Re: [squid-users] Block uncategorized HTTPS traffic

From: Marcus Kool <marcus.kool_at_urlfilterdb.com>
Date: Wed, 09 Mar 2011 21:29:19 -0300

ufdbGuard is a free URL filter that can block Ultrasurf.
You need to use the option enforce-https-with-hostname.
ufdbGuard can be used with your own whitelist/blacklist,
a free URL database, and a commercial URL database.

Marcus

Amos Jeffries wrote:
> On Wed, 9 Mar 2011 12:12:53 -0800, Luis Veana wrote:
>> Hi
>>
>> Can SQUID 2.7 block HTTPS uncategorized traffic in any way?
>
> Define "uncategorized" and there is the answer.
> Failing to define it clearly is an automatic "no".
>
>> I'm trying to block ULTRASURF usage in my callcenter.
>> These guys are freely browsing now, since one of them brought this
>> file to my network.
>> This software is exceptional by the way, there is no installation
>> required, it requires NO admin privileges.
>> And it auto-configures the system to become a proxy using the
>> 127.0.0.1:9666 address pushing the traffic through a SSL 443 connection.
>> At least this is what I could see until now.
>>
>> Any suggestions?
>
> I think you will find it uses various methods including random
> connection ports to ensure it "always" works.
>
> In a callcenter you have known software with known ports etc which are
> needed. Firewalls can be set to restrict or block other access.
>
> For the stuff relayed through Squid-2 you need a whitelist of
> destinations which are acceptable or a pattern of destinations which are
> not. It comes down to defining uncategorized and discovering how
> ULTRASURF passes requests through Squid. It's been a while since I faced
> it, IIRC it operated like TOR.
>
> On the non-technical side, network blocks do not work without company
> policy and support. You have contracts outlining (in)appropriate
> behaviour in the workplace which covers network usage, right? If not
> *you* are in the wrong for blocking them against their contract
> agreement, that needs fixing. If you do, enforce it, firings are in order.
>
> The (somewhat unusual) path I follow with my sub-contractors is to
> charge for non-work related network usage of business resources. Just
> like any other ISP at slightly less than our market rates, deducting
> time wasted from paid hours on top of the charge. They find it fair and
> completely under their own control whether they get paid or not.
>
> Amos
Received on Thu Mar 10 2011 - 00:29:23 MST
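
Added example, not part of the original thread or of Squid/ufdbGuard: a dry run of the "whitelist of destinations" approach over Squid native-format access.log lines, listing per client the CONNECT tunnels that a whitelist would deny. The allowlisted domains, the sample log lines and the choice to flag bare IP-address destinations as the "pattern of destinations which are not" acceptable are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: destinations the call-centre software legitimately needs (hypothetical names).
ALLOWED_SUFFIXES = ("crm.example.com", "voip.example.net")

# Constructed sample lines in Squid's native access.log format.
SAMPLE_LOG = """\
1299715759.101   5023 10.0.0.21 TCP_MISS/200 4312 CONNECT crm.example.com:443 - DIRECT/192.0.2.10 -
1299715760.432  60211 10.0.0.37 TCP_MISS/200 88120 CONNECT 203.0.113.55:443 - DIRECT/203.0.113.55 -
1299715761.007    210 10.0.0.21 TCP_MISS/200 1530 GET http://crm.example.com/login - DIRECT/192.0.2.10 text/html
1299715762.880  30544 10.0.0.37 TCP_MISS/200 40211 CONNECT 198.51.100.7:8443 - DIRECT/198.51.100.7 -
1299715763.250   1200 10.0.0.44 TCP_MISS/200 9100 CONNECT mail.example.org:443 - DIRECT/192.0.2.80 -
"""

def classify(target):
    """Return 'allowed', 'ip-literal' or 'not-allowlisted' for a CONNECT host:port."""
    host, _, _port = target.rpartition(":")
    host = host.strip("[]").lower()  # IPv6 literals are logged in brackets
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # tunnel to a bare address, no hostname to categorize
    except ValueError:
        pass
    if any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return "allowed"
    return "not-allowlisted"

def review(log_text):
    """Map client IP -> list of (target, verdict) for CONNECTs a whitelist would deny."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = line.split()
        # Native format: time elapsed client action/code size method URL ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        verdict = classify(f[6])
        if verdict != "allowed":
            hits[f[2]].append((f[6], verdict))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in sorted(review(SAMPLE_LOG).items()):
        for target, verdict in rows:
            print(client, target, verdict)
```

Running this against real logs before enforcing a whitelist shows which legitimate destinations still need to be added and which workstations are tunnelling elsewhere.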
