How do I subject web search results to parental control tools like dansguardian?

The problem: I have good reasons to filter web browsing on my PC. This filtering should be robust. Allowing web search results to go unfiltered is unacceptable, as is blocking search engines altogether.

The issue: Most search engines, like google.com, use https, so I can’t filter them with Dansguardian.

I thought that allowing bing.com and blocking all other search engines would be a good idea, since bing.com goes through http.

But, unfortunately, bing.com may go through https as well. So, effectively, my problem now is how do I block https://bing.com but allow http://bing.com.

I did some Googling, and I found out that: (a) I can’t do it with Dansguardian (this was my first idea); (b) in theory I could do this with Squid, but (c) it would be best to do it with iptables. I’m not claiming this is all true – but this is what googling made me think.

I tried playing with iptables but to no avail. So I asked a question here – How do I set iptables so that https://bing.com is blocked, but http://bing.com is not? – but I was told I should not do this with iptables anyway.

So, how should I achieve my goal? I gave the whole background here just to make sure I’m not trying to do something pointless again.

My current setting is dansguardian + privoxy, as per this guide: http://blog.bodhizazen.net/linux/web-content-filtering-made-easy/ (referenced from the Ubuntu wiki, https://help.ubuntu.com/community/ParentalControls ).

gaazkam

Posted 2016-05-15T15:26:38.140

Reputation: 583

You need something that does ssl endpoint, aka ssl termination, instead of fighting the encryption. When you make a request it is picked up by the endpoint, and then the endpoint establishes a secure connection to whatever.com. Therefore, the traffic inside your network is decrypted. Now big companies use hardware devices that cost $$$$$, but you might be able to use google to find a cheap/free software equivalent. – cybernard – 2016-05-15T16:09:18.267

@cybernard OK, but given that I need all of this just on one laptop, wouldn’t this be overkill? This is not production or whatever, I’m not striving for the best solution possible, a crude and easy solution will do as long as it meets the minimal requirements it has to meet. I’m not saying I won’t do as you say, though – gaazkam – 2016-05-15T16:24:08.413

One of the reasons why companies have the hardware that costs $$$$ is they need the hardware to process a bazillion connections per second. If you can find a software equivalent it should be able to handle your relatively tiny number of connections. The problem is some websites will find ways to encrypt the data, and instead of constantly working around the problem go with the flow. Your way you will always be going back and adding sites to your list. Any hardware solution would be overkill, but software would have much less maintenance than your solution. – cybernard – 2016-05-15T16:48:01.937

@cybernard I’m confused. From Dansguardian documentation: “In explicit-proxy environments, DansGuardian uses its configured lists of sites (bannedsitelist, exceptionsitelist, blacklists) to vett connections for both http: and https: traffic (provided the https: traffic goes through DansGuardian). However the URL path and the content are encrypted so they cannot be analyzed (or even logged). In other words …urllist, …regexpurllist, and weighted… do not apply to https: traffic, not even in these environments.” – gaazkam – 2016-05-19T11:59:03.060

@cybernard And furthermore: “(Inability to look inside encrypted traffic is a generic restriction, not something specific to DansGuardian. After all, if some man-in-the-middle could intercept and analyze the traffic [and see your credit card number], it wouldn't really be “secure”, would it? Currently although there are a few commercial products that begin to address this issue, no open source software can scan encrypted content.)” (emphasis original) Source of the quotations: http://contentfilter.futuragts.com/wiki/doku.php?id=faq – gaazkam – 2016-05-19T12:00:00.990

No answers
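
The FAQ passage quoted in the comments, worked through as an added example (not part of the original thread and not DansGuardian's code): it shows which fields an explicit proxy can read from an `http:` request versus an `https:` `CONNECT` tunnel, and therefore which kind of list can be evaluated. The list contents, host names, function names and the simplified exact/suffix matching are all constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample lists: stand-ins for a site-level list and a URL-level list.
SITE_LIST = {"blocked.example"}
URL_LIST = {"search.example/search?q=blocked"}


def visible_fields(request_line):
    """Return (scheme, host, path) as an explicit proxy sees them."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # HTTPS tunnel: only host:port is sent in cleartext; the path is inside TLS.
        host = target.rsplit(":", 1)[0]
        return "https", host.lower(), None
    parts = urlsplit(target)  # plain HTTP through a proxy uses an absolute URL
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return "http", parts.hostname.lower(), path


def decide(request_line):
    """Return (verdict, checks); checks names the lists that could be evaluated."""
    _scheme, host, path = visible_fields(request_line)
    checks = ["site"]
    if any(host == s or host.endswith("." + s) for s in SITE_LIST):
        return "deny", checks
    if path is None:
        # Nothing more to inspect: URL-level rules cannot run on a tunnel.
        return "allow", checks
    checks.append("url")
    if host + path in URL_LIST:
        return "deny", checks
    return "allow", checks


# Constructed request lines, as a browser would send them to the proxy.
SAMPLES = [
    "GET http://search.example/search?q=blocked HTTP/1.1",
    "CONNECT search.example:443 HTTP/1.1",
    "CONNECT www.blocked.example:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", decide(line))
```

The same search query is denied over `http:` but passes inside the `CONNECT` tunnel, while the site-level rule still applies to both.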