Wednesday, September 29, 2021

Agentless, certificate-less, transparent SSL content filtering?!

Back in 2014 I used to manage a bespoke SSL Inspection content filter, which we provided as a service to thousands of schools in the UK. The only catch? A root CA had to be deployed by the schools' IT staff in advance. It was your bog-standard MITM as a service :)

For years, at subsequent jobs, I've touted to many a director that filtering the content on an SSL-protected website is not possible without a CA. Every time it would just revert to me saying the same thing: "I can stop them from going to pornhub, but not searching Google images for 'Boobs', not unless we roll out a certificate". With the surge in BYOD, getting people to install this certificate, or agent, or whatever, is becoming harder and harder, and guest WiFi is a whole different beast. The compromise has always been DNS filtering, or forcing safesearch, etc.

However, all this to say, I was having this exact same conversation with a colleague today - and he disagreed with me, having even claimed to have seen a product offering agentless, certificate-less SSL content inspection.

He didn't recall what the product was, or where he'd seen it, and I can't find anything online (outside of some fringe DPI-based stuff).

This violates my very understanding of how SSL works, and if true, surely the entire planet is screwed as suddenly you can just use this tech to catch people's bank pins in transmission?!

I'm not crazy, right? Or is there some magical tech that appeared without me noticing?


