mercutio: i'm a bit late to the party, but it looks like you can use squid to transparently proxy https: http://www.squid-cache.org/Doc/config/https_port/ . sure, you will have to install your own ca certificate on the clients and make sure that they don't do public key pinning but in a controlled environment that might work
ant: it's probably more complicated than doing it with dns
mercutio: if you just want to block youtube, most probably
ant: it's anisfarhana  that wanted to block youtube, but yeah.
mercutio: yeah, i didn't actually meant _you_ with "you" ;)
yeah
generic you
heh
at my former school i once tried to block gaming sites and other non-school-realted stuff via the web proxy. but i ended up realising that one should try to solve social problems by technical measures
For that matter, it's technically possible to filter https by examining the SNI in-transit and blocking the connection appropriately. (I'm not aware of any f/oss out there that does this, but I know how several firewall vendors do it)
brycec: that's an interesting idea.
i'm against blocking myself
Even if it's blocking a botnet that uses https for control?
well botnets may pretend to be facebook or something :/
but yeah i'm not a big fan of dpi
it's too hard to keep up with
(or another very legit use case, eg compliance or other "government rules")
and leads to too much complexity.
yeah there's a little danger in government enforced access blocks coming out more
already a lot of countries do dns blocking
sometimes forcing isp's hands.
(I was referring to PCI-DSS compliance, but maybe that's not actually government-driven)
whoops. just realised that i said the opposite of what i meant...one should _not_ try to solve social problems by technical measures
^ makes more sense now
ant: we knew what you meant
well i knew at least :)
lots of workplaces monitor usage of facebook tehse days afaik
but people are shifting more and more to passive monitoring.
if people know that they're being watched they'll avoid detection
and someone using facebook ontheir phone at work is no beter than their office pc as far as time wasting
as long as disabling flash facebook is probably "reasonably safe"
bdmail
mercutio: doesnt have to be human readable compression (for that ipv6 listings) Perhaps only calculate a /64 listed out then we can multiply
weird google's just changed their dns infrastructure it seems
and www.google.com isn't working properly for me, which used to be a cname from www.google.co.nz
but www.google.co.nz now has a direct a record.
and the ip addresses on multiple dns all seemed to change, and the reverse lookups look different.
oh and now they're returning single records instead of like 8
mercutio, not here
mkb: it came right again.
That's what she said!!
it was giving SERVFAIL
it seems there are a whole lot of 216 addresses suddenly when there were 74.125 ones before.
but i found something to do dns lookups around the world, and some people seem to have the older addresses still. i assume they're changing things around a bit