[cryptography] really sub-CAs for MitM deep packet inspectors? (Re: Auditable CAs)

Adam Back adam at cypherspace.org
Tue Dec 6 06:34:37 EST 2011

Someone should re-test that Three 3g data + bluecoat
content-filtering-as-a-service with SSL and give us the cert if the answer
is "interesting".

Most of the parental control and site blocking things are trivially
breakable.  For example my router can block domains ..  but its mechanism is
idiotic - it blocks based on the Host: header of HTTP so just going to the
SSL site completely bypasses its block.  My kid figured that out in 5mins
flat (facebook competing with homework for attention :)

Kids figure this stuff out getting through site restrictions on school wifi
also.  Some schools try to block popular web games.. eg runescape.


On Tue, Dec 06, 2011 at 10:45:26PM +1300, Peter Gutmann wrote:
> Note that while they're [three.co.uk 3g data] using Bluecoat hardware to do
> it, there's no mention of SSL MITM'ing.

