Netgate Discussion Forum

Block Facebook.com

pfBlockerNG
  • M
    mcury
    last edited by Jan 17, 2020, 3:39 PM

    Browser detects MITM, that is not pfblocker's fault, it's just how https works.

    dead on arrival, nowhere to be found.

    • N
      NollipfSense @mcury
      last edited by Jan 17, 2020, 3:49 PM

      @mcury So, are you saying the browser reacts first before it gets to pfBlockerNG? That seems to make sense!

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

      • M
        mcury
        last edited by Jan 17, 2020, 3:53 PM

        There is a certificate when the connection goes through https.
        The site you are calling in your browser is facebook.com, your browser is expecting to receive a response from facebook.com.
        The certificate presented by the website should contain the same name you called, in this case, facebook.com.

        Pfblocker is trying to present you a block page that isn't facebook, so your browser cuts the connection.

        ps: sorry for my english

        dead on arrival, nowhere to be found.

        • N
          NogBadTheBad
          last edited by NogBadTheBad Jan 17, 2020, 4:03 PM Jan 17, 2020, 3:58 PM

          Basically you need to trust the pfBlocker self signed cert.

          http:-

          login-to-view

          https:-

          login-to-view

          Notice the padlock ?

          login-to-view

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • M
            mcury
            last edited by Jan 17, 2020, 4:03 PM

            I don't think that will help either, see, the pfblocker certificate doesn't contain facebook.com as a valid dns name.

            Check the facebook certificate for the part: DNS alternative names

            dead on arrival, nowhere to be found.
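
The two checks discussed in the posts above, as an added example that is not part of the thread: a TLS client validates both that the certificate's issuer is trusted and that the requested hostname appears among the certificate's DNS alternative names. The certificate dictionaries, issuer strings and the `blockpage.example` name are constructed sample data, not the contents of any real certificate.

```python
# Added illustration: issuer trust and hostname matching are separate checks.
# All certificate data below is constructed sample data.

def name_matches(pattern: str, host: str) -> bool:
    """Match one DNS alternative name against a hostname (RFC 6125 style).

    A wildcard is accepted only as the whole left-most label and covers
    exactly one label, so *.example.com does not match example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def validate(cert: dict, host: str, trusted_issuers: set) -> list:
    """Return the validation errors for this certificate and hostname."""
    errors = []
    if cert["issuer"] not in trusted_issuers:
        errors.append("untrusted-issuer")
    if not any(name_matches(n, host) for n in cert["san_dns"]):
        errors.append("name-mismatch")
    return errors


# Constructed: a site certificate issued by a publicly trusted CA.
SITE_CERT = {"issuer": "Public CA (constructed)",
             "san_dns": ["*.facebook.com", "facebook.com"]}
# Constructed: a self-signed certificate served with a block page.
BLOCK_CERT = {"issuer": "Block page self-signed (constructed)",
              "san_dns": ["blockpage.example"]}

if __name__ == "__main__":
    store = {"Public CA (constructed)"}
    print(validate(SITE_CERT, "www.facebook.com", store))
    print(validate(BLOCK_CERT, "www.facebook.com", store))
    # Importing the block-page certificate as trusted clears only the
    # issuer error; the name check is evaluated independently.
    store.add(BLOCK_CERT["issuer"])
    print(validate(BLOCK_CERT, "www.facebook.com", store))
```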

            • N
              NogBadTheBad @mcury
              last edited by NogBadTheBad Jan 17, 2020, 4:19 PM Jan 17, 2020, 4:16 PM

              @mcury

              login-to-view

              login-to-view

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • M
                mcury
                last edited by Jan 17, 2020, 4:19 PM

                So, it worked with safari, how about firefox, or chrome?

                dead on arrival, nowhere to be found.

                • N
                  NogBadTheBad @mcury
                  last edited by NogBadTheBad Jan 19, 2020, 4:40 PM Jan 17, 2020, 4:21 PM

                  @mcury

                  Don't they both do DNS over HTTPS, so they'd bypass pfBlocker ?

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  • M
                    mcury
                    last edited by Jan 17, 2020, 4:21 PM

                    You can disable that behavior

                    dead on arrival, nowhere to be found.

                    • N
                      NogBadTheBad @mcury
                      last edited by Jan 17, 2020, 4:22 PM

                      @mcury

                      If you have firefox or chrome installed 😉

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • M
                        mcury @NogBadTheBad
                        last edited by Jan 17, 2020, 4:24 PM

                        @NogBadTheBad yeah :) only in that case.

                        dead on arrival, nowhere to be found.

                        • N
                          NollipfSense @NogBadTheBad
                          last edited by Jan 17, 2020, 4:35 PM

                          @NogBadTheBad said in Block Facebook.com:

                          @mcury

                          Don't they both do DNS over HTTP, so they'd bypass pfBlocker ?

                          @mcury said in Block Facebook.com:

                          You can disable that behavior

                          Yes, I have disabled the behavior in Firefox, and I mostly use Firefox and sometimes Safari. However, I don't get "site had been blocked by network admin" in all cases; sometimes I get a blank page... so I just edit CN-DNSBL to trust it in Firefox.

                          pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                          pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                          • M
                            mcury @NollipfSense
                            last edited by Jan 17, 2020, 4:45 PM

                            @NollipfSense

                            My previous tests with firefox didn't work.
                            My best guess is that firefox was trying to compare the fqdn called with the server CN and/or dns alternatives.
                            Remember, I'm not a specialist, and I could be wrong, so don't take everything I said as the last word.

                            I was facing a lot of issues getting my LE certificate to work, and to get that, I had to add all my subdomains to my certificate as alternative names.

                            If Firefox is working today, with dnsblocker webpage for https, it's good to know, maybe I'll try it later :)

                            dead on arrival, nowhere to be found.

                            • N
                              NollipfSense @mcury
                              last edited by Jan 17, 2020, 5:12 PM

                              @mcury Yes, it's working with Firefox...

                              login-to-view

                              pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
                              pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

                              • M
                                mcury @NollipfSense
                                last edited by Jan 17, 2020, 5:15 PM

                                @NollipfSense I'll for sure try to import the DNSBL cert to my browser later in the day.
                                My dns over https is also disabled :)

                                dead on arrival, nowhere to be found.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.