5

I would like to block some websites on their HTTPS version and allow them on HTTP. The main websites involved are Youtube and Google Images/Videos. This is because on the HTTP version, I can enforce the Safesearch filter on those platforms, whereas I cannot on the HTTPS version. For me, this is a very serious issue which spoils many great things about the Safesearch features Google offers.

Is there any software/config that can do that?

I'm using a filtering software (K9 Web Protection) which enforces Safesearch on the HTTP version of the websites I mentioned, but is unable to do it on the HTTPS version.

I would need to implement that at the computer level, I guess, because it is very easy to bypass filtering solutions from the router, especially when they rely on DNS configuration.

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255

1 Answers1

4

There are two ways to do this:

1) Block it at the firewall, based on the destination IP address and port. For example, when I look up YouTube from my location I get:

C:\Users\mark.henderson>nslookup
Default Server:  enetsdc2.enets.local
Address:  192.168.161.2

> youtube.com
Server:  enetsdc2.enets.local
Address:  192.168.161.2

Name:    youtube.com
Addresses:  2404:6800:800b::88
          74.125.237.135
          74.125.237.136
          74.125.237.142
          74.125.237.128
          74.125.237.134
          74.125.237.129
          74.125.237.131
          74.125.237.130
          74.125.237.133
          74.125.237.132
          74.125.237.137

>

Which gives you a fairly clear list of what to block, and obviously HTTPS is port 443. So if you were to block outbound to those IP addresses on 443 then that's a start. Repeat and rinse for each domain.

The catch with this is that this will only block the initial access. There may be other ways to get to the videos, such as on a subdomain that uses a different IP address. For example, Google Maps is served from dozens and dozens of subdomains, and each one could have a different IP address. Trial and error is pretty much the simplest way of going about this.

2) Man In The Middle SSL inspection. I believe that the Microsoft TMG Firewall can do this (although I haven't actually checked). Basically, the SSL connection between YouTube and your network terminates at your firewall. The firewall then decrypts the session, inspects the traffic, applies its filters, and then re-encrypts it with its own, trusted certificate, copying the details from the original certificate.

For this to work, the firewall basically acts as its own CA, issuing certificates for the domains that it does not own. For this to be seamless, each browser/client must trust the firewalls CA, as the certificates will be issued by it, instead of the actual certificate. This is easily detected by anyone with a bit of knowledge (by inspecting the certificate chain). And if set up incorrectly, will give every single user a certificate error.

All in all, I suggest the first method, for the simple reason that it means you're not going to accidentally decrypt the accountants online banking sessions, so you can't be blamed if $100,000 goes missing from the bank account that the CEO keeps for his mistress.


Further to your comments below, there is a third option, that only Google provides as far as I know. This will only work if you are on a network that runs its own DNS servers and you know how to override the public DNS entries for certain sites.

According to Google SafeSearch and SSL Search for Schools , you can override the A record for www.google.com with a cname for nosslsearch.google.com. This will perform an initial SSL handshake, but will then immediately redirect the user back to non-SSL for searching.

This won't work for YouTube or other services, unless they also offer this service.


Other notes: You are correct that DNS blocking is a bit of a crap method of blocking access, as it can be bypassed. However, if you're on a corporate network, it's likely you're running your own DNS internally, so you could always block DNS traffic headed outside your network, except from your explicitly permitted internal DNS servers. But on the other hand, you can only use DNS for blocking domains, not protocols. So you could block youtube.com, but not permit it on HTTP and block it on HTTPS.

You are incorrect in thinking that the router is the wrong place to be doing this though. In fact, it's the only place you can do it if you want the highest chance of success. Because routers (and the firewalls behind them) are the only ways in and out of your network, you can be 99% that any traffic flowing to the internet is going out through your controls. (the other 1% are people who tether their PCs to their smartphones to get internet access, but this is a management/social issue, not a technical one).

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
  • Could you please show me how to block those IP addresses (the Youtube ones) with the port 443 ? Thank you very much. – Ismael Lemhadri Jun 28 '12 at 00:09
  • @momo1729 - no. For the simple reason that every network is different, and your firewall will be different, and you don't mention which one you've got, so there's no way that anyone can do this except for you. You will need to consult your firewalls documentation to learn how to do this. – Mark Henderson Jun 28 '12 at 00:10
  • What firewall exactly ? I have a firewall on my DSL-2640U D-link router, plus the Windows firewall... Which one could I best implement those features on ? Also, I think there probably is a need for the HTTPS version when logging to the websites in question (like Youtube) ? Is there a compromise ? And could I use the features here : http://support.google.com/websearch/bin/answer.py?hl=en&answer=186669 ? I'm talking about the "Update the router configuration" part. Thanks ! – Ismael Lemhadri Jun 28 '12 at 00:15
  • @momo1729 - you want to block it at your perimeter firewall, which is your `DSL-2640U` most likely. But you have a good point, logging in is generally done over HTTPS and you may be blocking this functionality. You won't know unless you try, but if this causes you problems then the short answer is that what you're asking for can't be done without a *lot* of work. – Mark Henderson Jun 28 '12 at 00:17
  • @momo1729 - that update the router config, that's for networks that run proxy servers. I thought you were asking about a work network (as this is the site for working with professional networks, not home networks), and a proxy server is certainly a good one for corporate networks, but not small/home networks as you most likely don't have a proxy server. – Mark Henderson Jun 28 '12 at 00:19
  • Oh, wow. Well, for starters, you should invest in a business class firewall and/or router. If you want business-grade filtering options, you're not gonna get it on consumer-grade equipment. If the Safesearch filter over SSL is worth a few grand to your shop, buy gear worth having, if it's not worth a few grand for the gear t do it with, then you'll have to live without. – HopelessN00b Jun 28 '12 at 00:20
  • @Mark Henderson : Is your last remark valid also about this : " To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com. " ? Thanks – Ismael Lemhadri Jun 28 '12 at 00:23
  • @momo1729 - that last option is only valid if you have a network that is built and configured to allow that sort of internet access. I'm going to go out on a limb here and assume that there's a 99.9% chance that your network isn't, so it won't be able to use that option. If you have an Active Directory network, then you do. But it sounds like you're doing this somewhere that this isn't the case. – Mark Henderson Jun 28 '12 at 00:31
  • Actually the software I use (K9 Web Protection) does implement this, but it seems like it just doesn't include all of Google domains (for instane : google.co.ma and google.cz )... I'm looking for a way to add those domains into the noSSL script provided by Google which my software uses... And I'm also interested in applying this to Youtube, though Google does not offer a noSSL script for that. Can I 'create' it myself like they have done it for Google Search ? Are you interested in having a look at the javascript file (.js) of the program I use (which I believe is its core) ? Thanks again – Ismael Lemhadri Jun 28 '12 at 11:32
  • Redirecting HTTPS to HTTP for YouTube at a proxy is the better way. – schroeder Jun 29 '12 at 16:03