[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Dec 6 04:45:26 EST 2011


Earlier in the discussion there were questions about why a service provider
would want to MITM their customers.  This has now been answered by a service
provider: It's to protect the chiiiiildren.  From
http://patrick.seurre.com/?p=42

  Three's policy with regards to filtering is intended to ensure that children
  are protected from inappropriate content when using the internet on their
  phones [...] This is not about intercepting customer communications but is
  about the safety of children who use our network.

Note that while they're using Bluecoat hardware to do it, there's no mention
of SSL MITM'ing.

Another interesting point in the post:

  In addition I asked Three why they were wasting money on Bluecoat's services
  when any webmaster worth his salt knows how to tailor the webpage provided
  based on the IP address of the PC making the request. They could produce a
  page full of innocent images for Bluecoat when they come calling, but save
  all the unsavoury material for the .real. visitor.

This is already standard practice for malware-laden sites, to the extent that
it's severely affecting things like Google Safe Browsing and Facebook's link
scanner, because Google and Facebook always get to see benign content and only
the end user gets the malware.

Peter.



More information about the cryptography mailing list