[LINK] Filter to cause World Wide Wait

Scott Howard scott at doc.net.au
Thu Oct 30 15:47:03 EST 2008

On Wed, Oct 29, 2008 at 9:12 PM, Stephen Wilson <swilson at lockstep.com.au>wrote:

Does anyone know of a set-up where filters are getting HTTPS keys from
> somewhere?  Or is it just a cute theoretical capability in these
> products' brochures, never actually put into practice?

In the scope of ISP filtering it's someone reading the brochure - it's not a
feature which it would ever be possible to deploy in a situation like this.

In the corporate world it's a viable feature, and one used by many
companies.  The HTTPS session gets decrypted, and then re-encrypted using
the companies own SSL root certificate, which has been installed into the
clients browsers as a trusted certificate.  No errors are generated as the
session is signed by a certificate which is trusted by the client.  (Of
course that's a massive over-simplification, but hopefully you get the idea)

It's that "install the certificate on the client" part which falls down in
the ISP world (and a good thing too!)

Also, the motivation for doing this is generally different in the corporate
world - the reason for decrypting isn't to block porn (you can do that
almost equally as well without decrypting the traffic!), but to scan for
viruses/malware being transmitted over SSL.

(Yes, I do work for a company that makes products that do this).


More information about the Link mailing list