
Ask Slashdot: Best Way To Block Web Content? 282
First time accepted submitter willoughby writes "Many routers today have the capability to block web content. And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking? Is it best to have the router only route packets & do the content blocking on each machine? If using the content blocking feature in the router, will performance degrade if the list of blocked content grows large? Where is the best place to filter/block web content?"
Best way to filter web content: (Score:5, Funny)
Unplug your modem. Internet is now filtered. Enjoy your day!
Re:Best way to filter web content: (Score:5, Informative)
The CLOUD!
No but real. SMB, use EasyDNS.
Big shop? Z-Scaler and similar.
Actually, EasyDNS is better. It blocks specific bloggers and tumblrs, that many "Enterprise" solutions give a pass.
But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.
Re: (Score:3)
>But for EasyDNS, you HAVE to be able to control the resolv.conf of your clients, or it is bypassed.
You don't have to control the resolv.conf, you just only allow DNS traffic to the IPs of the DNS server and block the others. That doesn't stop a user from going all APK on you and using a hosts file (or something similar) or a VPN if you allow it, but will stop most people.
Re:Best way to filter web content: (Score:5, Insightful)
To add on to this, it is good to block all DNS except a few trusted servers anyway. If someone gets a 'DNSChanger' style virus it will show up on the firewall pretty quick.
Re: (Score:2)
53 UDP Any Drop.
After the allow. :-)
Re: (Score:2)
Stupid! Think before typing.. ICMP.
It's pretty clear I don't do this on a daily, any more...
You had it right the first time (Score:2)
You're also behind the curve on DNS (Score:3)
DNS can use udp/53, but it also supports tcp/53 (and even requires it for longer query types.) You'll want to block both just to be sure.
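An added example, not part of any poster's comment: one way to make a 'DNSChanger'-style infection "show up on the firewall" is to count port-53 packets, UDP and TCP alike, that clients send to resolvers outside an allow-list. The log lines, addresses, and the names `TRUSTED_RESOLVERS`, `parse_packet` and `rogue_dns` are constructed for illustration; the lines follow the KEY=value style of Linux netfilter LOG output.

```python
import re
from collections import Counter, defaultdict

# Assumption: the only resolvers clients may use (constructed RFC 5737 addresses).
TRUSTED_RESOLVERS = frozenset({"192.0.2.53", "192.0.2.54"})

# Constructed sample in the KEY=value style of Linux netfilter LOG lines,
# as a gateway might log forwarded packets. Not real traffic.
SAMPLE_LOG = """\
Jan 12 10:01:02 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.21 DST=192.0.2.53 PROTO=UDP SPT=51234 DPT=53
Jan 12 10:01:03 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=53
Jan 12 10:01:04 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.7 PROTO=UDP SPT=40002 DPT=53
Jan 12 10:01:05 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.22 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=53
Jan 12 10:01:06 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.80 PROTO=TCP SPT=40100 DPT=443
Jan 12 10:01:07 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.21 DST=192.0.2.54 PROTO=TCP SPT=51300 DPT=53
Jan 12 10:01:08 gw kernel: FWD IN=br0 OUT=eth0 SRC=10.0.0.24 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:01:09 gw kernel: eth0: link becomes ready
"""

_FIELD = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_packet(line):
    """Return (src, dst, proto, dport) for a logged TCP/UDP packet, else None."""
    fields = dict(_FIELD.findall(line))
    try:
        proto = fields["PROTO"].upper()
        if proto not in ("TCP", "UDP"):
            return None  # ICMP and friends carry no destination port
        return fields["SRC"], fields["DST"], proto, int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # unrelated kernel message or damaged line


def rogue_dns(log_text, trusted=TRUSTED_RESOLVERS):
    """Map each client to a count of port-53 packets per (proto, resolver)
    sent to resolvers outside the trusted set, over UDP and TCP alike."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, dst, proto, dport = pkt
        if dport == 53 and dst not in trusted:
            hits[src][(proto, dst)] += 1
    return {src: dict(counts) for src, counts in hits.items()}


if __name__ == "__main__":
    for client, targets in sorted(rogue_dns(SAMPLE_LOG).items()):
        for (proto, resolver), n in sorted(targets.items()):
            print(f"{client} -> {resolver} {proto}/53 x{n}")
```

A client that appears here is either misconfigured or has had its resolver settings changed, which is the signal the comments above describe.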
Re: (Score:3)
Well, besides the fact that you would need to block TCP as well as UDP (RFC calls for support on both and longer messages, such as zone transfers, require TCP due to UDP's content length limits), you also have the benefit of the fact that this would block exploits that make use of port 53 for communication on the strong likelihood that it is completely unfiltered.
The AS article asks where is the best place to filter though. This gets tricky. The request doesn't indicate whether this is enterprise equipment
Re: (Score:2)
Of course, you are then also clever enough to TOR - or some other tunneling transport - your traffic, including recursive DNS queries.
Re:Best way to filter web content: (Score:4, Insightful)
Unplug your modem. Internet is now filtered. Enjoy your day!
This is an appropriate response given the bullshit question.
There are different approaches for blocking content, depending on if you're running an ISP, a large Enterprise, a small business, or are just a home user. There are different approaches depending on what TYPE of content you're trying to block, and WHY you're blocking it.
There is no simple, single answer to the question other than "well it all depends".
Adblock is a user-friendly plugin which is, put simply, nothing more than a blacklist of various hosts which serve advertising content. The security aspects of this approach are incidental- it's not a security program it's for avoiding ads.
If you're running an Enterprise or are a more tech-savvy user it's usually better to maintain your own blacklist, either at the edge router or via a hosts file on the local machine (depending on network size and complexity, and capability of your edge routers). If you're just a plain Joe Average, it's probably better to do it per-machine, especially if you're using a laptop which you're going to use in different locations.
NoScript is not, by design, an ad-blocker. It is a script-blocker, and is a security program- ad blocking is incidental. It has the added advantage of operating on a whitelist, so new sources of threats will be caught by default. It blocks a variety of scripting languages from any location you have not specifically allowed, in addition to several other types of browser exploit vectors. For the technical user it is vastly superior to Adblock, but for people who are not so "internet savvy" it can be confusing and frustrating to have to maintain your own whitelist.
Perhaps if the submitter would give us something more specific as to his needs, he'd get better answers.
42 (Score:2)
Being uninformed about a subject, and therefore needing help figuring out which questions to ask, I can understand. People who expect a correct answer, while obstinately refusing to decide what the question is, baffle me with their stupidity.
Nice Try China! (Score:5, Insightful)
Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.
And you all know about browser addons like noscript & adblock. But where is the 'proper' place for such content blocking?
If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying [slashdot.org]. I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.
I've clicked on ads and purchased something twice in my life from ads on a site. Once it was cheap shirts with funny designs on them (I needed new gym shirts) and the other was an eBay auction with a Buy It Now price lower than what I was looking at on that site (not sure how that works). I consider myself a pretty sophisticated person who is "above" advertising but anecdote-wise it's worked on me twice that I can think of. Removing that rare occurrence completely ruins the revenue model.
Re:Nice Try China! (Score:5, Insightful)
I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.
I agree with you that the standard Google adsense ads are ok, blocking them is counterproductive (because websites need income). However, Youtube ads (also operated by Google) have gone way over the line and are way too intrusive; also far too many websites still shove floating divs and the like in your face (in fact, that's something that seems to be increasing), and manually blocking only the intrusive ads becomes far too much effort so invariably all ads get blocked.
Re:Nice Try China! (Score:4, Insightful)
and that's exactly why I use noscript and not block ads. Of course I follow the "DENY ALL" policy and only add those few sites to the whitelist that I actually use and guess what, this blocks 95+ percent of the stinking ads online while still allowing me to use the net. Otherwise it's to the point that I'll simply drop my ISP/Cable and Phone services since I don't use them and 911 calls are paid for by the 911 tax/surcharge by everyone (mandatory service). Only thing I even use the phone for anymore as I simply don't give a damn about talking to anyone when I'm home.
Re:Nice Try China! (Score:5, Insightful)
On the other hand, you have:
* ads that track you
* annoying popups
* popups masquerading as windows messages that have faux buttons to close them, cancel them, or remove viruses that the popup supposedly just detected
* ads that flash, flicker, or have a lot of motion/activity in them (which I find to be particularly distracting)
* ads that play sound
I'm not saying I wouldn't adblock if you got rid of the above ads, but currently there are too many reasons for me to even consider getting rid of adblock.
Re:Nice Try China! (Score:5, Informative)
This is one of the things the internet was built upon.
This is patently false. The internet, and before it the countless BBS services, was built on freedom and idealism. A server operator would pay out of pocket for their hobby and users would either access it for free, pay membership fees, or pay 900-number dial-in fees. The early internet had no ads because it was a hobbyist driven system. Not until the mid 90's did the internet monetize.
Re: (Score:2, Informative)
Lol! Silly romantic. You think the Internet infrastructure was paid for by dial-up users?
Most of it, including the high-speed backbones, was paid for by universities, the military, and telecoms. But it's cute that you think it was "hobbyists."
Re:Nice Try China! (Score:4, Funny)
Well, if someone would actually build a browser with a popup blocker that actually worked, the popup issue would be solved.
One shouldn't have to turn off scripts to stop popups. All they have to do is insert into the code:
if (going to open a new window from this web site and
user doesn't want these popups)
then
tough shit
Re:Nice Try China! (Score:5, Funny)
What computer language is this? I think I want to try it.
Re: (Score:2, Funny)
Looks like Applescript to me.
So which divs are "these pop-ups"? (Score:2)
Navigate away from most pages (Score:2)
That kind of element should not be blocked. A popup-like div does a fine job of alerting the user to something
Something in this case being a "special offer".
Even if it's modal to the window it still dies when you navigate away from the spawning page.
If the majority of ad-supported web sites switched to using a pop-up-like div for advertisement, and you were to navigate away from pages that use a pop-up-like div for advertisement, you'd be navigating away from most pages that aren't amateur or subscription. So what would the web be for?
Re: (Score:2)
they still have those?
I guess I've used adblock plus for too long.
Re:Nice Try China! (Score:4, Insightful)
Let's not forget:
ads from compromised servers shoving malware/payloads down your throat
I could live without adblocking... but that last one there is a no-go. If that's not fixed, I am not willing.
Re: (Score:3)
Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly. But if everyone does it, it ruins the very thing you're enjoying.
It's the ads themselves that ruin the very thing I'm trying to enjoy. If ads weren't so intrusive and resource-intensive, nobody would block ads. The web sites that need ads for revenue are their own worst enemies.
Re: (Score:2)
Yes, blocking ads is like throwing a soda can out the window. We need to just line up all the admen and shoot them.
I mean, has the ENTIRE slashdot community become 'web developers' and their ilk, sucking on the adman's teat?
Re:Nice Try China! (Score:5, Insightful)
If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed -- and I know I'm alone in that unpopular view. Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly.
You are certainly in the minority. Most people's view of that analogy would be that the can being thrown out of the window is the advert, and that the spoiled environment that is the result is like the spoiled web that is a result of heavy advertising.
I do not accept that the internet needs third party advertising. Nor that the internet without it (and thus a loss of revenue for some site operators) would be worse.
There was an internet before widespread advertising. Some people run a site as a hobby. Some organisations run sites because they want to spread an idea, or need to get information out there. Commercial organisations will still want to run their own web-sites, whether they sell from them, or just as a communications tool. There are lots of reasons why the internet won't die without advertising.
A lot of sites with heavy advertising don't even have good content. They are only there to make money from adverts, so they steal content, or just link to what other sites have put out, or publish PR verbatim.
There's absolutely nothing to stop people trying to make money with third party advertising, and I wouldn't want any official body trying to outlaw them. But equally I see nothing wrong with blocking them so that I don't have to see them, or waste bandwidth on them. If the result is that there are less people that can make a profit from selling advertising, then I say "hurray!"
Re:Nice Try China! (Score:5, Interesting)
I am continually surprised that it is still legal to block ads, and that there is no visible movement to make blocking illegal. Not even any pervasive "The websites must be able to make money on what they do!", "Blocking ads is like stealing from the websites!" or "You wouldn't watch a movie/TV-show without watching the commercials" campaigns.
Google and their customers must not have as good lobbyists as Hollywood.
Re: (Score:3)
More likely they realize what a particularly nasty fire-ant hill they would be kicking over by doing so.
Re:Nice Try China! (Score:5, Insightful)
Now I am thinking what if an ad-blocker would download the ads - so that the websites can sell all eyeballs to their advertisers - but then silently threw them away instead of showing them to the user, who is not interested anyway?
Re:Nice Try China! (Score:4, Informative)
Adblock used to have an option to do just that. It disappeared many versions ago.
Pity, because it was a good idea if you really wanted to stick it to the advertisers. You'd lose the bandwidth savings as the ad content would still download, but if you're unmetered and sporting a vendetta against marketroids it was a great option to use.
Re: (Score:2)
I don't need advertisements. When I want something, I research it, then I buy it. When I want to know something, I google it. When I want to buy random stuff, I go to a bargain site where people can humanely tell me what I should buy. If advertisers were responsible and didn't try to scheme for my attention, I might give it to them. I don't find it helpful if I go to work, look something up and then come home and find a recommendation for the same product. But for some reason, somebody somewhere thinks that
Re:Nice Try China! (Score:5, Insightful)
Removing that rare occurrence completely ruins the revenue model.
GOOD! That revenue model is the single largest driver of the internet surveillance state. [slashdot.org] It is difficult to imagine a funding model for the internet with worse social costs. The sooner it dies, opening the door to replacement systems that are less invasive the better off we all are.
Re: (Score:2)
The aesthetics and annoyances of ads are only part of the issue, and not even the most important. Ads are also vectors for information gathering and tracking across the web, which is why it is perfectly justifiable to cut them off at the ankles, right in your hosts file.
Re: (Score:2)
If you're talking about adblocking, the 'proper' place is at your visual cortex where images are processed
Exactly right. None of my computers have adblockers installed. I know ads drive most of Slashdot absolutely batshit crazy, causing them to invest hours and dollars blocking them, but I'm just 'meh' - I tune them out.
Re: (Score:2)
I don't really give a flying fuck. Most of it is crap anyway
If you don't care about the sites that run ads to support themselves, why run an ad blocker? Since those sites are all 'crap' you're not visiting them, because they apparently have nothing to offer you, so what do you need to block?
Re: (Score:3)
sites that rely on advertising revenue only by 3rd party companies shouldn't be around anyhow, it's a waste of space.
all 3rd party ad streams should be blocked, people get enough spam in their life, from driving to and from work massive amounts of billboard spam, postal mail massive amounts of snail mail spam, television 15-30 minutes of content padded out to 30-1 hour shows with spam.
all spam is blocked in emails
i
Re: (Score:2)
Or, perhaps, sitting down with your users and discussing with them how to surf intelligently and safely.
It's time people stopped giving this answer. The problem is worse than "be safe" (or "pull out" to use a car backseat analogy).
A few months ago in a known developer forum a known dev gave a link to his legit project on github. I knew what github was having seen it referenced by many devs to their projects also in other forums but I had never visited. I clicked on his link and github opened and my A/V immediately stopped a blackhole exploit attempt. I verified his link wasn't funky and because my A/V was tri
Re: (Score:2)
There's plenty of unsafe behavior possible, but there's no such thing as safe behavior. Until the latest fix, enabling Java was unsafe behavior. Is it safe now? We won't know until it's proven unsafe. Same for any sufficiently complex plug-in.
Re: (Score:2)
> Blocking ads is like throwing a soda can out a car window in that if one person does it, it's not a problem and it appears to benefit them modestly
It is STILL littering no matter how many justifications you try to use.
ads = visual littering (and now audio littering.)
> I can understand why you'd do it if the ad was a massive flash blob but many ads by Google or just images aren't resource intensive.
1. Ah, the old "bandwidth usage is imaginary" argument. Do you understand network _latency_ ? Blockin
I only block moving ads (Score:2)
I have no need to block static ads. I get annoyed at ads with motion though, but they're easy to block. Animated gifs, just hit ESC in Firefox, they stop.
Then I use flashblock which disables all flash-based content. I can selectively choose any content to view it, such as youtube videos and the rest of the flash ads are still blocked.
Ads still get through, and I'm not annoyed at all the flashing/blinking and bandwidth-hogging ads as they are blocked or stopped. Easy.
Re:Nice Try China! (Score:4, Funny)
You took the words exactly out of my mouth.
- then shouldn't you be angry with him for copyright infringement?
You don't click a TV or sports stadium. Branding (Score:2)
The internet allows you to track clicks, but still most
Ever bought Coke or Pepsi? (Score:2)
At the proxy. (Score:5, Informative)
Re:At the proxy. (Score:5, Insightful)
This is the right answer. There's nothing wrong with ad blocking on the client, but if you want to block content for a whole bunch of users, a proxy is the answer. squid really is easy to set up.
Re:At the proxy. (Score:5, Insightful)
Why do you want to block content for a whole bunch of users? Do you run a dictatorship?
The most obvious example which does not support your jerking knee or twisted panties is keeping known malware off of a corporate network.
Content blocking should be done on the client because it's the only place where the user has control over the blocking.
If it's your computer, sure. (That includes those which are owned by the state but which you have access to, e.g. at the library.) If it's not your computer, fuck off. It's not your computer.
Re: (Score:2)
If it's not your computer, but The Boss appears to have hired you as the junkyard dog in charge of bossing people around on it... well, in your own words, fuck off. (and die)
If you have a job where you work with a computer, you can almost certainly afford to carry your own personal computer in your pocket so that you do not need to expose your work network to malware because you wanted to do some personal surfing.
It's easy to create a proxy with a simple workaround which you can give to users who need it. You put a non-transforming proxy on a second port, you do transparent proxying, and then you can let some users use the non-transforming proxy. For bonus points, create a sepa
Malware on pocket computer (Score:2)
If you have a job where you work with a computer, you can almost certainly afford to carry your own personal computer in your pocket so that you do not need to expose your work network to malware
Someone who brings in a computer would be exposing his work network to whatever malware is installed on the personal computer in his pocket.
Hundreds of dollars per year (Score:2)
drinkypoo wrote: "If you have a job where you work with a computer, you can almost certainly afford to carry your own..."
JazzLad wrote: "...smartphone, typically with dedicated internet."
That's still at least a $420 per year expense (source: virginmobileusa.com), especially for someone who's currently paying about one-fifth of that. Have circumstances finally changed such that a smartphone with a data plan, in addition to what one is already paying for Internet at home, is no longer a luxury but now a
Re: (Score:2)
Have circumstances finally changed such that a smartphone with a data plan, in addition to what one is already paying for Internet at home, is no longer a luxury but now a necessity?
I'm missing the part where it's a necessity to have unfiltered browsing for your own pleasure at work. If you really need that, you are most likely in a position to afford it. I think that most would agree that most people only really need a cellphone, if that, in order to keep in touch with the things they must keep in touch with. For everyone else, there's your own phone.
Re: (Score:2)
It's the boss's prerogative to delegate deciding what restrictions to put on company computers. Don't like it? Don't work there.
How to relocate away from a policy like this? (Score:2)
Don't like it? Don't work there.
If you grew up in a town with one dominant employer [wikipedia.org], and this employer had a policy with which you did not agree, where would you find the money to relocate to another town?
Re: (Score:3)
"At what level should I block content for several machines on your network?"
"Why would you want to block content for several machines on your network?"
"To keep malware off work machines."
"People hired to block content as part of an effort to keep malware off work machines should quit their jobs."
"So if the only available jobs in one's location and area of expertise are with companies that block content as part of an effort to keep malware off work machines, where should one work instead?"
"Off top
Re: (Score:2)
Or do you trust people to be responsible and deal with it interpersonally if it starts to interfere with work?
I will certainly block known scam numbers from a phone system, just like I will block known malware delivery networks from a business network. I do not trust people to make intelligent decisions, especially when there are people trying to scam them into making unintelligent ones who may be more intelligent and/or savvy than they are.
Upstream (Score:3)
I envisage an HTML feature where you can click on something and have it labelled spam at the ISP.
Allowing this info back to the scum that served it would be a privacy invasion of the worst kind.
Perhaps some enlightened ISPs could charge people double for serving shit. They would get my business for sure!
I truly believe that if the ads were not so horribly intrusive and bandwidth hogging, they could/would be ignored or even watched. Just last night, I watched a really great advert on TV yesterday - way better than the program it was embedded in - watched the ad to the end, and then ditched the actual program! However, I have stopped visiting certain websites because the amount of flash they serve makes it impossible to actually scroll through the content!
Please feel welcome to give me the standard spam prevention review form ;-)
Re:Upstream (Score:5, Informative)
Filtered DNS does this already if you choose to use it.
http://www.opendns.com/
http://www.scrubit.com/
Re: (Score:2)
Just catch all outgoing DNS at your router and redirect them to your own DNS server or OpenDNS if you wish. Much easier and especially much more fail safe.
Re: (Score:2)
But isn't it mostly the case that you know you don't want something even before you look at the content? So you can block the request before it even goes out to the ISP.
Re: (Score:2)
ISPs should offer a service to block it for you so you dont have to pay for the bandwidth...
I truly believe that if the ads were not so horribly intrusive and bandwidth hogging, ..
What kind of bandwidth are you talking about?
He wants to block web content, not email spam. When you block a web site with squid, hosts file, firewall etc., you use zero bandwidth to connect to the site.
Actually, you may end up using more bandwidth blocking web content at the ISP level because your HTTP requests could still get to the ISP along with a HTTP response.
Comment removed (Score:4, Insightful)
Well, the first shot has already been fired... (Score:3)
Some Good OSS Based Options (Score:2)
Blocking content at the router/firewall is the best place to block it inside your network. Otherwise you're dealing with keeping several machines up to date. As IT infrastructure becomes more diverse (Mac, Windows Flavors, Guests etc) keeping individual machines updated will be harder than a centralized point. Another option is to force users to utilize a specific DNS server (ie http://www.opendns.com/business-security/). Then all you do is block DNS traffic destined for any other DNS servers.
I'd avoid the $
Re: (Score:2)
Then all you do is block DNS traffic destined for any other DNS servers.
I find it more convenient to redirect DNS queries to the server you like instead of blocking them.
Service that filters domains and IPs? (Score:2)
One solution is a service that filters domains at the DNS level, such as OpenDNS.
But does anyone know of a similar service on the IP level? Malware attackers may not cooperate by using domain names; IP addresses are less hassle for them, less attention-getting from the average end-user (who knows somewebsite.ru is wrong, but not 134.14.215.12), and they bypass DNS-level security. The IP-level filter would have to be either,
* Something like an RBL, but for all attacks not just for spam.
* A pr
Re: (Score:2)
You can get lists there: http://www.iblocklist.com/ which you can use for blocking and also for allowing. The service depends on your needs; I am using 4 lists from iblocklist and http://www.peerblock.com/ on a Windows computer :)
Router level (Score:2)
Routers.... (Score:2)
In my opinion, as a network engineer, routers should never be used for security functions as it just isn't scalable from a support and management perspective (i.e. keeping settings the same across a large number of sites). If you need to block traffic then you need to buy a Firewall and/or a Proxy server. If you can just afford one device, buy a firewall. Most Firewalls can also support routing and routing protocols plus they are optimized to handle the additional overhead of security services.
Unless thi
Whitelisting, anybody? (Score:2)
[Before anybody gives a response about Internet freedom, that's well and all, but for certain applications, you only need to have employees access a few websites--like say a corp HQ information system.]
There are many routers that have a way to blacklist certain sites and keywords, though that's basically useless (a few mL vs the ocean?).
Whitelisting would be much more handy, but most routers don't support it.
Not only that, but custom Linux router firmware doesn't (easily) support it. Not DDWrt or Tomato. Op
Browser level blocking (Score:2)
I for one would not want to pay for the router powerful enough to parse every webpage that passes through it.
Also it would be a far bigger pain to update and modify.
The best way by far is (Score:2)
to live in Iran
Internet and revenue (Score:2)
Somebody has to pay for the bandwidth, the infrastructure, etc.
Then comes along content. Content can't always be 'free'. Someone has to place it on the web, someone has to maintain it, someone creates it and depending on the complexity of the content, there are 1 or more content creators and associates/affiliates getting involved and eventually people need to make a living.
Here's the point I'm making with the following example:
My wife
decent filter at the edge ... (Score:2)
Take a look at the devices from Fortinet ... decent AV/Malware as well as webfilter with "the usual" load of different categories (and the ability to filter based on groups defined e.g. by SSO info from an ADS). Add to that many additional security firewall features, IPS, security scanner, ... to top it off, it's a lot more affordable with better throughput than many (all well-known?) competitors ...
Can't answer without knowing what you're after (Score:2)
Are you a parent trying to keep your kids from porn? Are you a business trying to keep your workers on task? Are you a government trying to control the eyeballs of your citizens? Are you just trying to keep ads away from your personal eyeballs, malware from your personal devices?
If it's for your own personal use there are two approaches:
1) Do it on the device. This has the advantage of being easy to pause if it causes a web site or service to stop working. It has the down side of not being centrally managed
Do it in the browser (Score:2)
Blocking at the web browser level, where the blocking program has an idea of what's going on, works best. Blocking at the IP level will stall out some sites. It's technically possible to block in the browser in such a way that the site can't figure out that it's being blocked. Few sites detect ad blockers yet, but more could. It may be worthwhile to delay loads of ad sites and see if this stalls the loading of the real content. For mobile, it would be amusing to have an ad-blocking proxy site which reads
Best Way To Block Web Content? (Score:2)
Close the Browser.
Gopherspace (Score:2)
Re: (Score:2)
Precisely.
There is no "proper", or "best practice" place. Your two questions are entirely dependent on your use-case scenarios. If you want to block flash scripts on your kids browsers, do it host level at the OS. If you are dealing with a gigantic 2000 employee office campus, then you'd want to probably handle that centrally on a giant honking appliance/router designed for it where you can centrally manage policy.
But ... you can flip both scenarios blocking mechanisms I just mentioned and they'd still work
Re: (Score:2)
I do it on the /etc/hosts level on my dns server.
What kind of DNS server software are you using?
I haven't seen yet a DNS server configured to read /etc/hosts. I am using BIND and I do not know if you can even make it read /etc/hosts.
Re:What about SSL? (Score:5, Informative)
How would you like to filter out SSL traffic on an intermediate device? Do you have access to fake CA certificates recognized by the majority of web browsers?
No problem if you use active directory group policies and a squid proxy with ssl-bump and dynamic generated certificates.
Simply use a group policy to push the proxy's cert out to the workstations as a trusted root certificate. Problem solved.
Now you can filter out naughty HTTPS sites. Also anyone with root access to the squid proxy can extract all kinds of interesting info from the users' HTTPS sessions and manipulate them in interesting ways. And the only way the users would know is by manually checking the certificate. "What's this Google certificate doing being signed by '*'?"
When you do this using Microsoft TMG there's a big red warning "You may want to check the legal implications of what you are about to do".
Re: (Score:2)
The thing I don't like about it is that it ruins the certificate trust system. With every site signed by the same certificate, even bad ones are accepted by the browser and there is no way to tell them apart.
Counterpoint: If you're in an environment where you're using AD/Group Policy and a squid proxy, you're probably dealing with a group of users that require that sort of network control. Implicitly, they're not checking their certs anyway and wouldn't be able to meaningfully tell the good from the bad even if they had access to that information. If users were doing that, MITM SSL Cert signing wouldn't be necessary in the first place.
Re: (Score:2)
I have to ask myself; why else did MS make it possible to add trusted root certs at the OS level and why do all the browsers (I've so far tested) totally trust and respect the OS level trusted root cert list? Isn't it possible to get, say, Chrome to use its own trusted root certs instead?
In the environment where I'm doing this, totally the users require that sort of control otherwise it's going to bring the business down. No kidding.
Mind you I do have to explain to the CEO/VP who asked for this, how someone
Re: (Score:2)
It lives in C:\windows\system32\drivers\etc\hosts on windows systems at least up till win7.
Here is an ad-block hosts file: http://pgl.yoyo.org/as/serverlist.php?showintro=0;hostformat=hosts
This info is brought by a Linux user... :-)
Re: (Score:2)
Nice. Is this something that could be done with a Raspberry Pi?
Re: (Score:2)
I tend to think it's unethical to have every move I make tracked by hundreds of different companies.
Fully agree. Although that's more about datamining than advertising...but unfortunately they are often bound together these days.
Re: (Score:2)
Normal people fund their own website if they want people to see them. If you need ads, then take it offline.
This is true, but if we start to talk about large websites you obviously can't fund them from some guy's pocket.
Re: (Score:2)
It has the advantage of being extremely easy to do (just add a domain to the file), and i have noticed no slowdowns at all on my old netbook.
You should actually notice a speed up! Host file lookups are negligible compared to DNS lookups and HTTP queries...
Re: (Score:2)
Some prefer not to advertise it on the network. I guess it depends on the situation...