[LINK] Filter to cause World Wide Wait

Stephen Wilson swilson at lockstep.com.au
Thu Oct 30 15:12:56 AEDT 2008


There's an odd line about breaking open security that I don't understand 
in this report ...

Bernard Robertson-Dunn wrote:
> Filter to cause World Wide Wait
> Jennifer Dudley-Nicholson
> October 30, 2008
> The Australian
> http://www.australianit.news.com.au/story/0,24897,24575125-15306,00.html

<snip>

> Electronic Frontiers Australia board member Colin Jacobs warned the web 
> filter could also unwittingly make the internet unsafe for financial 
> transactions by breaking the secure encryption used by banks online.
> 
> Five of the six web filters tested by the Australian Media and 
> Communications Authority this year were able to filter websites using 
> the secure protocol HTTPS, which would leave financial details exposed 
> to the internet service provider in charge of operating the filter.
> 
> "If they sit in the middle and get between your web browser and the 
> bank's server it really breaks open the security and leaves the details 
> open to attack," he said.

But the filter cannot break into the HTTPS stream without knowing the 
session key.  That would require an extra arrangement for keys to be 
relayed to the filter from the *server*.  Yikes!?  Not even the ISPs 
would have these keys, would they?

What the ACMA report actually says is that "five of the six products are 
capable of filtering HTTPS traffic" which to me sounds like they were 
reading from a product spec, rather than reporting an actual test 
result.  That is, the ACMA test didn't seem to actually run any filters 
in a mode where they really filtered HTTPS content.

Does anyone know of a set-up where filters are getting HTTPS keys from 
somewhere?  Or is it just a cute theoretical capability in these 
products' brochures, never actually put into practice?

Cheers,

Steve Wilson

Lockstep
www.lockstep.com.au.








