[LINK] Filter to cause World Wide Wait
scott at doc.net.au
Thu Oct 30 15:47:03 EST 2008
On Wed, Oct 29, 2008 at 9:12 PM, Stephen Wilson <swilson at lockstep.com.au> wrote:

> Does anyone know of a set-up where filters are getting HTTPS keys from
> somewhere? Or is it just a cute theoretical capability in these
> products' brochures, never actually put into practice?

In the scope of ISP filtering it's someone reading the brochure - it's not a
feature which it would ever be possible to deploy in a situation like this.

In the corporate world it's a viable feature, and one used by many
companies. The HTTPS session gets decrypted, and then re-encrypted using
the company's own SSL root certificate, which has been installed into the
clients' browsers as a trusted certificate. No errors are generated as the
session is signed by a certificate which is trusted by the client. (Of
course that's a massive over-simplification, but hopefully you get the idea.)

It's that "install the certificate on the client" part which falls down in
the ISP world (and a good thing too!)

Also, the motivation for doing this is generally different in the corporate
world - the reason for decrypting isn't to block porn (you can do that
almost equally as well without decrypting the traffic!), but to scan for
viruses/malware being transmitted over SSL.

(Yes, I do work for a company that makes products that do this).
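
Added example, not part of the original post: a local OpenSSL run showing why the re-signed certificate verifies silently only where the company root has been installed, and how the issuer field reveals the re-signing. It assumes the `openssl` CLI is available; every CA name, host name and file name is constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is made up.

# Create a self-signed root. $1 = file prefix, $2 = subject CN.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a leaf for host $3 signed by root $1, written to $2.pem,
# standing in for the certificate a decrypting proxy re-signs.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -set_serial 1 -days 1 -out "$2.pem" 2>/dev/null
}

# Succeeds only if leaf $2 chains to a root in trust store $1.
leaf_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the issuer a client can inspect to spot a re-signed session.
leaf_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

DEMO=$(mktemp -d)
make_root "$DEMO/public" "Constructed Public CA"
make_root "$DEMO/corp" "Example Corp Proxy Root"
issue_leaf "$DEMO/corp" "$DEMO/leaf" "www.example.com"

# ISP customer: stock trust store only. Managed corporate client: the
# company root has been installed alongside the public roots.
cp "$DEMO/public.pem" "$DEMO/isp_store.pem"
cat "$DEMO/public.pem" "$DEMO/corp.pem" > "$DEMO/corp_store.pem"

for store in isp_store corp_store; do
    if leaf_trusted "$DEMO/$store.pem" "$DEMO/leaf.pem"; then
        echo "$store: re-signed certificate accepted, no warning"
    else
        echo "$store: verification fails, browser would warn"
    fi
done
leaf_issuer "$DEMO/leaf.pem"
```

On a managed machine, an issuer that names the organisation's own root rather than a public CA is the visible sign that the session is being decrypted and re-signed.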