This CNET article bothered me somewhat. A company has announced a proxy network service which will "inspect" encrypted traffic for malicious content. The rationale is that because encrypted content (SSL traffic) usually passes uninspected through firewalls or other stateful inspection devices, it poses a great risk for an enterprise no matter how good the gateway firewall is. The company wants to plug this hole by creating a proxy which can decrypt the SSL traffic so that it can be scanned for malicious code and other threats.
Is this a good idea? Network admins would surely say ‘Yes, anything we can do to plug holes on our system is good!’ but I am somehow bothered that an organization can easily decrypt secured traffic and monitor it in real-time. Many of us rely on the little icon in the browser indicating that there is a secure connection to send private information over the web. Knowing that my traffic is being decrypted, inspected, and potentially stored (in unencrypted form) somewhere bothers me. Or, to take this a step further - what if attackers gain control over the proxy and are able to read SSL traffic as if it were plain text while the users believe that their traffic is encrypted and out of reach?
While I understand the reasons for this type of device, I think that there are many unanswered and bothersome questions.
According to a new proposal being considered by a suburb of New York City, any business or home office with an open wireless connection but no separate server to fend off Internet attacks would be violating the law.
Politicians in Westchester County are urging adoption of the law, which appears to be the first such legislation in the U.S., because without it, "somebody parked in the street or sitting in a neighboring building could hack into the network and steal your most confidential data," County Executive Andy Spano said in a statement.
Under the proposed law, "public Internet access" may not be provided without a network gateway server equipped with a firewall. In addition, any business or home office that stores personal information must also install such a firewall-outfitted server even if its wireless connection is encrypted and not open to the public. And the kicker - all such businesses must register with the county within 90 days.
Is this only pre-election legislative "buzz" or a county legislator gone mad? Mandatory registration of a home office network even if it is secured and not available to the public? Fines of $250 to $500? Is this a solution to the problem, or a solution looking for a problem?
While it is true that there are many unsecured wireless access points run by small offices or home users, this is nonetheless a weak excuse to create a draconian regulation such as this one. Two interests may play a role here. First, identity theft, while possible, does not often happen via unsecured wireless access points. Even though the wireless traffic may be unprotected, many e-commerce sites where the user submits credit card numbers and similar data are SSL-encrypted, so that data is very hard to obtain. Second, commercial broadband service providers may see the emergence of "neighborhood" wireless networks as a threat to their business. If a household can share the broadband bill with its neighbors by putting up a simple wireless access point, that is one less customer for the cable/DSL company.
Comment from the county:
"It was just introduced; it’s a draft. We’re hoping it’s enacted early next year, but this can change."