The approaches described in this section could be pursued but are not necessarily approaches that have previously been conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Many service providers and corporates have policies to govern use of digital computers and data networks, particularly policies governing data security. It is not uncommon for these entities to inspect data communications used by a client device or a server device within their data networks. Recent security network technologies and products can even allow businesses to inspect data communication sessions that are encrypted. For example, an employee can be browsing a secure website using a Secure Sockets Layer (SSL) session using his or her office computer. The employer can install a SSL intercept network appliance capable of intercepting the SSL session between the employee office computer and the secure website. The SSL intercept network appliance can provide a security session gateway between the secure website and the office computer. When the security network appliance receives a security certificate from the secure website, the security network appliance can generate a corporate issued certificate for the office computer such that the security network appliance is able to conduct a secure communication session with the office computer using the corporate issued certificate while the security network appliance conducts a separate secure communication session with the secure website using the website's security certificate. The security network appliance can use the two secure sessions to relay secure content exchanged between the office computer and the secure website, with the secure content being decrypted and inspected by the security network appliance in order to apply appropriate policies of the business entity. In the above scenario, the security network appliance is able to apply the necessary policies on behalf of the business entity.
It is, however, not uncommon for a user of a client device to access a secure website using an untrusted security certificate (not issued by a public trusted certificate authority (CA)) or issued privately by the secure website. In this scenario, the client device can ask the user interactively if the user wishes to continue with the secure session. The user may choose to proceed. Alternatively, the user may become suspicious of the website and choose not to proceed. Unfortunately, not all users are able determine whether a particular website is suspicious, thereby making the office computer and corporate data network vulnerable to malicious activities involving untrusted security certificates. Accordingly, existing technologies may not adequately protect corporate data and computer environment.