[noir-york]

Er... yes. That's how nearly all web security products work. The only way for them to monitor (and filter) HTTPs content is the MITM + fake cert. This is done everywhere: from that websense or bluecoat proxy appliance at the office, to the boxes by someone like a Sandvine doing DPI on telco core networks.

Of course, this is unacceptable - but there are very few alternatives. For the record, we - rawstream - don't do this as its crazy to compromise security like this. So we had to find other means.

[justinschuh]

> Of course, this is unacceptable - but there are very few alternatives. For the record, we - rawstream - don't do this as its crazy to compromise security like this. So we had to find other means.

So, then you're using extensions, BHOs, API hooking, or some combination thereof depending on platform?

[noir-york]

Yes - any method that allows us access to HTTPs page content without compromising security.

Setting up MITM + certs is a PITA for most admins so we've tried (and I believe succeeded) in making deployment faster/simpler.

[noir-york]

I see that you work on Chrome security - you guys do great work! You have to; one helluva of an attack surface + billion deployments.