[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)
pgut001 at cs.auckland.ac.nz
Tue Dec 6 04:45:26 EST 2011
Earlier in the discussion there were questions about why a service provider
would want to MITM their customers. This has now been answered by a service
provider: It's to protect the chiiiiildren. From

  Three's policy with regards to filtering is intended to ensure that children
  are protected from inappropriate content when using the internet on their
  phones [...] This is not about intercepting customer communications but is
  about the safety of children who use our network.

Note that while they're using Bluecoat hardware to do it, there's no mention
of SSL MITM'ing.

Another interesting point in the post:

  In addition I asked Three why they were wasting money on Bluecoat's services
  when any webmaster worth his salt knows how to tailor the webpage provided
  based on the IP address of the PC making the request. They could produce a
  page full of innocent images for Bluecoat when they come calling, but save
  all the unsavoury material for the 'real' visitor.

This is already standard practice for malware-laden sites, to the extent that
it's severely affecting things like Google Safe Browsing and Facebook's link
scanner, because Google and Facebook always get to see benign content and only
the end user gets the malware.