
The Squid at my office is currently set up as a transparent proxy. I tried to block sites like facebook.com and twitter.com and was successful, because just typing in those domains does not default to the https site. However, if a user were to manually enter https://www.facebook.com, they would bypass my filter.

I have read some suggestions on the net that say to block all SSL (443) traffic, but that would block gmail (which does default to https), which is not my intention. Looking for ways around this. Thanks.

Praveen
  • The above problem is just for a proof-of-concept test. However, in the future, this would be deployed on a plane where the passengers have internet access via wifi. Due to the low bandwidth of the satellite link, we have to limit their traffic (i.e. no youtube via https). New passengers will be coming and going every day, as well as having multiple devices. – Praveen Dec 06 '12 at 02:48

1 Answer


Set up SSL Bump and dynamic SSL certificates, and be sure to add your new CA to your users' web browsers.

Michael Hampton
  • Hi Michael, very helpful. Just wrote a bit more information in my question above. Would the SSL Bump/Squid-in-the-middle be suitable for this kind of application (i.e. new clients every day) or is this more for predetermined number of clients (e.g. office staff which don't change very often)? – Praveen Dec 06 '12 at 02:51
  • This is really only suitable for an environment where you have complete control over all the computers, e.g. a business office. Don't even think of doing this to random people on an airplane. – Michael Hampton Dec 06 '12 at 02:55
  • Sorry just to clarify, **when you say don't think of doing this, do you mean it can't be done or we shouldn't be doing this because of privacy and security concerns?** Personally I wouldn't want to do it this way but that is not my decision to make in this regard. – Praveen Dec 06 '12 at 03:08
  • 1
    Yes, the concerns are privacy, security, and _legal_. Not only will users know that something suspicious is going on (since they will get certificate warnings for every site) this is illegal in some jurisdictions. – Michael Hampton Dec 06 '12 at 03:10
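The answer above is one sentence; the script below is an added example (not part of the original answer or of Squid's documentation) that spells out what "SSL Bump with dynamic certificates" means on an intercepting proxy: mint a private CA, initialise the certificate-generator cache, write the relevant squid.conf directives, and redirect port 443 into Squid. Everything version- or host-specific is an assumption and is marked as such: Squid 3.5 or newer (the `at_step`/`peek`/`bump` syntax), the helper name and path (`security_file_certgen` under `/usr/lib/squid/` on Squid 4+; Squid 3.5 calls it `ssl_crtd`), the LAN range 192.168.1.0/24, and the paths under `/etc/squid` and `/var/lib/squid`.

```shell
#!/bin/sh
# Added example, not the page's own code.  Assumptions (see lead-in):
# Squid >= 3.5, Debian-style helper path, office LAN 192.168.1.0/24.
set -eu

# 1. Create the private CA Squid signs its on-the-fly certificates with.
#    Only bumpCA.pem (the public certificate) is pushed to the clients'
#    trust stores; the key stays on the proxy.  Requires openssl.
make_bump_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -extensions v3_ca -subj "/CN=Office Squid Bump CA" \
        -keyout "$dir/bumpCA.key" -out "$dir/bumpCA.pem"
    # Squid's cert= option reads the key from the same file if key= is absent.
    cat "$dir/bumpCA.key" "$dir/bumpCA.pem" > "$dir/bumpCA-combined.pem"
    chmod 600 "$dir/bumpCA.key" "$dir/bumpCA-combined.pem"
    # Make the combined file readable by the user Squid runs as.
}

# 2. Initialise the on-disk cache used by the certificate generator.
#    $certgen is /usr/lib/squid/security_file_certgen on Squid 4+ (assumed);
#    on Squid 3.5 the helper is ssl_crtd with the same -c/-s/-M options.
init_cert_db() {
    certgen=$1; db=$2
    "$certgen" -c -s "$db" -M 4MB
}

# 3. Write the squid.conf directives for a transparent (intercept) bump.
#    Comments are kept on their own lines, as squid.conf expects.
write_squid_conf() {
    out=$1; ca=$2; certgen=$3; db=$4
    cat > "$out" <<EOF
# Added example configuration, not the page's own.
# Assumption: the office LAN.
acl localnet src 192.168.1.0/24

# The transparent HTTP port the office already uses.
http_port 3128 intercept

# TCP/443 is redirected here by the firewall.  Squid mints a certificate
# for the requested host, signed by the bump CA; clients only avoid
# warnings if that CA is in their trust store.
https_port 3129 intercept ssl-bump \\
    cert=$ca \\
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program $certgen -s $db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello first (gives Squid the SNI, so the generated
# certificate carries the right name), then bump everything.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# After the bump the decrypted request passes the same ACLs as plain HTTP,
# so https://www.facebook.com no longer slips past the domain block.
acl blocked_sites dstdomain .facebook.com .twitter.com
http_access deny blocked_sites
http_access allow localnet
http_access deny all
EOF
}

# 4. Send the LAN's HTTPS into the bump port (run as root on the proxy;
#    the LAN-side interface name is an assumption).
redirect_https() {
    lan_if=$1
    iptables -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 443 \
        -j REDIRECT --to-port 3129
}

# Stand-alone run: write the config into a scratch directory so it can be
# inspected without root, openssl or Squid installed.  On the real proxy
# the sequence is: make_bump_ca /etc/squid/ssl_cert;
# init_cert_db /usr/lib/squid/security_file_certgen /var/lib/squid/ssl_db;
# write_squid_conf /etc/squid/squid.conf ...; redirect_https eth1.
demo_dir=$(mktemp -d)
write_squid_conf "$demo_dir/squid.conf" /etc/squid/ssl_cert/bumpCA-combined.pem \
    /usr/lib/squid/security_file_certgen /var/lib/squid/ssl_db
echo "wrote $demo_dir/squid.conf"
```

Check the result with `squid -k parse` before reloading, and import `bumpCA.pem` (not the combined file) into every client's trust store; a browser that does not trust it shows exactly the per-site certificate warnings Michael describes, which is why this only works where you administer the clients.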