,
I would leave them. I'm not worried about 48 KB on my disk.

meagain

Sep 14, 2015, 7:40:01 PM
Thanks for the comprehensive reply. Sounds good.