3

I would like to block some websites from their HTTPS version and allow them on HTTP. The main websites involved are YouTube and Google Images/Videos. I am using K9 Web Protection on each computer, and it has a limitation on its ability to enforce SafeSearch on HTTPS sites.

For me, this is a very serious issue which spoils many great things about the SafeSearch features Google offers.

Is there any software/config that can do that?

P.S.: I'm not sure this is the right place to post this question in, maybe you could redirect me to some other SE platform?

schroeder
Ismael Lemhadri
  • I assume you are the network administrator? – schroeder Jun 27 '12 at 23:27
  • Well, yes I am, but I would need to implement that at the computer level (because it is too easy to bypass router filtering, at least when it comes to DNS). At the current time, I am using a filtering program called K9 Web Protection. I do not know a bit of programming but am really interested in implementing this. – Ismael Lemhadri Jun 27 '12 at 23:34
  • 1
    I don't have time to research this product fully so leaving this as a comment, but using ISAPI_Rewrite 2 [link](http://www.isapirewrite.com/) someone was able to rewrite cookies to force safe search on Bing, Google and YouTube. [link](http://www.helicontech.com/forum/15893-Youtube_Safe_Search_force_Cookie.html) – SomethingSmithe Jun 28 '12 at 10:20
  • 1
    Wouldn't you know if that method can work with YouTube SSL as well? Thanks! (In fact, the program I use, K9, does force SafeSearch on Bing, Google and YouTube, but is unable to do that on the secure versions of those platforms.) – Ismael Lemhadri Jun 28 '12 at 11:41
  • @momo1729 Using that software or a similar method it should be possible to append Google and Youtube in their SSL version. Looking at the comment at the bottom of the forum post I placed up it doesn't specify the protocol so should potentially apply it. I tried adding &safe=strict to a https://encrypted.google.com search result URL and it forced me into safe search mode. – SomethingSmithe Jun 28 '12 at 12:59
  • @SomethingSmithe This is an HTTP proxy, right? So it wouldn't work with HTTPS! – curiousguy Jun 28 '12 at 14:56

3 Answers

5

Google has your answer: http://support.google.com/websearch/bin/answer.py?hl=en&answer=186669

You can use Lock SafeSearch or use the NoSSLSearch option.

*Edit*

I think your best option after reading your comments is a proxy on the firewalls to re-direct the requests to HTTP. Squid can do this, but it might be more advanced than you want. Here is a tutorial to do what you want.

Tinyproxy is a simpler alternative, although I have never used it.

schroeder
  • 1
    Well, that's a good point for you! However, Google has still not implemented the noSSLSearch option on YouTube as well as on various international domains of the search engine (it works on google.com/fr and some others, but doesn't work on google.co.ma for example)... And just forget about the Lock SafeSearch feature, you can bypass it just by clearing the cookies... – Ismael Lemhadri Jun 27 '12 at 23:54
  • Maybe this can help you? http://serverfault.com/questions/402885/block-a-website-on-https-and-allow-it-on-http-to-enforce-safesearch – Ismael Lemhadri Jun 28 '12 at 11:35
  • 1
    Please do not cross post, and if you do, make sure you include the same information on both sites. – schroeder Jun 29 '12 at 15:39
4

If your filtering software is implemented as a (possibly transparent) HTTP proxy, then the only way you can filter HTTPS connections is to do Man-in-the-Middle SSL inspection. This is a somewhat tricky and intrusive technique, but some filtering proxies do support it. The way it basically works is this:

  1. Whenever the proxy intercepts an SSL handshake, it doesn't forward it to the target site but responds to it directly, using its own self-signed certificate that claims to be valid for the target site.

  2. Once the SSL connection is established between the proxy and the browser (which thinks it's talking to the target site), the proxy creates its own SSL connection to the target site.

  3. The proxy then receives the HTTP request over SSL from the browser, filters it and forwards it to the target site. It then does the same with the response from the target site to the browser.

Of course, since the certificate sent by the proxy to the browser in step 1 is not actually valid for the target site, and in particular hasn't been signed by a trusted CA, the browser would normally abort the connection and show the user a big alert about an untrusted certificate.

The trick, however, is that you, as the network administrator, need to add the proxy's signing certificate into the browser's list of trusted root certificates. That way, the browser will, in fact, trust the fake certificates returned by the proxy.

Of course, the user could remove the proxy's cert from the browser's trusted list, or just use their own browser that is not configured to trust the proxy. But this just means that they'll get a security alert and be unable to connect to HTTPS sites; it won't help them actually bypass the proxy.

All that said, I would seriously advise you to think carefully before using such tricks to undermine the SSL trust infrastructure, and to only do it if you feel that it's absolutely necessary. Even then, I'd recommend only applying it to a few specific sites that you want to filter, and to leave HTTPS connections to other sites alone. Your users might not care that you're snooping their Google searches — but they will not want you snooping their online banking, for example.


On the other hand, if your filtering software runs on the user's computer, e.g. as a browser extension, then it should have no trouble filtering HTTPS requests just as easily as plain HTTP; by inserting itself between the browser UI and the network backend, it can rewrite HTTPS requests before they are encrypted.

(This is, for example, how the HTTPS Everywhere plugin for Firefox works: it intercepts HTTP requests and rewrites them into HTTPS requests, sometimes modifying the URLs in other ways also. There's no reason why this wouldn't work just as well in the other direction too.)

However, there are two issues with this approach. The first is that different browsers have different extension APIs, and not all of them are equally convenient for such request rewriting. (For example, Chrome's extension API is apparently particularly badly suited for it, due to its asynchronous design.)

The second issue is simply that there's an easy way to get around a filter implemented like this: just install a browser that the filter doesn't support. Thus, such filtering won't be very effective unless coupled with other restrictions to prevent such workarounds.

Ilmari Karonen
  • I think the filtering is being forced on the client-side, not the proxy, in the OP's case. – schroeder Jun 29 '12 at 14:27
  • @schroeder: The fact that HTTPS bypasses the filter does strongly suggest that there's some kind of proxying involved, even if the proxy runs on the same computer as the browser. That said, I did just amend my answer to discuss browser-level filtering techniques too. – Ilmari Karonen Jun 29 '12 at 14:53
  • He's using K9, which is client-side, and has a limitation with its ability to enforce SafeSearch features on SSL sites. – schroeder Jun 29 '12 at 15:42
  • Well, then, I guess the short answer boils down to "get a better filter". I did document two ways in which such a filter may be implemented, and I'm pretty sure that web filters using those methods do exist on the market. The reasons I haven't tried to give any specific product recommendations are twofold: first, I'm not familiar enough with such software to recommend any particular product, nor interested in becoming that familiar with it; and second, I personally find such software at best a necessary evil, and at worst an _unnecessary_ one, and have no wish to publicly endorse any of it. – Ilmari Karonen Jun 29 '12 at 15:54
  • Thanks to all! Actually I think that K9 is by far the best filter; on the one hand, it uses a rating database which is that of Blue Coat's big corporate clients, so it's pretty well done (though sometimes you need to submit new websites for evaluation), and secondly, it's pretty difficult to bypass it with no administrator rights (that implies setting up some additional protections, I agree...). Most of the other filtering software available on the market doesn't combine these two features. – Ismael Lemhadri Jun 30 '12 at 12:45
  • @schroeder: Do you think the technique that uses Squid is easy to bypass on Windows without admin rights? Also, I think that right now, a good decision would be to contact the Google teams and ask them to implement the noSSLsearch script on all of Google's search domains, as well as on YouTube. Would you know a way of contacting them? I have tried asking on the Google Product Forums but only got supporting answers from other users and no official reply. Thanks – Ismael Lemhadri Jun 30 '12 at 13:01
  • @momo1729 Squid does not get installed on the clients but on the perimeter. You have a lot of reading to do about proxies and firewalls ... – schroeder Jun 30 '12 at 17:23
  • @schroeder: It is perfectly possible for a proxy to run on the same computer as the client, and indeed that's a common configuration for many filtering proxies. The main advantage over running, say, as a browser extension is that, by hooking into the OS TCP/IP networking layer, those proxies can filter all HTTP traffic to and from the computer, regardless of the browser used. The disadvantage, of course, is that the TCP/IP layer is too low for HTTPS interception and filtering, unless tricks like MITM inspection are used. – Ilmari Karonen Jun 30 '12 at 18:13
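
The request rewriting described in the answer above (a filter that sees the URL before it is encrypted), combined with the `safe=strict` parameter mentioned in the comments on the question, as an added example that is not part of the original answers or of any product named here. The function names and the host pattern are assumptions; a browser extension or local proxy would call `enforceSafeSearch` on each outgoing URL and redirect when the result differs.

```javascript
// Added example. Hypothetical helper names; only `safe=strict` comes from the page.
// Matches google.com, encrypted.google.com, google.fr, google.co.ma, google.com.br ...
// The pattern deliberately over-matches unknown TLD combinations: for a filter,
// rewriting one URL too many is the safe failure mode.
const GOOGLE_HOST = /^(?:[a-z0-9-]+\.)*google\.[a-z]{2,3}(?:\.[a-z]{2})?$/;

function isGoogleHost(hostname) {
  // Strip a trailing root dot so "www.google.com." cannot dodge the match.
  return GOOGLE_HOST.test(hostname.toLowerCase().replace(/\.$/, ""));
}

// Returns the URL the browser should load:
//   - the input unchanged if it is not a Google URL or is already strict,
//   - a rewritten URL with exactly one safe=strict parameter otherwise,
//   - null if the input cannot be parsed (caller should block the request).
function enforceSafeSearch(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return rawUrl;
  if (!isGoogleHost(url.hostname)) return rawUrl;

  // A user can append safe=off, or repeat the parameter so that a naive
  // "contains safe=strict" check passes. Require exactly one strict value.
  const values = url.searchParams.getAll("safe");
  if (values.length === 1 && values[0] === "strict") return rawUrl;

  url.searchParams.delete("safe");
  url.searchParams.append("safe", "strict");
  return url.toString();
}

// Constructed sample URLs, not taken from real traffic.
const samples = [
  "https://encrypted.google.com/search?q=cats",
  "https://www.google.co.ma/search?q=cats&safe=off",
  "https://www.google.com/search?safe=strict&q=cats&safe=off",
  "https://google.com.evil.example/search?q=cats",
];
for (const s of samples) console.log(s, "->", enforceSafeSearch(s));
```

Because the function returns its input unchanged once the URL is strict, a redirect based on it cannot loop. It does not depend on cookies, so clearing them has no effect, and it treats every Google country domain the same way.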
1

You can block HTTPS traffic using any simple firewall, but you can't force the site to work without HTTPS. Many sites, such as PayPal, etc., will simply not operate over an insecure network.

tylerl
  • tylerl is right, you can't stop the sites from working without https. You could try aobo filter, it can block sites by URL or keywords. – Moonlightshadow Jun 23 '14 at 08:56