On Fri, Apr 5, 2013 at 10:51 AM, Jessie A. Morris <[email protected]> wrote:
> On Friday, April 05, 2013 10:43:09 Merrill Oveson wrote:
>> Another vote for OpenDNS.
>
> One nice part about OpenDNS filtering is that it will filter SSL too, seeing
> as it's at the DNS level. Dansguardian (in transparent mode) cannot do this,
> as intercepting content is specifically what SSL was designed to prevent.

Squid can intercept SSL content by presenting its own certificate to the user, and making a second SSL connection back to the server, becoming a MITM. Some corporations' firewalls use this technique to filter SSL traffic as well. Yes it requires adding a new private CA to the clients' computers to prevent SSL warnings, but that's cake in a corporate or home environment. Not that I am advocating the use of filtering SSL traffic; it's creepy and possibly dangerous. I'm just saying it's possible.

And as far as OpenDNS filtering is concerned, it's only very basic filtering, and is extremely easy to defeat, even more so than a transparent Squid/DansGuardian setup. OpenDNS is only useful for filtering accidental traffic like porn sites on typo'd domains and the like. Anyone that wants to see unfiltered stuff can easily change the DNS servers to 8.8.8.8. Not even hard to remember the address. :)

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
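
An added example, not part of the original message: the resolver change described above is visible at the gateway, so a defender can flag clients whose DNS traffic goes anywhere other than the OpenDNS resolvers. It assumes the gateway logs outbound packets in iptables LOG style; the `OUT-DNS` prefix, host names and all sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenDNS public resolvers; DNS-level filtering only applies to clients using them.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS rides on 443 and is not visible here.
DNS_PORTS = {53, 853}

# Pull the key=value fields we need out of an iptables-style LOG line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
Apr  5 10:51:02 gw kernel: OUT-DNS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=208.67.222.222 PROTO=UDP SPT=40112 DPT=53
Apr  5 10:51:09 gw kernel: OUT-DNS IN=eth1 OUT=eth0 SRC=192.168.1.34 DST=8.8.8.8 PROTO=UDP SPT=51877 DPT=53
Apr  5 10:51:10 gw kernel: OUT-DNS IN=eth1 OUT=eth0 SRC=192.168.1.34 DST=8.8.4.4 PROTO=TCP SPT=51990 DPT=853
Apr  5 10:51:12 gw kernel: OUT-DNS IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=40120 DPT=443
Apr  5 10:51:15 gw dhcpd: DHCPACK on 192.168.1.34
"""


def find_bypasses(log_text, approved=APPROVED_RESOLVERS):
    """Return {client_ip: sorted unapproved resolvers that client sent DNS to}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if not {"SRC", "DST", "DPT"} <= fields.keys():
            continue  # not a packet log line
        if not fields["DPT"].isdigit() or int(fields["DPT"]) not in DNS_PORTS:
            continue  # not DNS traffic
        if fields["DST"] not in approved:
            hits[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, resolvers in find_bypasses(SAMPLE_LOG).items():
        print(f"{client} sent DNS to unapproved resolver(s): {', '.join(resolvers)}")
```

Blocking or redirecting outbound port 53/853 to the approved resolvers at the gateway closes the same gap that this check only reports.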
