On 5/11/10 11:29 PM, Les Mikesell wrote:
> On 11/5/10 4:27 AM, Ben McGinnes wrote:
>>
>> I believe this is one of the methods that was looked at to enable
>> ISPs to filter/censor/log SSL connections should the government
>> policies become legislation here. Except for all outbound
>> connections. The rest of us call it a MitM (when used for outbound
>> or between third parties, not in your example).
>
> So if you really want privacy you need to run another layer of
> encryption end to end with an uncommon cipher?

In this kind of scenario, yes.

The SSL/TLS filters aren't uncommon. Ironport have products that will do it, but they're usually sold to corporations that want to monitor *all* connections from their network. The difference here is that the government were looking at instituting something similar nationally. Though it was mentioned in a testing report from 2008, this part appeared to be silently dropped by the time of the live pilot in 2009.

I'd have to take another look at the 2008 report, but I'm pretty sure that none of the software tested in 2007-2008 could filter SSH or VPNs. They could be blocked, though, depending on how much effort was expended.

Regards,
Ben