8

The URL filtering can block HTTP traffic but not HTTPS traffic in Internet Explorer. For example, the website http://www.facebook.com is blocked by the URL filtering, while https://www.facebook.com cannot be blocked. You also cannot block HTTPS traffic during InPrivate browsing in Internet Explorer.

Is there any solution for blocking HTTPS traffic using URL filtering?

shibinlal
  • 1
    Sounds like a typical Microsoft "feature". First advice: don't use Internet Explorer. Advice to Microsoft: call this feature "anti SSL jammer". – Bob Ortiz Jul 22 '16 at 12:29

6 Answers

21

From the outside of SSL, you can only see the server name (client sends it as part of the Server Name Indication extension in the early stages of the SSL handshake; and it also appears in the certificate sent by the server); this may be sufficient to filter out some "URL". E.g. in your example, you can see that the connection is SSL and for www.facebook.com; if you want to block the whole of Facebook, this is sufficient information; the actual URL is not needed.

If you want something more fine-grained, then you need to read the URL itself, which is protected by SSL. For that, you have to break SSL in some way. There are tools which run a Man-in-the-Middle attack on SSL (they rely on the installation of a rogue, filter-controlled root CA in the client system). A well-known commercial tool for that is Blue Coat's ProxySG. There are also open source solutions. In any case, these systems require some sort of privileged access to the client system (extra root CA installation); computer-savvy users will know about it. It can also be said that such tools "break user expectations of privacy" and, while they technically work, they may also trigger a toxic climate of defiance in a workplace. Use with care.

Tom Leek
3

I'm aware of some products on the market which are able to do this or similar.

Approaches they use are:

  • For URL matching, it is necessary to be the man in the middle. Some firewalls and intrusion prevention systems support this for administrative (control) purposes. In this case they are able to filter traffic just like usual HTTP (with a significant performance penalty).
  • If you want to just match the site instead of matching the exact URL, it is possible to use the certificate within the SSL/TLS connection establishment for filtering purposes. This will effectively allow filtering of, e.g., the entire Facebook site.
user4982
  • Incidentally, deliberately introducing a MitM into an SSL connection for firewall purposes kind of makes the whole thing sort of meaningless. – Shadur Jan 04 '14 at 16:49
  • 2
    @Shadur: Not really. It just means you need to trust the administrator of the firewall (i.e. security policy). Because in many organizations those same people (IT department) are responsible for the security of the local network, they could do all kinds of nasty things. In fact, in many organizations the same people are also responsible for the OS of your desktop system (i.e. they install+admin it). But if a large organization does it for [all their customers](http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/) without clearly disclosing it, that is evil. – user4982 Jan 04 '14 at 17:57
  • Yeah, I work for an ISP and the argument over this (which I won, incidentally) got kind of loud for a while... – Shadur Jan 04 '14 at 18:08
2

Usually normal content filtering will block HTTP, but not HTTPS. There are some other things that can be done to block given HTTPS sites:

  1. You can create a firewall rule for HTTPS to the given site's IP address(es).
  2. Add an FQDN DNS record in the firewall that points *.facebook.com to 0.0.0.0.

  • 1
    Certainly running a dns server to mis-represent address records is an effective solution, but this need not be on the firewall - adding an entry in the proxy's host file may suffice. But this will result in ugly errors at the client as the redirected request will not be replied to with a facebook certificate. – symcbean Apr 09 '17 at 21:00
  • You can also purchase a professional product such as dnsfilter.com. It is worth considering opendns such as https://www.opendns.com/home-internet-security/ – JohnP2 Jul 11 '18 at 11:10
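The DNS-sinkhole step in the answer above (a record that sends *.facebook.com to 0.0.0.0), worked through as an added example that is not part of the original answer or comments. It shows only the decision and the DNS wire-format handling: the function returns a sinkhole response for blocked names and `None` for everything else, which a real resolver would then forward upstream. It also answers AAAA queries with `::`, because a sinkhole that only handles A records is bypassed by any IPv6-capable client. The blocklist and the sample queries are constructed for the example.

```python
"""Minimal DNS sinkhole logic: answer A/AAAA queries for blocked names with an
unroutable address (0.0.0.0 / ::), as in the 'point *.facebook.com to 0.0.0.0' step.

Added example, not from the original answer. The blocklist is a constructed assumption.
"""
import struct

BLOCKED_SUFFIXES = ("facebook.com",)                     # constructed assumption
QTYPE_A, QTYPE_AAAA = 1, 28
SINKHOLE = {QTYPE_A: bytes(4), QTYPE_AAAA: bytes(16)}   # 0.0.0.0 and ::


def is_blocked(name: str) -> bool:
    """Match the apex and every subdomain (the '*.facebook.com' wildcard in the answer)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)


def parse_question(msg: bytes):
    """Return (name, qtype, qclass, offset_after_question) for the first question."""
    labels, off = [], 12                                  # question starts after the 12-byte header
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return ".".join(labels), qtype, qclass, off + 4


def sinkhole_response(query: bytes):
    """Return a response pointing the client at 0.0.0.0 / :: if the name is blocked,
    or None when the query should be forwarded upstream unchanged."""
    qid, flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount != 1:
        return None
    name, qtype, qclass, qend = parse_question(query)
    if qclass != 1 or qtype not in SINKHOLE or not is_blocked(name):
        return None
    rdata = SINKHOLE[qtype]
    # Header flags: QR=1, opcode and RD copied from the query, RA=1; 1 question, 1 answer.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080
    header = struct.pack("!HHHHHH", qid, rflags, 1, 1, 0, 0)
    # Answer RR: name as a pointer to offset 12, type, class IN, TTL 60 s, rdlength, rdata.
    answer = struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rdata)) + rdata
    return header + query[12:qend] + answer


def answer_rdata(response: bytes) -> bytes:
    """Pull the rdata out of the single answer RR (used to check the result)."""
    _, _, _, qend = parse_question(response)
    rdlen = struct.unpack_from("!H", response, qend + 10)[0]
    return response[qend + 12:qend + 12 + rdlen]


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0x1234) -> bytes:
    """Construct a standard recursive query (constructed test input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for host in ("www.facebook.com", "www.example.com"):
        resp = sinkhole_response(build_query(host))
        print(host, "->", "sinkholed" if resp else "forward upstream")
```

As symcbean's comment notes, clients that are sinkholed this way get a connection failure rather than a block page, since nothing is listening at 0.0.0.0 and the browser never receives a certificate for the site.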
0

Not the best solution, but a browser add-on like Script Blocker for Chrome can filter URLs/domains after https/SSL once web data is decrypted and ready for rendering within the browser.

0

We have implemented HTTPS filtering with squid cache using the SNI. It works well in transparent SSL mode. ACLs are implemented as well. We have integrated the squid box with Cisco ASA as WCCP server and it's in production.

schroeder
Sko
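Both Tom Leek's answer (the server name is visible in the ClientHello's Server Name Indication extension before any encryption) and the squid/SNI answer above rely on the same step: pull the SNI out of the first TLS record of a connection and match it against a site list. The following is an added example, not code from either answer or from squid, that parses a TLS ClientHello, extracts the host name from the server_name extension, and returns a block/allow decision; the blocklist and the sample ClientHello it builds for itself are constructed assumptions. The parser returns `None` on truncated or malformed records rather than raising, and the decision function reports a separate `no-sni` state, because a client that omits the SNI (or, with TLS 1.3 Encrypted Client Hello, encrypts it) gives the filter nothing to match, and policy has to say whether such connections are allowed.

```python
"""Extract the SNI from a TLS ClientHello and decide whether to block the connection.

Added example, not from the original answers. The blocklist is a constructed assumption.
"""
import struct

# Constructed blocklist: facebook.com and every subdomain of it.
BLOCKED_SUFFIXES = ("facebook.com",)


def is_blocked(host: str) -> bool:
    """Suffix match that covers the apex and all subdomains but not e.g. 'notfacebook.com'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension of a ClientHello, or None."""
    try:
        # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
        if record[0] != 0x16:
            return None
        body = record[5:5 + _u16(record, 3)]
        # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
        if body[0] != 0x01:
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        off = 2 + 32                                  # client_version + random
        off += 1 + hello[off]                         # session_id
        off += 2 + _u16(hello, off)                   # cipher_suites
        off += 1 + hello[off]                         # compression_methods
        if off + 2 > len(hello):
            return None                               # no extensions at all
        end = off + 2 + _u16(hello, off)
        off += 2
        while off + 4 <= end:
            ext_type, ext_len = _u16(hello, off), _u16(hello, off + 2)
            off += 4
            if ext_type == 0x0000:                    # server_name extension
                p, list_end = off + 2, off + 2 + _u16(hello, off)
                while p + 3 <= list_end:
                    name_type, name_len = hello[p], _u16(hello, p + 1)
                    p += 3
                    if name_type == 0:                # host_name
                        return hello[p:p + name_len].decode("ascii", "replace")
                    p += name_len
            off += ext_len
        return None
    except (IndexError, struct.error):
        return None                                   # truncated or malformed record


def filter_decision(record: bytes) -> str:
    """'block', 'allow', or 'no-sni' (no name visible; policy decides what to do)."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    return "block" if is_blocked(sni) else "allow"


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI (constructed test input)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32)            # version + random (zeros for the example)
             + b"\x00"                          # empty session_id
             + b"\x00\x02\xc0\x2f"              # one cipher suite
             + b"\x01\x00"                      # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("www.facebook.com", "www.example.com"):
        print(host, "->", filter_decision(build_client_hello(host)))
```

Since the SNI is sent by the client and never authenticated by the filter, a name match only tells you what the client claims to be connecting to; the certificate check mentioned in Tom Leek's answer is the stronger signal when the filter can wait for the server's reply.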
0

You're looking for Deep Packet Inspection (DPI).

It will decrypt, read packet contents, then re-encrypt; it will process according to the rulesets based on the decrypted output. Typically this would be a paid feature in many next-gen firewall products and some stand-alone products.

The odds of you finding this in the open source community will probably be pretty slim, and you'd need beefy hardware to accommodate all of the computation necessary for decryption/re-encryption at speeds that sustain normal web traffic, video streaming, sessions, etc.

Another avenue you could take is identifying Facebook IP space and blocking large swaths of it on your edge.

URL / Content filtering just isn't going to work without DPI in terms of HTTPS.

  • The main problem is not the lack of software support. The cause of the lack of software support is that you have no way to find the client's private key. Such an HTTPS proxy would need to create its own server certs on the fly; however, it can be done only if the client accepts it as a CA, which requires some client configuration. – peterh May 07 '19 at 21:20
  • I would say it is not really deep packet inspection. It is being done by essentially doing a man-in-the-middle attack between the browser and the remote server. – peterh May 07 '19 at 22:53