I don’t understand why SSL is used by EMC with Gmail. EMC states it has Oauth 2.0 with v8. By using it, EMC would bypass the SSL issue with Avast.
Regarding if Avast can be trusted for SSL, there is no easy answer as states can easily crack the IT supply chain as has been demonstrated with the SolarWinds and the Microsoft Exchange Server attacks. REvil is a recent front to hide Russia’s attacks. A trick it has used in the past to deny plausibly that the GRU, and SVR are not behind attacks on our Internet infrastructures.
SSL is the transport layer that the connection between the client and server uses. So like a motorway.
oAuth is the way the account is authenticated when it connects, so you have either username/password or oAuth. Think of that as they method you use to pay at the toll booth when using the motorway.
Avast is blocking the SLL, so like they have dug up the motorway. The car still works, just the road is missing. You can complain to the manufacturer of your car, but in the end, if someone has closed the road, they are not responsible.
Most AV scanners try to intercept the email as it is transmitted / to the computer to the server as the connection to Gmail is SSL the AV must interceprt the SSL communication. This is why the AV must install its certificate into the Windows System or into the email programs certificate store so that it can decrypt the communication and then scan the email.
Security as all about layers. The SSL scanning of emails is just another layer.
It does require the AV company to be “trusted” or “Trus-able” though and I would debate if any of them are truly 100% trust-able. About as trustable as emClient and of Google themselves (in whom you have entrusted all of your communincations).
For the average user who has noting really to hide this is fine - it is the world we live in. Either live with it or go “off-grid” and don’t use email. If you are working for the security services or are a paedo or a drug barren then you may want to steer clear of Google/Gmail and also steer clear of Windows 10 and steer clear of emClient and any other program If you are the average “person” then you have to trust someone at some point and AVG/Avast are “fairly” well respected just like Kaspersky is Fairly well respected (but they had a scare a year or so back) and just like Microsoft and Google are fairly well respected (but the USA spooks will have backdoor’s for sure).
I was always told that I should never put anything in an email that I would not want anyone else to be able to read. That is as true today as it always was.
What we want to be able to do though is to try and filter out all of the “chancers” with their virus laden / phishing emails to filter out 99.9% of the junk. this is where Avast OR Kaspersky or Esset or Norton etc. can help. Just be comforatble the at some point someone else is going to be looking at the email apart from the intended recipient.
Gary. I am not sure your analagy is quite right. AVG/Avast need to supply the certificate to emClient which they have done and then em client needs to honor that and allow that SSL certificate unfettered access to the email communincation. To my mind it looks like an emClient issue not an Avast/AVG issue. After all it works just fine with Outlook (the program) and also with Thunderbird. It’s only with eM client that it is not working.
but… the microsoft certificate store seems to be working well with Avg and Avast as does the Thunderbird certificate store.
I help my customers get emClient or Thunderbird or Outlook installed with the hope that they might purchase emClient if they like it. At the moment I can’t (won’t) even entertain installing it for them if they have AVG or Avast - it’s just not stable enough and I would end up with a ton of free rework. Previous to this it worked very well and I was getting a lot of customers purchasing emClient so it really is losing emClient money - I am certain of that.
TLS, which is the successor to SSL, is a transport layer.
oAuth is not a transport layer. It means to authenticate without sending a username/password and was introduced in 2006, years after TLS was introduced.
If you are the average “person” then you have to trust someone at some point and AVG/Avast are “fairly” well respected just like Kaspersky is Fairly well respected (but they had a scare a year or so back) and just like Microsoft and Google are fairly well respected (but the USA spooks will have backdoor’s for sure).