RE: blocking https

[Mike Fetherston <mike_sha () shaw ca>]

Yes, thank you Jim!

I seemed to have "filtered" out (pun intended) that the OP had mentioned
Squid.  I just naturally fell into thinking about this at the
packet/firewall level.

I totally agree that a proxy would be better suited to handle restricting
https access to specific websites.  I believe the latest version of Squid
(3.0) can filter on HTTPS requests.

Mike Fetherston


> -----Original Message-----
> From: jim () openanswers co uk [mailto:jim () openanswers co uk]
> Sent: Thursday, December 08, 2005 10:16 AM
> To: Mike Fetherston
> Cc: muruganandam_c () sifycorp com; security-basics () securityfocus com
> Subject: RE: blocking https
>
> > Blocking all would be a simple matter of closing outbound connections to
> > port 443.  If you want to block specific https sites you would have to
> > pair
> > up port 443 with that site's ip address.  The tricky part comes in when
> > sites use caching (Akamai) or round robin dns..
> >
> > Mike Fetherston
>
> A better solution would be to pass all outgoing requests through a web
> proxy. Most decent web proxies will allow rules to be set up based on
> hostnames, avoiding the issue of matching IP addresses to the sites in
> question.
>
> Regards,
> Jim Halfpenny