Single internet gateway… Your thoughts?

[Konaboy1]

I left last October for a variety of reasons, all of which have been repeatedly posted here.

12 years and I am back in beautiful, sane Honolulu.

Good luck to all you Expats and the newbies with the shine in their eyes.

I have been going to Thailand since 1972. Even remember the Klong downtown. Since filled in.

Watched the Thais build an entire city in one generation. Remarkable!

Sky train-remarkable!

What I do not see discussed on this site is the coming inundation of it all. Sooner rather than later.

Korat should be planned for the next capital.

bye bye Bangkok and Pattaya.

All the Blah Blah here misses the big picture. Stop the crazy building and get ready for major floods!!

[SpaceKadet]

Here's how the government are doing it.

https://www.bluecoat.com/products/proxysg-secure-web-gateway

Since that's an SSL proxy, the browser will prompt you to add a trusted certificate when you connect. DO NOT ACCEPT! If you do, all your encrypted HTTPS traffic will be visible as plain http traffic to that proxy.

Can be bypassed by using a VPN.

That is totally false. Their new shiny appliance will come with a certificate signed by a verified CA that is already in the browser... nothing will be prompted.

Mind telling which CA?

In Firefox type "about:preferences#advanced" then click "View Certificates" and click on "Authorities" tab to view installed root CA (Certificate Authority). A valid certificate signed by any of these root CAs will be accepted by the browser as correct and will not be prompted.

You can read more on how it all works here: https://en.wikipedia.org/wiki/Root_certificate

Don't use IE so don't know how to display it there.

[SpaceKadet]

[DrTuner]

If the CA's included as standard in the browsers start issuing certificates valid to be used in man-in-the-middle attacks, that CA is going to be toast very soon. Bluecoat's own installation instructions also indicate a new CA has to be manually added to the trust store in the browser.

Even if they somehow do manage to get a proxy cert signed by, say Verisign, you can still see that the issuer of the SSL certificate being used in a connection is generated by the transparent proxy by clicking on the green lock and checking.

Here's a video showing how to setup one of those proxies, the CA cert installation prompts are visible: https://youtu.be/vFYmYw6t9EM

A VPN bypasses transparent proxies as long as it's not behind one itself. In order to force all traffic to go through a spying proxy, they would have to block all encrypted traffic. It would cause an exodus of companies needing to transfer confidential data over the net.

But since shooting yourself in the foot is a Thai national sport, who knows how far they are willing to go.