Youtube SSL

[AdamB]

I want to confirm my findings because the idea of not being able to block HTTPS youtube is killing me.

When working with Untangle support we saw that youtube is not passing its protochain in SSL, it is simply just "/IP/TCP/SSL" 80% of the time, the other 20% it seems to be passing "/IP/TCP/SSL/YOUTUBE" Are others seeing this also?

I did discover that webfilter will prevent video playback on youtube https by blocking "youtube.com/videoplayback".

Im hoping one of you guys have a solution to this but its not looking good. I appreciate the input!

[dmorris]

If you have a lot of sessions at less than 100% confidence in application control, I would make sure you upgrade to 9.3.2.
It has a much larger session table in the categorization engine allowing for better classification if you are a large site.

If most everything is at 100% confidence then its unlikely that is the issue.

[AdamB]

If you have a lot of sessions at less than 100% confidence in application control, I would make sure you upgrade to 9.3.2.
It has a much larger session table in the categorization engine allowing for better classification if you are a large site.

If most everything is at 100% confidence then its unlikely that is the issue.

Just upgraded last night.

"/IP/TCP/SSL" is always 50% when its youtube.

"/IP/TCP/SSL/YOUTUBE" is always 100% but I rarely see youtube pass its protochain.

Everything else I block has no issues, facebook, twitter etc, they all report a confidence of 100 all the time.

[AdamB]

I setup a completely new rack and am utilizing the custom rule to block youtube which is default in application rules list after install. In the logs it shows all my https youtube traffic being blocked but I can still hit https://youtube.com. I also tried tarpit with the same results. I can see youtube passing its protochain now. Any ideas why this is not being blocked correctly?

[yotefn]

I am having this problem too, but with a little bit different circumstances.

An attempt to access Youtube via HTTPS will pass YOUTUBE in it's protochain and get tarpitted. However, about 3 seconds after that connection is dropped, GOOGLE appears in the protochain and is passed, so Youtube SSL is accessible using a GOOGLE certificate...

Any ideas?

[jcoffin]

It's a difficult problem to solve when you are looking to block some but not all services from a large IP block owner like Google.

[hlarsen]

perhaps you can enable youtube for schools and simply not allow any videos? (just an idea, i haven't tested it)

[yotefn]

It's a difficult problem to solve when you are looking to block some but not all services from a large IP block owner like Google.

One thing suggested to stop this is to set a static DNS for youtube, and then firewall port 443 to stop HTTPS traffic. It's not a bad idea, but using windows DNS it's complicated.

perhaps you can enable youtube for schools and simply not allow any videos? (just an idea, i haven't tested it)\

Youtube for schools seems to be the biggest joke right now, since the injection into the URL string can only happen over unencrypted HTTP connections. But once you allow connections to the youtube domain, all it takes is for the user to add an "S" into the address bar and they don't have the Youtube for Schools restrictions.

Even though youtube is accessible, videos still stream over http, so the videos don't seem to play. I haven't tested this well, because it's not ideal for me that students can access the page at all.

I'm not trying to make problems at Untangle, but I was talking this over with another IT guy who knows filters, and when I told him I can't filter SSL Youtube connections, he laughed at me. He's using a competitor's filtering device. I tried it: when I attempt to access Youtube over HTTPS, I get a Youtube branded page, that reads something like:

"The app is not available"

I'm not sure what the trick is, but it seems other companies have figured out a way to do this effectively.

[AdamB]

One thing suggested to stop this is to set a static DNS for youtube, and then firewall port 443 to stop HTTPS traffic. It's not a bad idea, but using windows DNS it's complicated.



Youtube for schools seems to be the biggest joke right now, since the injection into the URL string can only happen over unencrypted HTTP connections. But once you allow connections to the youtube domain, all it takes is for the user to add an "S" into the address bar and they don't have the Youtube for Schools restrictions.

Even though youtube is accessible, videos still stream over http, so the videos don't seem to play. I haven't tested this well, because it's not ideal for me that students can access the page at all.

I'm not trying to make problems at Untangle, but I was talking this over with another IT guy who knows filters, and when I told him I can't filter SSL Youtube connections, he laughed at me. He's using a competitor's filtering device. I tried it: when I attempt to access Youtube over HTTPS, I get a Youtube branded page, that reads something like:

"The app is not available"

I'm not sure what the trick is, but it seems other companies have figured out a way to do this effectively.

Working with Untangle support we found that youtube/google is not injecting its protochain into all requests. I've yet to see anyone find a way around this. Sure would love to pin it down.

[dmorris]

Whenever I just turn on tarpit for youtube it seems to work fine. All youtube is blocked and I can't access the site.

Note: if you are using IPv6 its not gonna matter what you do. IPv6 is not yet scanned by the apps.

There is no way google could use a non-youtube cert because then the browser would not accept it.
I would just use tcpdump and see whats going on.