[03:07] <ant> mercutio: i'm a bit late to the party, but it looks like you can use squid to transparently proxy https: http://www.squid-cache.org/Doc/config/https_port/ . sure, you will have to install your own ca certificate on the clients and make sure that they don't do public key pinning but in a controlled environment that might work
[03:13] <mercutio> ant: it's probably more complicated than doing it with dns
[03:14] <ant> mercutio: if you just want to block youtube, most probably
[03:14] <mercutio> ant: it's anisfarhana  that wanted to block youtube, but yeah.
[03:15] <ant> mercutio: yeah, i didn't actually meant _you_ with "you" ;)
[03:15] <mercutio> yeah
[03:15] <mercutio> generic you
[03:16] <brycec> heh
[03:17] <ant> at my former school i once tried to block gaming sites and other non-school-realted stuff via the web proxy. but i ended up realising that one should try to solve social problems by technical measures
[03:17] <brycec> For that matter, it's technically possible to filter https by examining the SNI in-transit and blocking the connection appropriately. (I'm not aware of any f/oss out there that does this, but I know how several firewall vendors do it)
[03:18] <mercutio> brycec: that's an interesting idea.
[03:18] <mercutio> i'm against blocking myself
[03:18] <brycec> Even if it's blocking a botnet that uses https for control?
[03:19] <mercutio> well botnets may pretend to be facebook or something :/
[03:19] <mercutio> but yeah i'm not a big fan of dpi
[03:19] <mercutio> it's too hard to keep up with
[03:19] <brycec> (or another very legit use case, eg compliance or other "government rules")
[03:19] <mercutio> and leads to too much complexity.
[03:19] <mercutio> yeah there's a little danger in government enforced access blocks coming out more
[03:20] <mercutio> already a lot of countries do dns blocking
[03:20] <mercutio> sometimes forcing isp's hands.
[03:20] <brycec> (I was referring to PCI-DSS compliance, but maybe that's not actually government-driven)
[03:20] <ant> whoops. just realised that i said the opposite of what i meant...one should _not_ try to solve social problems by technical measures
[03:20] <brycec> ^ makes more sense now
[03:20] <mercutio> ant: we knew what you meant
[03:20] <mercutio> well i knew at least :)
[03:22] <mercutio> lots of workplaces monitor usage of facebook tehse days afaik
[03:22] <mercutio> but people are shifting more and more to passive monitoring.
[03:22] <mercutio> if people know that they're being watched they'll avoid detection
[03:23] <mercutio> and someone using facebook ontheir phone at work is no beter than their office pc as far as time wasting
[03:23] <mercutio> as long as disabling flash facebook is probably "reasonably safe"
[04:24] *** qbit has quit IRC (Ping timeout: 264 seconds)
[04:25] *** qbit has joined #arpnetworks
[04:25] *** qbit is now known as Guest61504
[04:52] *** Guest61504 is now known as qbit
[05:09] *** qbit_ has joined #arpnetworks
[05:09] *** qbit_ has quit IRC (Client Quit)
[05:35] *** mnathani has quit IRC (Ping timeout: 252 seconds)
[05:46] *** mnathani has joined #arpnetworks
[06:46] *** mjp has quit IRC (*.net *.split)
[06:46] *** toeshred has quit IRC (*.net *.split)
[06:46] *** awyeah has quit IRC (*.net *.split)
[06:46] *** jcv has quit IRC (*.net *.split)
[06:46] *** anisfarhana has quit IRC (*.net *.split)
[06:46] *** jcv has joined #arpnetworks
[06:46] *** mjp has joined #arpnetworks
[06:46] *** toeshred has joined #arpnetworks
[06:46] *** awyeah has joined #arpnetworks
[06:51] *** anis has joined #arpnetworks
[07:04] *** ziyourenxiang has joined #arpnetworks
[07:09] *** ziyourenxiang has quit IRC (Client Quit)
[08:15] *** medum has quit IRC (Remote host closed the connection)
[10:33] *** anis is now known as anisfarhana
[10:33] *** anisfarhana has quit IRC (Changing host)
[10:33] *** anisfarhana has joined #arpnetworks
[12:41] <mkb> bdmail
[17:44] <mnathani_> mercutio: doesnt have to be human readable compression (for that ipv6 listings) Perhaps only calculate a /64 listed out then we can multiply
[18:07] <mercutio> weird google's just changed their dns infrastructure it seems
[18:07] <mercutio> and www.google.com isn't working properly for me, which used to be a cname from www.google.co.nz
[18:07] <mercutio> but www.google.co.nz now has a direct a record.
[18:08] <mercutio> and the ip addresses on multiple dns all seemed to change, and the reverse lookups look different.
[18:09] <mercutio> oh and now they're returning single records instead of like 8
[18:33] *** ziyourenxiang has joined #arpnetworks
[18:34] *** ziyourenxiang has quit IRC (Client Quit)
[18:39] *** medum has joined #arpnetworks
[18:53] <mkb> mercutio, not here
[18:57] <mercutio> mkb: it came right again.
[18:57] <BryceBot> That's what she said!!
[18:57] <mercutio> it was giving SERVFAIL
[18:57] <mercutio> it seems there are a whole lot of 216 addresses suddenly when there were 74.125 ones before.
[18:58] <mercutio> but i found something to do dns lookups around the world, and some people seem to have the older addresses still. i assume they're changing things around a bit
[21:10] *** dj_goku has quit IRC (Read error: Connection reset by peer)
[21:10] *** dj_goku has joined #arpnetworks
[21:10] *** dj_goku has quit IRC (Changing host)
[21:10] *** dj_goku has joined #arpnetworks