"docs.nextcloud.com" certificate revoke error with Avast Antivirus

I face the following error on docs.nextcloud.com with the Avast Antivirus web secure module activated:

You attempted to reach docs.nextcloud.com, but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented absolutely should not be trusted. You may be communicating with an attacker.

nextcloud.com and help.nextcloud.com work fine. All browsers on the related system are effected.

Avast web secure module has some HTTPS scanning setting that switches the error.

I don’t know if this should be handled as nextcloud webpage error or as Avast Antivirus error, but at least there seems to be a difference in the docs subdomain that Avast blocks it while allowing the others. Maybe someone could have a look inside to prevent future support requests from Avast users :wink: . I can provide logs and stuff if it helps.

The test on ssllabs.com does not show any error with the certificate itself.
https://www.ssllabs.com/ssltest/analyze.html?d=docs.nextcloud.com
https://certificate.revocationcheck.com/docs.nextcloud.com

My browsers accept the certificate but the revocation stuff is a bit tricky. Unfortunately, anti-virus solutions have not the best reputation in handling ssl connections, latest news:
https://bugs.chromium.org/p/project-zero/issues/detail?id=978

However I found another problem with several HSTS-headers:

Thanks for the hints.

I just tested “help.nextcloud.com” which does not show the error on test. But it does indeed also give a hint about HSTS: https://www.ssllabs.com/ssltest/analyze.html?d=help.nextcloud.com

Strict Transport Security (HSTS)	Yes   TOO SHORT (less than 180 days) 
max-age=6912000

nextcloud.com at last does not show any error or hint on test: https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.com

So as the “invalid HSTS policy” error just show up on “docs.nextcloud.com” the chance is high that it is indeed the reason for Avast to block it, if it’s HTTPS scanning is enabled. I will test it as soon as there is some solution according to your github issue.

No progress here so far? I guess it’s not a big problem, but if people with avast or some similar web page checking/blocking feature can’t access the docs without further information on that, it might look unprofessional or something to them :stuck_out_tongue: .

@MorrisJobke for Infrastructure :grin:

I fixed it.

2 Likes

BTW, regarding your avast problem, see http://www.securityweek.com/antivirus-software-has-negative-impact-https-security-researcher or for the source https://zakird.com/papers/https_interception.pdf

Might look unprofessional to still use something like that ;D

HAH!, actually the SSL warning and website block is NOT solved, even that ssllabs does not show an HSTS issue anymore. I already tried to clean cookies and cache.

@BernhardPosselt do not understand me wrong, I do not call nextcloud unprofessional nor the docs website insecure ;). I just say how things could look like, if some random user want’s to get some information on the well linked docs pages and finds no access and warnings instead, because of some stupid antivirus feature. As if you say/the links show, it does not even enhance security but decreases it, the antivirus publishers should be blamed and called unprofessional for that :stuck_out_tongue:. But as an average user you will most likely not find this connection. The feature is quite hidden in the settings of the web security component.
But yeah, I will drop avast, already the annoying attempt to install several other software together with it looks absolutely unprofessional to me… I just switched from Avira, because I though that some mouse click problem was connected with it, but in the end it’s just a broken micro switch :frowning:. Avira also comes with this (for me) totally useless Launcher that is now nearly not removable anymore… Arrr does someone has a good solution for JUST antivirus in one single slim program without ads, launchers and ssl checking? :smile:

Read http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html :wink:

When your product crashes on startup due to AV interference, users blame your product, not AV. Worse still, if they make your product incredibly slow and bloated, users just think that’s how your product is.

That hits the nail :smiley:.

But on the recommendation of disabling 3rd party av and enable microsoft defender:
According to https://www.av-test.org/de/antivirus/privat-windows/windows-10/ and https://www.av-comparatives.org/ the microsoft av is way behind most 3rd party av products in security and also in performance. And there has been no change in this for several years.
For several years I also do not remember any av alarm on my system besides false ones here and there. This is the reason why I in between had no av (also disabled microsoft SE/defender). No I am just thinking: As long as it is not disturbing too much, it is worth to have it, even if it will never find some real virus. Even if it just happens ones a lifetime, the damage to have a total system loss/data loss/system hijack or whatever is just too high to drop av just because once a year you have some minor issue like this one with docs.nextcloud.com.
And IF it is worth to use any av solution, then it’s definitely NOT microsoft, then better just use nothing :stuck_out_tongue:.

In the end maybe I will just switch the linux… But there is several software I need, that still does not exist for it.

Fixed by either changes on docs.nextcloud.com or avast update.