nanog mailing list archives

Re: HTTPS redirects to HTTP for monitoring


From: "John Levine" <johnl () iecc com>
Date: 19 Jan 2015 21:56:04 -0000

> We use Fortinet firewalls and SSL (HTTPS, FTPS, IMAPS, POP3S, SMTPS,
> SSH) inspection is a standard feature.  It works by rolling out a custom
> CA certificate from the device to all of the desktops and whenever you
> hit an SSL site, a cert signed with the CA is generated and presented to
> the user. If you look at the cert your browser has, you can tell the CA
> is different but most users aren't looking at that.

By the way, I hope that all of the people who have been ranting about
this have read this note.  The only way this filtering works is if the
client computers have a special CA cert installed into their browsers.
That means it's a private organizational network that manages all its
client computers, or it's a service where the users specifically do
something on their own computers to enable it.

It may not be a very good idea, but it's definitely not evil people
secretly spying on traffic of innocent victims.

R's,
John

