Web Filtering

Lonnie Olson lists at kittypee.com
Fri Apr 5 11:02:00 MDT 2013


On Fri, Apr 5, 2013 at 10:51 AM, Jessie A. Morris
<jessie at jessieamorris.com> wrote:
> On Friday, April 05, 2013 10:43:09 Merrill Oveson wrote:
>> Another vote for OpenDNS.
>
> One nice part about OpenDNS filtering is that it will filter SSL too, seeing as it's at the DNS level. Dansguardian (in transparent mode) cannot do this, as intercepting content is specifically what SSL was designed to prevent.

Squid can intercept SSL content by presenting its own certificate to
the user, and making a second SSL connection back to the server,
becoming a MITM.  Some corporations' firewalls use this technique to
filter SSL traffic as well.  Yes, it requires adding a new private CA
to the clients' computers to prevent SSL warnings, but that's cake in a
corporate or home environment.

Not that I am advocating the use of filtering SSL traffic, it's creepy
and possibly dangerous.  I'm just saying it's possible.

And as far as OpenDNS filtering is concerned, it's only very basic
filtering, and is extremely easy to defeat, even more so than a
transparent Squid/DansGuardian setup.  OpenDNS is only useful for
filtering accidental traffic like porn sites on typo'd domains and the
like.  Anyone that wants to see unfiltered stuff can easily change the
DNS servers to 8.8.8.8.  Not even hard to remember the address.  :)
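
The resolver change described in the message above is visible at the gateway as DNS traffic going somewhere other than the filtering resolver. The following is an added example, not part of the original post, that flags such clients from netfilter LOG-style lines. The log lines are constructed, `find_resolver_bypass` is a hypothetical name, and it assumes the gateway logs forwarded packets and that clients are meant to query OpenDNS's public resolvers directly.

```python
import ipaddress
import re

# Resolvers clients are allowed to query (OpenDNS public addresses).
# Assumption: clients query these directly; use your forwarder's IP otherwise.
ALLOWED_RESOLVERS = {ipaddress.ip_address(a)
                     for a in ("208.67.222.222", "208.67.220.220")}
DNS_PORTS = {53, 853}  # plain DNS (UDP/TCP) and DNS-over-TLS

# key=value fields as written by the Linux netfilter LOG target
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample log lines (not taken from a real network).
SAMPLE_LOG = """\
Apr  5 11:02:01 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=208.67.222.222 LEN=60 PROTO=UDP SPT=51000 DPT=53
Apr  5 11:02:07 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40112 DPT=53
Apr  5 11:02:09 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 LEN=64 PROTO=TCP SPT=40113 DPT=53
Apr  5 11:02:15 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51022 DPT=443
Apr  5 11:03:00 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=8.8.4.4 LEN=60 PROTO=TCP SPT=39001 DPT=853
Apr  5 11:03:02 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=
"""


def find_resolver_bypass(log_text):
    """Return {client_ip: sorted list of unapproved resolver IPs it queried}."""
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = fields["SRC"]
            dst = ipaddress.ip_address(fields["DST"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # truncated or unrelated line: skip rather than guess
        if port in DNS_PORTS and dst not in ALLOWED_RESOLVERS:
            hits.setdefault(src, set()).add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, resolvers in find_resolver_bypass(SAMPLE_LOG).items():
        print(f"{client} queried unapproved resolvers: {', '.join(resolvers)}")
```

The same allow-list can be enforced rather than only reported, by dropping forwarded traffic to ports 53 and 853 for any destination outside it.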

