Adding HTTPS filtering "out of the box"



  • After the revelations of the notorious Edward Snowden, a worldwide hysteria began about protecting everything from the all-seeing eye of Big Brother, the US NSA (and understandably so: it is not nice when someone, without your knowledge, finds out the colour and model of the boxers one of us wore to work today).
    My observations concern the unpleasant (let me not be afraid to say it) general migration of services to HTTPS: VKontakte, Facebook (the latter has moved not only to HTTPS but already into Tor, for a greater demonstration of the "reliability" of the communication channels to its servers, on which people, with their own hands, fill in a daily dossier on themselves), the search engines Google and Yandex, and, attention, everyone's (un)favourite Skype. I am confident that the list can be continued and that it will keep expanding. This is just what came to mind without thinking about what prevents me personally from living in the networks under my control. If one of your users climbs in to watch videos over HTTPS, all you can see is his connection to port 443 in pftop and the megabytes ticking up before your eyes (from which you realize that a video stream is going inside), but you can do nothing about it without selective HTTPS filtering (unless you manually kill his states).
    http://www.theregister.co.uk/2014/11/06/nsa_share_bugs/
    Attempts to block HTTPS (443) entirely for selected workstations lead to a complete blockage of Skype, which apparently authorizes only over HTTPS.
    https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop
    And personally, I have the task of killing VK and FB in the LAN, with their endless video and audio traffic-eaters over HTTPS, while keeping Skype working.
    What is really needed is the introduction of a standard, out-of-the-box HTTPS filtering option.
    Something like an extra checkbox in the squid installer for SSL filtering that pulls the additional packages for "Diladele Web Safety 3.4" and writes the additional entries into the config file, or some other way to solve this.
    Because installing "Diladele Web Safety 3.4" by home-made methods (http://sichent.wordpress.com/2014/02/22/filtering-https-traffic-with-squid-on-pfsense-2-1/ and https://forum.pfsense.org/index.php?topic=72528.0) (almost the same) with self-made "crutches" loses the ability to update pfSense versions trouble-free.
    As was the case with the 2.0 and then 2.1 subversions, etc., since it forms a non-default configuration unknown to the standard, universal pfSense engine.



  • Hey, please, can anyone write this question to the developers?
    Maybe this technology can be realised in future versions.



  • The default HTTPS port is 443, which makes it easy to filter. But unfortunately, a lot of other stuff that happens through a web browser also sends its traffic through that port, which makes it harder to correctly filter just secure web browsing on that port.

    What you are asking for is unfortunately next to impossible without blocking everything else that sends its traffic through port 443.



  • What you're asking for is not practical. If you want to block HTTPS, simply add a rule to block port 443. The problem is that you'll also block most major services that your users use (Google, Yahoo, Gmail, Microsoft, etc.). If you're concerned about what your users are doing behind the HTTPS layer, simply set up an SSL proxy in pfSense. That way, the connection between the client and gateway will be secured, as well as the connection between the gateway and the website. However, the proxy will still allow you to see what's happening inside the HTTPS tunnel and thus block anything that you don't want the user to have access to.