4

I'm configuring an RB750. I would like to drop YouTube access and redirect to a friendly page located on our local web server. I can drop it using the L7 firewall, but I'm not able to redirect the user because of HTTPS. Specifically, YouTube uses some kind of technology that blocks this "interception". I tried DNAT and DNS too, but neither worked :(. I've read about HSTS (HTTPS Strict Transport Security), which works in Chrome, Firefox and others and enforces full HTTPS during site navigation, and that's why I'm not able to do this. Do you guys have any ideas?

JefersonLemos
  • 4
    You can't - this is _exactly_ what SSL/TLS + HSTS is designed to bypass. It's possible that you could hijack the youtube.com DNS entry on your network though and point that to a server under your control - but you'd need to hijack all of the different variations and regional TLDs for YouTube – Mark Henderson May 10 '17 at 12:52
  • Hi guys, sorry for the delay. I'm working a lot. I tried to do it via simple DNS, just creating a static entry and redirecting to a local server, but it didn't work either. I can't understand what you mean by hijack, and I'm afraid because I have no time to learn it :( – JefersonLemos May 15 '17 at 17:02

1 Answer

6

If you don't have administrative rights on the client, you can't (because it's considered an attack).

If you have administrative rights on the clients, you can install your own certificate authority there, and use a certificate signed by that certificate authority to redirect users over HTTPS (so you will comply with HSTS, and HPKP/PKP is bypassed for a locally imported root).

If it's a hotspot with a welcome page, you can explain on that page why some websites are blocked. (See https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection )

Tom
  • I haven't, because it is a public infrastructure. It is a hotspot and my clients can't access YouTube because our data plan is limited. – JefersonLemos May 15 '17 at 17:04
  • I've completed the answer with a link for captive portals: you can have a welcome page that explains why YouTube is blocked. What you can also do is limit the bandwidth of YouTube instead of blocking it. – Tom May 15 '17 at 18:29
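
Why the gateway's redirect never reaches the user, as an added example that is not part of the original thread: a simplified Python model of the HSTS behaviour a browser follows under RFC 6797. The class, its method names and the sample header values are constructed for illustration, and browser preload lists are not modelled.

```python
import re
import time

class HstsStore:
    """Simplified model of a browser's HSTS state (illustrative, not browser code)."""
    def __init__(self):
        self._entries = {}  # host -> (expiry_epoch, include_subdomains)

    def note_header(self, host, header, over_valid_tls, now=None):
        """Record a Strict-Transport-Security header; returns True if it was honoured."""
        now = time.time() if now is None else now
        if not over_valid_tls:      # headers seen over HTTP or broken TLS are ignored
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age" and re.fullmatch(r'"?\d+"?', value.strip()):
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:         # max-age is a required directive
            return False
        host = host.lower().rstrip(".")
        if max_age == 0:            # max-age=0 deletes the stored policy
            self._entries.pop(host, None)
        else:
            self._entries[host] = (now + max_age, include_sub)
        return True

    def is_hsts_host(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):    # exact host first, then each parent domain
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, cert_valid_for_host, now=None):
        """Outcome the user sees when the network answers for the host in `url`."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/")[0].split(":")[0]
        hsts = self.is_hsts_host(host, now)
        if scheme == "http" and not hsts:
            return "plain-http"     # the only case where a gateway page can be shown
        if cert_valid_for_host:     # HSTS hosts are upgraded to HTTPS before any request
            return "https-ok"
        return "hard-fail" if hsts else "bypassable-warning"
```

A local server answering for the blocked name cannot present a certificate valid for that name, so every HSTS-covered request ends in `hard-fail` rather than the friendly page.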