Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Youtube SSL

  1. #1
    Master Untangler
    Join Date
    Mar 2011
    Location
    Auburn, NY
    Posts
    437

    Default Youtube SSL

    I want to confirm my findings because the idea of not being able to block HTTPS youtube is killing me.

    When working with Untangle support we saw that youtube is not passing its protochain in SSL, it is simply just "/IP/TCP/SSL" 80% of the time, the other 20% it seems to be passing "/IP/TCP/SSL/YOUTUBE" Are others seeing this also?

    I did discover that webfilter will prevent video playback on youtube https by blocking "youtube.com/videoplayback".

    Im hoping one of you guys have a solution to this but its not looking good. I appreciate the input!

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    If you have a lot of sessions at less than 100% confidence in application control, I would make sure you upgrade to 9.3.2.
    It has a much larger session table in the categorization engine allowing for better classification if you are a large site.

    If most everything is at 100% confidence then its unlikely that is the issue.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler
    Join Date
    Mar 2011
    Location
    Auburn, NY
    Posts
    437

    Default

    Quote Originally Posted by dmorris View Post
    If you have a lot of sessions at less than 100% confidence in application control, I would make sure you upgrade to 9.3.2.
    It has a much larger session table in the categorization engine allowing for better classification if you are a large site.

    If most everything is at 100% confidence then its unlikely that is the issue.
    Just upgraded last night.

    "/IP/TCP/SSL" is always 50% when its youtube.

    "/IP/TCP/SSL/YOUTUBE" is always 100% but I rarely see youtube pass its protochain.

    Everything else I block has no issues, facebook, twitter etc, they all report a confidence of 100 all the time.
    Last edited by AdamB; 11-07-2012 at 05:15 PM.

  4. #4
    Master Untangler
    Join Date
    Mar 2011
    Location
    Auburn, NY
    Posts
    437

    Default

    I setup a completely new rack and am utilizing the custom rule to block youtube which is default in application rules list after install. In the logs it shows all my https youtube traffic being blocked but I can still hit https://youtube.com. I also tried tarpit with the same results. I can see youtube passing its protochain now. Any ideas why this is not being blocked correctly?

  5. #5
    Master Untangler
    Join Date
    Dec 2010
    Location
    Southfield, MI
    Posts
    181

    Default

    I am having this problem too, but with a little bit different circumstances.

    An attempt to access Youtube via HTTPS will pass YOUTUBE in it's protochain and get tarpitted. However, about 3 seconds after that connection is dropped, GOOGLE appears in the protochain and is passed, so Youtube SSL is accessible using a GOOGLE certificate...

    Any ideas?

  6. #6
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,687

    Default

    It's a difficult problem to solve when you are looking to block some but not all services from a large IP block owner like Google.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    some dude hlarsen's Avatar
    Join Date
    Jul 2010
    Location
    sfba
    Posts
    1,384

    Default

    perhaps you can enable youtube for schools and simply not allow any videos? (just an idea, i haven't tested it)

  8. #8
    Master Untangler
    Join Date
    Dec 2010
    Location
    Southfield, MI
    Posts
    181

    Default

    Quote Originally Posted by jcoffin View Post
    It's a difficult problem to solve when you are looking to block some but not all services from a large IP block owner like Google.
    One thing suggested to stop this is to set a static DNS for youtube, and then firewall port 443 to stop HTTPS traffic. It's not a bad idea, but using windows DNS it's complicated.

    Quote Originally Posted by hlarsen View Post
    perhaps you can enable youtube for schools and simply not allow any videos? (just an idea, i haven't tested it)\
    Youtube for schools seems to be the biggest joke right now, since the injection into the URL string can only happen over unencrypted HTTP connections. But once you allow connections to the youtube domain, all it takes is for the user to add an "S" into the address bar and they don't have the Youtube for Schools restrictions.

    Even though youtube is accessible, videos still stream over http, so the videos don't seem to play. I haven't tested this well, because it's not ideal for me that students can access the page at all.

    I'm not trying to make problems at Untangle, but I was talking this over with another IT guy who knows filters, and when I told him I can't filter SSL Youtube connections, he laughed at me. He's using a competitor's filtering device. I tried it: when I attempt to access Youtube over HTTPS, I get a Youtube branded page, that reads something like:

    "The app is not available"

    I'm not sure what the trick is, but it seems other companies have figured out a way to do this effectively.

  9. #9
    Master Untangler
    Join Date
    Mar 2011
    Location
    Auburn, NY
    Posts
    437

    Default

    Quote Originally Posted by yotefn View Post
    One thing suggested to stop this is to set a static DNS for youtube, and then firewall port 443 to stop HTTPS traffic. It's not a bad idea, but using windows DNS it's complicated.



    Youtube for schools seems to be the biggest joke right now, since the injection into the URL string can only happen over unencrypted HTTP connections. But once you allow connections to the youtube domain, all it takes is for the user to add an "S" into the address bar and they don't have the Youtube for Schools restrictions.

    Even though youtube is accessible, videos still stream over http, so the videos don't seem to play. I haven't tested this well, because it's not ideal for me that students can access the page at all.

    I'm not trying to make problems at Untangle, but I was talking this over with another IT guy who knows filters, and when I told him I can't filter SSL Youtube connections, he laughed at me. He's using a competitor's filtering device. I tried it: when I attempt to access Youtube over HTTPS, I get a Youtube branded page, that reads something like:

    "The app is not available"

    I'm not sure what the trick is, but it seems other companies have figured out a way to do this effectively.
    Working with Untangle support we found that youtube/google is not injecting its protochain into all requests. I've yet to see anyone find a way around this. Sure would love to pin it down.

  10. #10
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    Whenever I just turn on tarpit for youtube it seems to work fine. All youtube is blocked and I can't access the site.

    Note: if you are using IPv6 its not gonna matter what you do. IPv6 is not yet scanned by the apps.

    There is no way google could use a non-youtube cert because then the browser would not accept it.
    I would just use tcpdump and see whats going on.
    Last edited by dmorris; 01-15-2013 at 12:13 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2