You can't just _do_ MITM at scale, casually, like you're suggesting in your question. At least, not efficiently against well-implemented client-side crypto, without state-level resources.
Looking specifically at HTTPS, as your question implies, the prevailing and most straightforward method of censorship seems to be simply using DPI to check the SNI header of HTTPS requests and using host-based rules to censor as desired.
Outside of HTTPS, DNS censorship seems to be common where you control the network.
On 3 Jun 2020 16:06, Aled Morris <[email protected]> wrote:
Hi all,

Are we (the ISP community) still using the IWF URL blacklist?

I would have thought with all the web being HTTPS now, very few of the blacklist would be served from port 80 unencrypted so there's little opportunity to inspect the HTTP headers.

Or are we faking certificates and doing MITM "attacks" on the hosts of known bad URLs?

Be interested to know what the consensus is as the CEO seems to have just found out that there are bad things on the net, read about the IWF blacklist and is keen that "something must be done".

Aled
