[LINK] Filter to cause World Wide Wait

Marghanita da Cruz marghanita at ramin.com.au
Thu Oct 30 16:43:12 AEDT 2008


Scott Howard wrote:
> On Wed, Oct 29, 2008 at 9:12 PM, Stephen Wilson <swilson at lockstep.com.au>wrote:
> 
> Does anyone know of a set-up where filters are getting HTTPS keys from
>> somewhere?  Or is it just a cute theoretical capability in these
>> products' brochures, never actually put into practice?
>>
> 
> In the scope of ISP filtering it's someone reading the brochure - it's not a
> feature which it would ever be possible to deploy in a situation like this.
> 
> In the corporate world it's a viable feature, and one used by many
> companies.  The HTTPS session gets decrypted, and then re-encrypted using
> the companies own SSL root certificate, which has been installed into the
> clients browsers as a trusted certificate.  No errors are generated as the
> session is signed by a certificate which is trusted by the client.  (Of
> course that's a massive over-simplification, but hopefully you get the idea)
> 
> It's that "install the certificate on the client" part which falls down in
> the ISP world (and a good thing too!)
> 
> Also, the motivation for doing this is generally different in the corporate
> world - the reason for decrypting isn't to block porn (you can do that
> almost equally as well without decrypting the traffic!), but to scan for
> viruses/malware being transmitted over SSL.
> 
> (Yes, I do work for a company that makes products that do this).
> 
>   Scott.

This raises the obvious question if you can do all these wonderful things to 
protect us from the evil uses of the Internet...why can't someone fix the real 
Internet blight - SPAM and viruses.

Marghanita
-- 
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202




More information about the Link mailing list