HTTPS redirects to HTTP for monitoring
John Levine
johnl at iecc.com
Mon Jan 19 21:56:04 UTC 2015
>We use Fortinet firewalls and SSL (HTTPS, FTPS, IMAPS, POP3S, SMTPS,
>SSH) inspection is a standard feature. It works by rolling out a custom
>CA certificate from the device to all of the desktops and whenever you
>hit an SSL site, a cert signed with the CA is generated and presented to
>the user. If you look at the cert your browser has, you can tell the CA
>is different but most users aren't looking at that.

By the way, I hope that all of the people who have been ranting about
this have read this note. The only way this filtering works is if the
client computers have a special CA cert installed into their browsers.
That means it's a private organizational network that manages all its
client computers, or it's a service where the users specifically do
something on their own computers to enable it.

It may not be a very good idea, but it's definitely not evil people
secretly spying on traffic of innocent victims.

R's,
John
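
The dependency described in this message, as an added example that is not part of the original post: a certificate issued by an inspection CA verifies only on a client whose trust bundle contains that CA, and its issuer field shows which CA signed it. Assumptions: the openssl CLI is available; all CA names, the site name and the helper function names are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate is generated locally.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {         # $1 = leaf prefix, $2 = signing CA prefix, $3 = site CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

client_accepts() {     # $1 = trust bundle file, $2 = leaf prefix
  # Only the given bundle is trusted; the system CA directory is ignored.
  openssl verify -no-CApath -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
}

issuer_of() {          # $1 = leaf prefix; prints the certificate's issuer DN
  openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253
}

# A root the client already trusts, and the organization's inspection CA.
make_ca public  "Constructed Public Root"
make_ca inspect "Constructed Inspection CA"
# The certificate a client behind the inspecting device is presented with.
issue_leaf seen inspect "www.example.test"

# Unmanaged client: public root only. Managed client: inspection CA added.
cp "$WORK/public.crt" "$WORK/unmanaged.pem"
cat "$WORK/public.crt" "$WORK/inspect.crt" > "$WORK/managed.pem"

for bundle in unmanaged managed; do
  if client_accepts "$WORK/$bundle.pem" seen; then
    echo "$bundle client: accepted, $(issuer_of seen)"
  else
    echo "$bundle client: rejected (issuer not in trust store)"
  fi
done
```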