WebSafety is subscription based and it configures a Squid proxy for you. I have it, it doesn't work well, and it's just sitting there unused.

NetAngel is a routing appliance that purportedly doesn't care what the client is and that filters all clients going through it and then some. Does NetAngel work?

Here is my use case for a proxy. A local area network has multiple clients that potentially want to browse some of the same web sites, where a proxy can cache certain sites if it keeps up with the changes, saving bandwidth when multiple clients ask for the same site. Another use case is filtering of sites through WebSafety or NetAngel. A site can be fetched into a proxy and classified before it is passed on to the clients. This is the most difficult form of filtering in the case of HSTS and HTTPS accesses. The problem is, HSTS says that the client has to be directly connected to the remote server via an encrypted link. A proxy in the middle is considered a man in the middle, unfortunately. The scheme that WebSafety uses to re-encrypt is not effective at allowing you to access most sites that are secure if Google is involved. Google encrypts most of the time and employs HSTS a lot.

Another approach to filtering is to make the direct connection but look up special content classification info via DNS. If a site is classified as inappropriate via the DNS, you get sent an IP that takes you to a page that says so. This bypasses the problem of HSTS and man in the middle. The problem here is that you have to classify all sites, whereas not all sites are necessarily classified in DNS. There's no enforcement of classification of sites on the Net, and keeping up is technologically difficult. The less intrusive DNS approach is desirable, but hard to maintain for all sites that you potentially want to classify day in/day out. The more expensive WebSafety approach doesn't work most of the time, especially on sites accessed via Google where HSTS is employed. HSTS stands for hypertext strict transport security, I believe.

I think the WebSafety approach needs to be modified. Identify as the proxy, and who is responsible for that proxy, making the appropriate secure connection. Make a secure connection with a root authority that is local to your LAN and allow access to the cached site in the proxy. So instead of saying the site is the remote site, say that you are accessing a local site, which you are. This may sound easier to do than it is; maybe I'm not fleshing this out enough to see all the problems.

Another approach to dealing with HSTS is allowing, on a case by case basis, direct connections instead of forcing people to use the proxy. Perhaps when you look the site up in DNS there could be a TXT record that indicates bypass is allowed for a secure connection. The question is, how do you get the browser to bypass on a case by case basis and avoid bypassing for random sites that may be inappropriate?

Any thoughts on how NetAngel does or doesn't work are appreciated from anyone who has used it. Thoughts on how to improve WebSafety and make it work better are also appreciated.

-- 
Michael C. Robinson

_______________________________________________
PLUG: https://pdxlinux.org
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
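For readers following the HSTS discussion above, here is an added illustration (written for this page, not code from the post's author nor from WebSafety or NetAngel) of what a browser's HSTS cache actually does with a Strict-Transport-Security header: it records a per-host expiry, honours includeSubDomains, and drops the entry on max-age=0. The practical consequence for a filtering proxy is that on any host this cache knows, a certificate the browser does not already trust is a hard failure with no "proceed anyway" button, so an interception CA has to be installed as trusted on every client or the user just sees an error. The sample headers and host names are constructed.

```python
"""Model of a browser's HSTS cache (RFC 6797 semantics), as an added example.

Not the behaviour of any particular product; it shows why a filtering proxy
presenting its own certificate is rejected outright on HSTS-pinned hosts
unless the proxy's CA is trusted by the client.
"""
import time


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is malformed or lacks the required max-age,
    in which case a browser ignores it.
    """
    directives = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None  # non-numeric max-age: policy is ignored
            directives["max_age"] = int(value)
        elif name == "includesubdomains":
            directives["include_subdomains"] = True
        elif name == "preload":
            directives["preload"] = True
    if directives["max_age"] is None:
        return None
    return directives


class HstsCache:
    """Per-host HSTS policy store keyed by hostname, with a pluggable clock."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header):
        """Record the policy carried by a response on a trusted HTTPS connection."""
        d = parse_hsts(header)
        if d is None:
            return
        host = host.lower()
        if d["max_age"] == 0:
            self._policies.pop(host, None)  # max-age=0 clears the entry
            return
        self._policies[host] = (self._now() + d["max_age"], d["include_subdomains"])

    def is_known_host(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_subdomains = policy
            if expires_at <= self._now():
                continue
            if i == 0 or include_subdomains:
                return True
        return False


def cert_error_is_fatal(cache, host):
    """On an HSTS-known host a browser refuses click-through on an untrusted cert."""
    return cache.is_known_host(host)


if __name__ == "__main__":
    # Constructed sample: a response header as a site might send it.
    cache = HstsCache()
    cache.observe("example.test", "max-age=31536000; includeSubDomains; preload")
    for h in ("example.test", "www.example.test", "other.test"):
        print(h, "hard failure on untrusted cert:", cert_error_is_fatal(cache, h))
```

The pluggable clock exists so expiry can be exercised deterministically; in a real browser the store is persisted and also seeded from the preload list, which this model leaves out.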
