To quote Richard Clayton's technical article on how Phorm works;
"14. The Layer 7 switch will see that the request does not contain a Phorm “cookie” and will direct the request to a machine located within the ISP network that will pretend to be www.cnn.com and will return a “307” response which says, in effect, “you want that page over there”. The page that will be directed to is webwise.net/bind/?<parameters> where the parameters record the original URL that was wanted."
I seem to remember someone over on The Reg commenting that Apple's Safari browser doesn't accept these 307-redirects, and I think I remember reading somewhere in Phorm's own guff that if your browser isn't one of the "94% of browsers in use on the web" then the intercept proceeds no further.
Presumably this is determined by inspecting your browser id string, so wouldn't it be possible to bypass the vast majority of the interception process by either using Safari or spoofing your own browser string? (I know, an interception has still taken place - that of your browser id string - but is it abandoned before any DPI takes place on your traffic content?)
Apologies if this is going over old ground.