1. However, the Network Monitor sees the SSL handshake traffic (and thus content), doesn't it? ...which comes before the tunnel is set up and before the session data content (which it cannot see). And so a self-signed certificate would be content that it could alert on, wouldn't it?
I don't think the Network Monitor is going to be able to open up the SSL session and look at the certificate. The certificate is opened higher up the stack.
4. Finally, I don't think the BlueCoats are any help either. The SSLIntersect policy on the BlueCoat proxies filters on the URL, if I am not mistaken, not on the use of SSL (or on IP addresses). So whitelisting or blacklisting of websites for SSL by the BlueCoats is enforced based upon the URL, not the use of SSL. So what you are actually getting is a policy enforcement that is agnostic of whether the certificate is self-signed or public (like a VeriSign/Symantec one), or even a private/enterprise PKI SSL certificate.
Looks like you may be able to do something at the BlueCoat Proxy... check out
Deployment Guide: Deploying the SSL Proxy, Version 5.2.2 (page 5)
What the SSL Proxy Does
The SSL Proxy can be used to tunnel or intercept HTTPS traffic. The SSL Proxy tunnels all HTTPS traffic by default unless there is an exception, such as a certificate error or a policy denial. In such cases the SSL Proxy intercepts the SSL connection and sends an error page to the user. The SSL Proxy allows interception of HTTPS traffic even when there are no errors. Such interception enables the application of various security policies to HTTPS content.
Some HTTPS traffic, such as financial information, should not be intercepted. The SSL proxy can do the following operations while tunneling HTTPS traffic.
- Validate server certificates, including revocation checks using Certificate Revocation Lists (CRLs).
- Check various SSL parameters such as cipher and version.
- Log useful information about the HTTPS connection.
When the SSL Proxy is used to intercept HTTPS traffic, it can also:
- Cache HTTPS content.
- Apply HTTP-based authentication mechanisms.
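What point 1 asks about, and what the guide's "check various SSL parameters such as cipher and version" item amounts to when done passively, as an added example that is not from any of the posters or from Blue Coat: parse the plaintext TLS 1.2 ServerHello and Certificate messages out of a captured handshake record, read the negotiated version and cipher suite, and flag a leaf certificate whose issuer Name equals its subject Name. The handshake record and the DER certificate are constructed inside the block (a dummy body with no real key or signature); issuer == subject is only an indicator, since a root CA certificate looks the same, so a real monitor would follow it with chain validation, and under TLS 1.3 the Certificate message is encrypted, so this only works for TLS 1.2 and earlier.

```python
import struct

def tlv(tag, val):  # encode one DER TLV with a minimal-form length (below 65536)
    n = len(val)
    hdr = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + hdr + val

def der_children(buf):  # yield (tag, value) for each TLV inside a DER constructed value
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                      # long form: low 7 bits = number of length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def cert_issuer_subject(der):  # raw DER issuer and subject Names of an X.509 certificate
    cert_body = next(der_children(der))[1]                # Certificate SEQUENCE -> its contents
    tbs = next(der_children(cert_body))[1]                # first element: tbsCertificate
    f = [v for t, v in der_children(tbs) if t != 0xA0]    # skip the [0] EXPLICIT version field
    return f[2], f[4]                                     # serial, sigAlg, issuer, validity, subject, ...

def inspect_handshake(record):  # version, cipher suite and self-signed flag from one plaintext TLS record
    body, out = record[5:5 + struct.unpack(">H", record[3:5])[0]], {}
    while body:
        htype, hlen = body[0], int.from_bytes(body[1:4], "big")
        msg, body = body[4:4 + hlen], body[4 + hlen:]
        if htype == 2:                                    # ServerHello: version(2) random(32) sid_len(1) sid cipher(2)
            sid = msg[34]
            out["version"] = msg[:2].hex()
            out["cipher_suite"] = msg[35 + sid:37 + sid].hex()
        elif htype == 11:                                 # Certificate: list_len(3) cert_len(3) DER ...
            leaf = msg[6:6 + int.from_bytes(msg[3:6], "big")]
            issuer, subject = cert_issuer_subject(leaf)
            out["self_signed"] = issuer == subject        # same Name in both slots: not chained to any CA
    return out

def sample_record(self_signed=True):  # constructed input: ServerHello + Certificate with a dummy X.509 body
    cn = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, s))))  # Name: CN=s
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    fake_sig = tlv(0x03, bytes(17))                       # placeholder BIT STRING, not a real key or signature
    subject, issuer = cn(b"example.test"), cn(b"example.test" if self_signed else b"Example CA")
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + issuer + validity + subject + tlv(0x30, alg + fake_sig)
    cert = tlv(0x30, tlv(0x30, tbs) + alg + fake_sig)
    hs = lambda t, m: bytes([t]) + len(m).to_bytes(3, "big") + m
    hello = hs(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")  # TLS 1.2, empty sid, ECDHE-RSA-AES128-GCM-SHA256
    certs = hs(11, (len(cert) + 3).to_bytes(3, "big") + len(cert).to_bytes(3, "big") + cert)
    return b"\x16\x03\x03" + len(hello + certs).to_bytes(2, "big") + hello + certs
```

Feeding a real capture means reassembling the server's handshake records first; `inspect_handshake` expects one record carrying both messages, as the constructed sample does.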