Web Filtering

Barry Roberts blr at robertsr.us
Fri Apr 5 12:28:42 MDT 2013

On Fri, Apr 5, 2013 at 11:02 AM, Lonnie Olson <lists at kittypee.com> wrote:

> Squid can intercept SSL content by presenting its own certificate to
> the user, and making a second SSL connection back to the server,
> becoming a MITM.  Some corporations' firewalls use this technique to
> filter SSL traffic as well.  Yes it requires adding a new private CA
> to the clients' computers to prevent SSL warnings, but that's cake in a
> corporate or home environment.

It's cake until you have to add that cert to your jvm keystore, and
configure git to work when ssl certs don't match, and configure your
package management, and so on, and so on.  Working for a large public
company sucks sometimes (?).  Filtering employee web access is considered
standard now.

> And as far as OpenDNS filtering is concerned, it's only very basic
> filtering, and is extremely easy to defeat, even more so than a
> transparent Squid/DansGuardian setup.  OpenDNS is only useful for
> filtering accidental traffic like porn sites on typo'd domains and the
> like.  Anyone that wants to see unfiltered stuff can easily change the
> DNS servers to  Not even hard to remember the address.  :)

Only if they have root!
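
Added example, not part of the original thread: one way to make the tools named above (the JVM keystore, git, other HTTPS clients) trust the filtering proxy's private CA instead of switching certificate verification off. The file paths, the `proxy-ca` alias and the function names are assumptions; `changeit` is the stock cacerts password.

```shell
#!/bin/sh
# Added example: trust the filtering proxy's private CA per tool rather than
# disabling verification. Paths, alias and function names are assumptions.

# Succeeds only if $1 is a readable file holding exactly one PEM certificate.
is_pem_cert() {
    [ -r "$1" ] || return 1
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    [ "$(grep -c -e '-----END CERTIFICATE-----' "$1")" -eq 1 ]
}

# Write $3 = system roots ($1) + proxy CA ($2). Safe to rerun: the CA is
# appended only if its first base64 line is not already in the bundle.
build_bundle() {
    is_pem_cert "$2" || { echo "not a single PEM certificate: $2" >&2; return 1; }
    [ -f "$3" ] || cp "$1" "$3" || return 1
    first=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;}' "$2")
    grep -qF -e "$first" "$3" || { echo; cat "$2"; } >> "$3"
}

# Point each client at the CA. Only tools found on PATH are touched.
trust_proxy_ca() {  # $1 = proxy CA PEM, $2 = bundle built above
    if command -v git >/dev/null 2>&1; then
        # Keeps verification on, unlike http.sslVerify=false.
        git config --global http.sslCAInfo "$2"
    fi
    if command -v keytool >/dev/null 2>&1; then
        # -cacerts needs JDK 9+ and write access to the JDK's cacerts file.
        keytool -list -cacerts -storepass changeit -alias proxy-ca >/dev/null 2>&1 ||
            keytool -importcert -noprompt -cacerts -storepass changeit \
                    -alias proxy-ca -file "$1"
    fi
    # curl, Python requests and OpenSSL-based clients honour these variables.
    printf 'export CURL_CA_BUNDLE=%s REQUESTS_CA_BUNDLE=%s SSL_CERT_FILE=%s\n' \
           "$2" "$2" "$2"
}

# Usage (assumed paths):
#   sh trust-proxy-ca.sh /etc/ssl/certs/ca-certificates.crt proxy-ca.pem ~/proxy-bundle.pem
if [ "$#" -eq 3 ]; then
    build_bundle "$1" "$2" "$3" && trust_proxy_ca "$2" "$3"
fi
```

The printed `export` line is meant to be added to a shell profile; nothing is changed for a tool that is not installed.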
