
Comment Re:is anyone using it? (Score 1) 147

Hit the nail on the head with this one. This is the bit where the Cisco "better together" argument actually makes sense. It's also the part of the puzzle many of Cisco's biggest customers (ISPs, Fortune 500, Governments) really care about - Slashdotters may be able to keep their ten-node home networks clean easily but these guys really struggle to keep their 10,000 node networks clean.

It's not just Malware - it's Spam, Phishing, Spyware, Botnet C&C traffic - basically anything bad on the net. The amount of data Cisco has on this stuff as a result of telemetry from their routing and switching business and, more importantly, the previous Ironport, SourceFire, ThreatGrid and ScanSafe acquisitions is huge - arguably the richest set of security-related data in the business. Simply adding the WebRep domain-level blocks from Ironport's data to OpenDNS would improve the overall protection massively.

Of course, Cisco's ability to successfully integrate all of this stuff without falling over themselves is another story - one of the reasons why I left.

Comment Re:302 redirect (Score 1) 369

This is exactly how it is done on many commercial services (including the one I work for). It works pretty well apart from a few gotchas:

- Blocking of elements within a page (such as images hosted on 3rd party servers, JavaScript, AJAX calls). In this case, the end user doesn't get to see a block page because it's incredibly difficult to get the browser to display anything sensible. This is particularly true in the example of AJAX calls for 3rd party websites. For example, if the censor blocked a post on Facebook by altering the returned JavaScript they could put up a message, but then they're in a constant race to keep up with every subsequent change that Facebook make to how those messages are sent.

- Blocking HTTPS requests. Some browsers follow the redirect, some don't. This also seems to change from version to version.

- Blocking HTTP calls when the end client isn't a real Web browser.

- Blocking of files where the censor has already started to send the content. This is typically done for large files and streaming media. For example, if an ISO image is blocked for containing malware, the scan can't be done until well into the download. However, if a pure store-and-forward model is applied, the browser will have given up and timed out long before the censor has finished downloading and scanning.

A censorship code might help the first three cases in that the browsers could display (sort-of) sensible messages. I don't think anyone has a good answer for the last case.
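
The four gotchas in the comment above, sketched as the decision a filtering gateway makes once policy has blocked a request. This is an added example, not code from the comment or from any product; the `Request` type, `block_action`, the block-page URL and the use of 403 as the fallback are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

BLOCK_PAGE = "http://gateway.example/blocked"  # hypothetical block-page URL


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    bytes_sent: int = 0  # response bytes already relayed to the client


def block_action(req: Request) -> Tuple[str, Optional[int], dict]:
    """Return (action, status, headers) for a request the policy has blocked."""
    h = {k.lower(): v for k, v in req.headers.items()}

    # Content already streaming: the status line has gone out, so neither a
    # redirect nor an error page is possible. Only dropping the connection is.
    if req.bytes_sent > 0:
        return ("reset", None, {})

    # HTTPS via an explicit proxy arrives as CONNECT. Browsers differ on
    # following a redirect here, so refuse the tunnel (assumed choice).
    if req.method == "CONNECT":
        return ("respond", 403, {})

    # Sub-resources (images, scripts, AJAX) cannot render a block page.
    # Prefer Sec-Fetch-Dest when the browser sends it, else fall back to Accept.
    dest = h.get("sec-fetch-dest")
    is_document = (dest == "document") if dest else ("text/html" in h.get("accept", ""))

    # Clients that are not browsers will not display HTML either.
    is_browser = "mozilla" in h.get("user-agent", "").lower()

    if req.method == "GET" and is_browser and is_document:
        return ("respond", 302, {"Location": BLOCK_PAGE, "Cache-Control": "no-store"})
    return ("respond", 403, {"Content-Type": "text/plain"})


# Constructed sample requests, one per case in the comment.
BROWSER = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml"}
PAGE = Request("GET", "http://blocked.example/", dict(BROWSER, **{"Sec-Fetch-Dest": "document"}))
IMAGE = Request("GET", "http://blocked.example/a.png", dict(BROWSER, **{"Sec-Fetch-Dest": "image"}))
TUNNEL = Request("CONNECT", "blocked.example:443", BROWSER)
SCRIPTED = Request("GET", "http://blocked.example/", {"User-Agent": "curl/8.0", "Accept": "*/*"})
ISO_MIDWAY = Request("GET", "http://blocked.example/disk.iso", BROWSER, bytes_sent=50_000_000)
```

Only the first sample ends in a page the user can read; the last has no HTTP-level answer at all, which matches the comment's point about downloads that are already in progress.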
