Some ad-removing proxies (basically the exact opposite of Superfish?) and antivirus need to do MITM on SSL as otherwise they would be completely ineffective against ads or malware served via SSL.
> otherwise they would be completely ineffective against ads or malware served via SSL.
That's certainly false. HTTPS does not encode the routing headers, so it's still possible to block all traffic foreign to the host (or coming from a list of suspected malware/ad domains) without decoding the packets.
a) You block POST and GET requests that go to external domains which are either blacklisted or non-whitelisted.
b) Services hosted on AWS still have specific IPs or IP ranges tied to domain names, so even if doubleclick is hosted on AWS there should be no problem ban-listing it.
example:
HTTPSwitchboard works quite well with some tuning without any MiTM proxying - as a matter of fact, I'm not sure what you would even gain from MiTM proxying, if an authenticated host wants to serve you malicious content they don't need to cross-domain reference, and you won't be able to distinguish it from non-malicious content.
Proxying and decoding content at some point prior to final destination may be useful in certain very specific cases, but generally it's unnecessary and leads to more dangerous failure modes. So far I haven't seen a typical use-case for it explained, which cannot be achieved with other methods.
> if an authenticated host wants to serve you malicious content they don't need to cross-domain reference, and you won't be able to distinguish it from non-malicious content.
The point is that the MITM proxy can scan the traffic for malicious content and block it before e.g. it reaches a browser. HTTPSwitchboard works only in the browser, but that might be too late if it's a browser exploit on a new domain... or a browser that you cannot modify easily, like the embedded ones in various "smart" devices.
> The point is that the MITM proxy can scan the traffic for malicious content and block it before e.g. it reaches a browser.
The difficulty is identifying the malicious traffic in an automated way; your own machine can scan it too, but most likely your browser is already patched for known vulnerabilities (maybe if someone is still running old IE versions in your office this could be beneficial).
Secondly, you don't need to proxy to scan malicious sites. If you have a dedicated machine (or third-party service) that sees an outgoing request and the address is not in its safe-list, it tests that request by duplicating it (you can have a netfilter hook in your firewall blocking packets from 'non-safe' sites or delaying for validation from the dedicated device/service). This doesn't require a MiTM proxy in the SSL connection.
The SSL connection MiTM, as far as I understand, is only necessary if you want to check for malicious data being injected into an authenticated, non-publicly accessible site or form. Having one dedicated device which is re-routing office traffic through its own SSL cert means that if that single device is compromised, so is the entire network.
Is it true that an antivirus program like Microsoft Security Essentials installs a cert into the system cert store in order to MITM all network traffic?