Self-published certificates can _not_ stop DPI
Posted Aug 28, 2008 2:49 UTC (Thu) by darwish07
Parent article: Firefox 3 SSL certificate warnings
There are other reasons to encrypt traffic, though, including evading deep packet inspection (DPI), where the risks of accepting a bogus certificate are relatively low. One might get ads injected into their web browser inappropriately: annoying, but hardly fatal.
Deep Packet Inspection/Modification can be done easily on a self-published-certificate website's traffic by making the router in the middle act as an HTTPS proxy, where that proxy makes the SSL connection between itself and the far-away server (the website server) and then maintains a socket pipe (using select()) between the browser, itself and the real destination server.
This of course needs routing the traffic not by destination, as normal IP implementations do, but by content, using new routing table entries in a format like 'tcp port http and https go to localhost proxy port 8000' in the compromised or government-monitored gateway. And yes, I've personally seen it done using the Linux networking stack.
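The interception described above works because the browser accepts whatever certificate the in-path proxy presents. As an added example (not code from the comment or from LWN), a Python client that pins the SHA-256 fingerprint of the server's own certificate refuses the substitute; the certificate byte strings are constructed stand-ins, and `fetch_peer_cert` is a hypothetical helper for live use.

```python
"""Detect a TLS-interposing proxy by pinning the expected certificate."""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert: bytes, pinned: set) -> bool:
    """True only if the presented certificate matches a pinned fingerprint."""
    return fingerprint(der_cert) in pinned


def connection_is_intercepted(der_cert: bytes, pinned: set) -> bool:
    """Decision helper: an unmatched pin means something else terminated TLS."""
    return not check_pin(der_cert, pinned)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Hypothetical live helper: return the DER certificate the peer presents.

    Chain validation is disabled on purpose: a self-signed certificate has
    no CA to validate against, so the fingerprint pin is the only check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins (not real certificates): the server's own cert, and
# the one an interposing proxy would hand the browser in its place.
REAL_SERVER_CERT = b"constructed-der-bytes: real self-signed server cert"
PROXY_SUBSTITUTE_CERT = b"constructed-der-bytes: proxy-minted substitute cert"
PINNED = {fingerprint(REAL_SERVER_CERT)}

if __name__ == "__main__":
    print("real cert accepted:", check_pin(REAL_SERVER_CERT, PINNED))
    print("proxy cert flagged:", connection_is_intercepted(PROXY_SUBSTITUTE_CERT, PINNED))
```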