From: David S. <dp...@dp...> - 2015-05-09 14:41:49
Hi,

I think that you might want to have a look here:

<http://wiki.squid-cache.org/Features/HTTPS>

https is a secure encrypted point-to-point protocol.... The idea behind it is to prevent man-in-the-middle interception or tinkering....

Hence, not "broken"... Just working as it was designed....

Dave

***********************************************************************

On Sat, 9 May 2015, Dave Evans wrote:

> I've been looking at SafeSearch which seems to be broken now that search engines are going over to https. I've been researching this for google only, though I expect the results are similar (in probably many differently broken ways) for other search engines.
>
> I note that in:
>
> /var/ipcop/proxy/squidGuard.conf
>
> which is written whenever you save the URLfilter page by
>
> /home/httpd/cgi-bin/urlfilter.cgi
>
> there is code like:
>
> # rewrite safesearch
> s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|frghp|froogle)\\?)(.*)(\\bsafe=\\w+)(.*)\@\\1\\3safe=strict\\5\@i
> s@(.*\\Wgoogle\\.\\w+/(webhp|search|imghp|images|grphp|groups|frghp|froogle)\\?)(.*)\@\\1safe=strict\\\&\\3\@i
>
> which is obviously trying to rewrite URLs submitted to google (as an example).
> Leaving aside the fact that safe=strict is the bing syntax & for google we should be using safe=active, then as far as I can see it's not working, and I think this is now because google is now using https:
>
> We can force (or encourage) the browsers to use the proxy using a wpad.dat file (http://home.earthlink.net/~copplus/httpsproxy.html) so that all browser traffic goes through the proxy, but my understanding is that the proxy as implemented inherently does not see the part of the URL after the .com (or whatever) and that's the bit we're trying to rewrite with the rule above. This is why the proxy logs no longer show long search strings any more.
>
> Google now suggests setting up an alias to www.google.com --> forcesafesearch.google.com
>
> "To force SafeSearch for your network, you’ll need to update your DNS configuration. Set the DNS entry for www.google.com (and any other Google ccTLD country subdomains your users may use) to be a CNAME for forcesafesearch.google.com"
> https://support.google.com/websearch/answer/186669?hl=en, see the advanced section
>
> however as far as I can see, the DNS implementation we're using on IPCOP (dnsmasq) only allows us to use CNAME to be an alias for entries explicitly in the hosts file, and thus NOT to an externally defined item like www.google.com or www.google.co.uk. Therefore we cannot use dnsmasq to translate www.google.com to forcesafesearch.google.com
>
> If you try to do it with your query it doesn't work, if you put this in your browser
>
> https://www.google.co.uk/search?q=flowers <-- works
> https://forcesafesearch.google.com/search?q=flowers <-- fails 404
>
> so it has to be done at the DNS level for that to work, rewrite rules won't cut it.
>
> Am I right?
> Are we doomed?
>
> Dave
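The point discussed in this thread, that a proxy handling https only sees the host and not the query string, as an added example that is not part of either message or of IPCop's code. It assumes the doubled backslashes and \@ in the quoted rules are string escaping in the CGI source, that the first matching rule wins, and it uses constructed request lines; the function names are hypothetical.

```python
import re

# The two rules quoted above with the assumed string escaping removed (\\ -> \).
_PAGES = r"(webhp|search|imghp|images|grphp|groups|frghp|froogle)"
RULES = [
    # Rule 1: an existing safe=... parameter is overwritten.
    (re.compile(r"(.*\Wgoogle\.\w+/" + _PAGES + r"\?)(.*)(\bsafe=\w+)(.*)", re.I),
     r"\g<1>\g<3>safe=strict\g<5>"),
    # Rule 2: otherwise safe=strict is put in front of the query string.
    (re.compile(r"(.*\Wgoogle\.\w+/" + _PAGES + r"\?)(.*)", re.I),
     r"\g<1>safe=strict&\g<3>"),
]


def proxy_visible_url(request_line):
    """Return the request target, the only URL text the proxy receives."""
    _method, target, _version = request_line.split()
    return target


def rewrite(url):
    """Apply the first matching rule (assumed ordering); return (url, changed)."""
    for pattern, replacement in RULES:
        new_url, count = pattern.subn(replacement, url, count=1)
        if count:
            return new_url, True
    return url, False


# Constructed request lines as a browser sends them to a configured proxy:
# plain http uses the absolute URL, https opens a tunnel with CONNECT host:port.
SAMPLES = [
    "GET http://www.google.com/search?q=flowers HTTP/1.1",
    "GET http://www.google.com/search?q=flowers&safe=off HTTP/1.1",
    "CONNECT www.google.com:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        seen = proxy_visible_url(line)
        new_url, changed = rewrite(seen)
        print(f"{seen!r:55} rewritten={changed} -> {new_url}")
```

For the CONNECT line the path and query travel inside the encrypted tunnel, so neither rule has anything to match, which is also why the proxy logs stop showing search strings.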