Blocking of https sites


VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 1:35 am

Hello

Two questions:

1. When I attempt to access a blocked https site, access to the site is blocked; however, rather than getting the deny page on the user's browser, the user gets a problem loading the page (i.e. as if the Web site is down).

2. I understand that the current procedure to block https sites is to enter the individual URLs in the HTTPS black list. Would it be possible in a future version of WFilter to have the Website Category Filtering apply to both http and https URLs?

VW

VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 1:51 am

I'm having a problem with the blocking of https sites.

While I am able to block facebook with the following: *.facebook.com*

I'm not able to block youtube.

Would appreciate suggestions on how to troubleshoot.

VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 2:06 am

Some additional info.

When I visit https://www.youtube.com, which is not blocked, there is no entry in the 'Current Activities' on WFilter.

The entry to block this site in the HTTPS Black list is: *.youtube.com*

gengw2000
Posts: 281
Joined: Mon Sep 07, 2009 11:11 pm

Blocking of https sites

Postby gengw2000 » Wed May 02, 2012 2:37 am

VeeDub wrote:

Hello

Two questions:

1. When I attempt to access a blocked https site, access to the site is blocked; however, rather than getting the deny page on the user's browser, the user gets a problem loading the page (i.e. as if the Web site is down).

2. I understand that the current procedure to block https sites is to enter the individual URLs in the HTTPS black list. Would it be possible in a future version of WFilter to have the Website Category Filtering apply to both http and https URLs?

VW

WFilter is not able to inject a denial page into an HTTPS session because HTTPS traffic is encrypted, so it just terminates the connections. So far we have no solution to display denial pages to https access yet.

Actually, the "website category filtering" policy is also applied to https websites in the current version of WFilter. If you have any questions, please let me know.

VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 3:03 am

gengw2000 wrote:

Actually, the "website category filtering" policy is also applied to https websites in the current version of WFilter. If you have any questions, please let me know.

I am observing the following:

http://www.youtube.com always blocked
http://www.facebook.com always blocked

https://www.youtube.com never blocked
https://www.facebook.com sometimes blocked

VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 3:08 am

gengw2000 wrote:

WFilter is not able to inject a denial page into an HTTPS session because HTTPS traffic is encrypted, so it just terminates the connections. So far we have no solution to display denial pages to https access yet.

If you can establish that you need to block an https page, could you redirect the browser to the http denial page for the content in question?

gengw2000
Posts: 281
Joined: Mon Sep 07, 2009 11:11 pm

Blocking of https sites

Postby gengw2000 » Wed May 02, 2012 3:17 am

VeeDub wrote:

gengw2000 wrote:

WFilter is not able to inject a denial page into an HTTPS session because HTTPS traffic is encrypted, so it just terminates the connections. So far we have no solution to display denial pages to https access yet.

If you can establish that you need to block an https page, could you redirect the browser to the http denial page for the content in question?

Sorry, it also cannot be redirected.

VeeDub
Posts: 18
Joined: Tue May 01, 2012 11:42 pm

Blocking of https sites

Postby VeeDub » Wed May 02, 2012 3:25 am

gengw2000 wrote:

WFilter is not able to inject a denial page into an HTTPS session because HTTPS traffic is encrypted, so it just terminates the connections. So far we have no solution to display denial pages to https access yet.

Well, Untangle are able to provide a denial page for both http and https traffic with their content filter, so it obviously is possible, but I'm afraid I can't help you with the 'how'.

But Untangle's reporting is nowhere near as good as WFilter.

gengw2000
Posts: 281
Joined: Mon Sep 07, 2009 11:11 pm

Blocking of https sites

Postby gengw2000 » Wed May 02, 2012 3:27 am

We'll check. Thanks for your information.

gengw2000
Posts: 281
Joined: Mon Sep 07, 2009 11:11 pm

Blocking of https sites

Postby gengw2000 » Wed May 02, 2012 6:07 am

VeeDub wrote:

Some additional info.

When I visit https://www.youtube.com, which is not blocked, there is no entry in the 'Current Activities' on WFilter.

The entry to block this site in the HTTPS Black list is: *.youtube.com*

WFilter blocks https/tls websites by their certificate (common name). We noticed youtube websites are using google's SSL certificate "*.google.com" (youtube is a google company now), so you need to add "*.google.com" into your https black list to block youtube. However, this will over-block other google sites; please wait for a few days for us to find a solution.
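
The common-name matching described in the reply above, as an added example that is not part of the thread and is not WFilter's code. It assumes the black list entries are shell-style globs; apart from the "*.google.com" common name reported for YouTube, the session rows are constructed, and matching on the requested hostname is shown only for comparison.

```python
from fnmatch import fnmatchcase

# Constructed sample sessions: (hostname requested, certificate common name).
# "*.google.com" for YouTube is the value reported in the thread; the other
# rows are constructed for illustration.
SESSIONS = [
    ("www.youtube.com", "*.google.com"),
    ("mail.google.com", "*.google.com"),
    ("www.facebook.com", "www.facebook.com"),
]

BLACKLIST = ["*.facebook.com*", "*.youtube.com*"]  # entries from the thread
WORKAROUND = BLACKLIST + ["*.google.com"]           # interim entry from the reply


def matches(patterns, value):
    """True if any glob pattern matches value, compared case-insensitively."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def blocked_hosts(patterns, key):
    """Hosts blocked when patterns are matched against 'cn' or 'host'."""
    idx = {"host": 0, "cn": 1}[key]
    return [s[0] for s in SESSIONS if matches(patterns, s[idx])]


def overblocked(patterns, intended):
    """Hosts blocked via the certificate CN that the intended list never named."""
    return [h for h in blocked_hosts(patterns, "cn") if not matches(intended, h)]


if __name__ == "__main__":
    # CN matching misses YouTube: its certificate never contains "youtube.com".
    print("CN match, original list:  ", blocked_hosts(BLACKLIST, "cn"))
    # Adding "*.google.com" catches YouTube and every other host on that cert.
    print("CN match, with workaround:", blocked_hosts(WORKAROUND, "cn"))
    print("Collateral blocks:        ", overblocked(WORKAROUND, BLACKLIST))
    # Hypothetical comparison: matching on the requested hostname instead.
    print("Host match, original list:", blocked_hosts(BLACKLIST, "host"))
```
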

