
Site Blocking: What the UK Government would prefer you not to see - iuguy
http://www.tjmcintyre.com/2011/08/site-blocking-what-uk-government-would.html
======
PaulAJ
Funny, they don't mention that Deep Packet Inspection can be prevented by
Secure Socket Layer encryption (i.e. https). Or am I missing something?

~~~
d0ne
That is because Deep Packet Inspection can not be prevented with SSL:

[http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-...](http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf)

~~~
calloc
"The Client DPI-SSL deployment scenario typically is used to inspect HTTPS
traffic when clients on the LAN browse content located on the WAN. In the
Client DPI-SSL scenario, the SonicWALL UTM appliance typically does not own
the certificates and private keys for the content it is inspecting. After the
appliance performs DPI-SSL inspection, it re-writes the certificate sent by
the remote server and signs this newly generated certificate with the
certificate specified in the Client DPI-SSL configuration. By default, this is
the SonicWALL certificate authority (CA) certificate, or a different
certificate can be specified. Users should be instructed to add the
certificate to their browser’s trusted list to avoid certificate trust
errors."

Or otherwise the SonicWALL DPI needs to sit in front of the resource being
protected and have the SSL private and public keys to do the full
encryption/decryption.

Either way, it is not transparent and can't just be deployed, especially if
the user is wary and won't just add a new CA to his browser.
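
The trust behaviour described in the quoted SonicWALL text, reproduced offline with `openssl` as an added example that is not part of the thread: a certificate re-signed by an inspection CA fails verification until that CA is added to the client's trust store. The names `origin-ca`, `inspect-ca` and `www.example.test` are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: origin-ca, inspect-ca and www.example.test are made-up names.
set -eu
d=$(mktemp -d)

# Minimal OpenSSL config so the CA certificates carry basicConstraints CA:TRUE.
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA, written to $d/NAME.pem and $d/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$1" \
    -days 1 -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

# issue CA OUT: fresh key and certificate for the same hostname, signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null
  openssl x509 -req -in "$d/$2.csr" -CA "$d/$1.pem" -CAkey "$d/$1.key" \
    -set_serial 1 -days 1 -out "$d/$2.pem" 2>/dev/null
}

# trusts STORE CERT: succeeds only if CERT chains to a CA in STORE
trusts() { openssl verify -CAfile "$d/$1" "$d/$2.pem" >/dev/null 2>&1; }

make_ca origin-ca            # CA that issued the real server certificate
make_ca inspect-ca           # CA configured on the inspecting appliance
issue origin-ca real         # what the remote server sends
issue inspect-ca rewritten   # what the client receives after re-signing

cp "$d/origin-ca.pem" "$d/stock.pem"                         # unmodified client
cat "$d/origin-ca.pem" "$d/inspect-ca.pem" > "$d/added.pem"  # user added the CA

for store in stock.pem added.pem; do
  for cert in real rewritten; do
    if trusts "$store" "$cert"; then r=trusted; else r="trust error"; fi
    echo "$store / $cert certificate: $r"
  done
done
```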

