[LINK] Filter to cause World Wide Wait
Stephen Wilson
swilson at lockstep.com.au
Thu Oct 30 15:12:56 AEDT 2008
There's an odd line about breaking open security that I don't understand
in this report ...
Bernard Robertson-Dunn wrote:
> Filter to cause World Wide Wait
> Jennifer Dudley-Nicholson
> October 30, 2008
> The Australian
> http://www.australianit.news.com.au/story/0,24897,24575125-15306,00.html
<snip>
> Electronic Frontiers Australia board member Colin Jacobs warned the web
> filter could also unwittingly make the internet unsafe for financial
> transactions by breaking the secure encryption used by banks online.
>
> Five of the six web filters tested by the Australian Media and
> Communications Authority this year were able to filter websites using
> the secure protocol HTTPS, which would leave financial details exposed
> to the internet service provider in charge of operating the filter.
>
> "If they sit in the middle and get between your web browser and the
> bank's server it really breaks open the security and leaves the details
> open to attack," he said.
But the filter cannot break into the HTTPS stream without knowing the
session key. That would require an extra arrangement for keys to be
relayed to the filter from the *server*. Yikes!? Not even the ISPs
would have these keys would they?
What the ACMA report actually says is that "five of the six products are
capable of filtering HTTPS traffic" which to me sounds like they were
reading from a product spec, rather than reporting an actual test
result. That is, the ACMA test didn't seem to actually run any filters
in a mode where they really filtered HTTPS content.
Does anyone know of a set-up where filters are getting HTTPS keys from
somewhere? Or is it just a cute theoretical capability in these
products' brochures, never actually put into practice?
Cheers,
Steve Wilson
Lockstep
www.lockstep.com.au.
More information about the Link
mailing list