1. Field of the Invention
This invention relates generally to the field of network transactions. More particularly, the invention relates to an apparatus and method for controlling access to encrypted network communication channels.
2. Description of the Related Art
A variety of techniques have been developed for filtering undesirable Internet content including simple techniques such as blacklisting undesirable Websites and more complex techniques such as performing a semantic analysis of Web page content. As illustrated in FIG. 1, a content filtering application 102 is typically configured between browser application 101 on a computer system 190 and Web servers 110-111 on the Internet 105. Content filtering data 103 specifies the manner in which the content filtering application 102 should block content from the Internet. The content filtering data 103 may include, for example, a blacklist of undesirable Websites. Requests from the browser application 101 directed to the blacklisted websites are then blocked by the content filtering application 102. In more complex implementations, the content filtering data 103 may specify certain words, word combinations, or other types of data signatures which the content filtering application 102 may use to perform a semantic analysis of requested Internet content. The content filtering application 102 will then block requests for content which fail the semantic analysis (e.g., blocking any requested content containing the words “sex”, “porn”, “XXX”, “Viagra”, or any specified combination thereof).
Current content filtering applications, however, are incapable of performing an analysis of encrypted Internet transactions where the data channel between the browser application 101 and Web servers 110-111 is encrypted. For example, because HTTPS (Hypertext Transport Protocol Secure) transactions use public/private keys to encrypt data, and these keys are not made available to the content filtering application 102, there is no way for the content filtering application to evaluate the Web pages being requested, or even the Website URL from which the Web pages are requested (because all of this information is encrypted between the browser application and the Web server). Consequently, current content filtering applications often block all HTTPS traffic rather than risking the receipt of undesirable content over an HTTPS communication channel.
More advanced content filtering applications may attempt to perform a “reverse DNS lookup” to determine the Website to which an HTTPS request is directed. Using reverse DNS, the content filtering application 102 requests the domain name associated with the particular IP address to which the HTTPS request is directed (the IP address is one piece of information which is not encrypted in an HTTPS connection). The problem with this technique is that a 1:1 mapping often does not exist between an IP address and a domain name. For example, a domain name often maps to a series of IP addresses. Conversely, a single IP address may be used for multiple different domain names. Consequently, reverse DNS lookups provide unpredictable results.
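The reverse-DNS filtering decision described above, together with the two failure modes it runs into (one IP shared by several names, one name spread over several IPs), as an added Python example that is not part of the patent; the zone data, hostnames and blacklist are constructed placeholders:

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample DNS data (placeholders, not real hosts): forward A records
# and reverse PTR records for a small imaginary set of sites.
FORWARD_A: Dict[str, List[str]] = {
    "bad.example": ["203.0.113.10", "203.0.113.11"],     # blacklisted site, two addresses
    "shop.example": ["203.0.113.20"],                    # benign site on shared hosting
    "casino.example": ["203.0.113.20"],                  # blacklisted site, same shared IP
    "news.example": ["198.51.100.5"],                    # benign site behind a CDN edge
}
REVERSE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["bad.example"],
    "203.0.113.11": ["vhost11.hosting.example"],         # PTR names the server, not the site
    "203.0.113.20": ["shop.example", "casino.example"],  # one IP, many names
    "198.51.100.5": ["edge5.cdn.example"],               # PTR names the CDN node
}
BLACKLIST: Set[str] = {"bad.example", "casino.example"}


def reverse_dns_verdict(dst_ip: str, ptr: Dict[str, List[str]],
                        blacklist: Set[str]) -> str:
    """Decide on an HTTPS connection from the destination IP alone.

    Returns "block", "allow" or "ambiguous". The URL and page content are
    encrypted, so the decision can only rest on the PTR records for the IP.
    """
    ipaddress.ip_address(dst_ip)          # reject malformed input early
    names = set(ptr.get(dst_ip, []))
    if not names:
        return "ambiguous"                # no PTR record: nothing to match against
    hits = names & blacklist
    if hits == names:
        return "block"                    # every name behind this IP is blacklisted
    if hits:
        return "ambiguous"                # blacklisted and benign names share the IP
    return "allow"                        # may be a miss if the PTR names the host, not the site


def forward_leakage(domain: str, fwd: Dict[str, List[str]],
                    ptr: Dict[str, List[str]], blacklist: Set[str]) -> Dict[str, str]:
    """For each address a domain resolves to, report what the IP-only filter would do.

    Shows the second failure mode: a blacklisted domain whose extra address
    carries a generic PTR record slips through as "allow".
    """
    return {ip: reverse_dns_verdict(ip, ptr, blacklist) for ip in fwd.get(domain, [])}
```

Running `forward_leakage("bad.example", ...)` shows the blacklisted site blocked on one address and allowed on the other, while the shared-hosting address comes back ambiguous for the benign site as well.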
Consequently, new techniques are needed for performing content filtering of encrypted Internet transactions.