[LINK] Filter to cause World Wide Wait
Marghanita da Cruz
marghanita at ramin.com.au
Thu Oct 30 16:43:12 AEDT 2008
Scott Howard wrote:
> On Wed, Oct 29, 2008 at 9:12 PM, Stephen Wilson <swilson at lockstep.com.au> wrote:
>
>> Does anyone know of a set-up where filters are getting HTTPS keys from
>> somewhere? Or is it just a cute theoretical capability in these
>> products' brochures, never actually put into practice?
>>
>
> In the scope of ISP filtering it's someone reading the brochure - it's not a
> feature which it would ever be possible to deploy in a situation like this.
>
> In the corporate world it's a viable feature, and one used by many
> companies. The HTTPS session gets decrypted, and then re-encrypted using
> the company's own SSL root certificate, which has been installed into the
> clients' browsers as a trusted certificate. No errors are generated as the
> session is signed by a certificate which is trusted by the client. (Of
> course that's a massive over-simplification, but hopefully you get the idea)
>
> It's that "install the certificate on the client" part which falls down in
> the ISP world (and a good thing too!)
>
> Also, the motivation for doing this is generally different in the corporate
> world - the reason for decrypting isn't to block porn (you can do that
> almost equally as well without decrypting the traffic!), but to scan for
> viruses/malware being transmitted over SSL.
>
> (Yes, I do work for a company that makes products that do this).
>
> Scott.
This raises the obvious question: if you can do all these wonderful things to
protect us from the evil uses of the Internet... why can't someone fix the real
Internet blight - SPAM and viruses?
Marghanita
--
Marghanita da Cruz
http://www.ramin.com.au
Phone: (+61)0414 869202
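
Added example (not part of the original message, and not code from any product mentioned in the thread): the trust-store dependence described in the quoted text, reproduced offline with the openssl command line. All names (Example Corp Root, Unrelated Root, www.example.test) and the helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed lab demo: every name below is made up. Nothing touches the network.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_root NAME FILEBASE: self-signed CA certificate and key.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# What the re-encrypting proxy presents to the client: a leaf certificate for
# the requested host name, signed by the company's own root.
mint_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/corp.pem" \
    -CAkey "$WORK/corp.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# verdict STORE: would a client whose trust store is STORE accept the leaf?
verdict() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
  then echo trusted; else echo untrusted; fi
}

# issuer_of: the field a user or monitoring script inspects to spot re-signing.
issuer_of() { openssl x509 -noout -issuer -in "$WORK/leaf.pem"; }

make_root "Example Corp Root" corp   # installed on managed corporate clients
make_root "Unrelated Root" other     # stands in for a client without that root
mint_leaf "www.example.test"

echo "managed client:   $(verdict "$WORK/corp.pem")"
echo "unmanaged client: $(verdict "$WORK/other.pem")"
issuer_of
```

The same leaf certificate is accepted only where the corporate root is already trusted, and its issuer field names that root rather than a public CA, which is what a client-side check can look for.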