OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: cac04 on June 04, 2022, 12:56:33 am

Title: Blacklisting youtube.com for Google Chrome
Post by: cac04 on June 04, 2022, 12:56:33 am
I have added youtube.com to a Web Control blacklist. When I try to visit youtube.com with Apple Safari, it is blocked as expected. But when I use Google Chrome, it still loads youtube.com. How is Chrome getting around the blacklist?

I would prefer to use the App Control to block Youtube - that works with all browsers, as far as I can tell - but unfortunately that blocks Youtube Kids too. I would like to allow my children to use Youtube Kids, just not the general Youtube website.

The only thing I could think of was to blacklist youtube.com - but that doesn't seem to work in Chrome  :(
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: cac04 on June 04, 2022, 12:01:25 pm
To answer my own question, the problem is that Chrome uses the QUIC protocol to talk to Google Apps such as YouTube (and apparently some other websites too). Zenarmor does not recognize QUIC connections as web traffic, so it does not apply Web Controls to them. (Update: this turned out not to be the only problem.)

There's a decent explanation of this here: https://www.fastvue.co/fastvue/blog/googles-quic-protocols-security-and-reporting-implications/

So the only solution is to block QUIC, which means to block UDP traffic on ports 80 and 443.

I tried to do this using the normal OPNsense firewall, but it didn't seem to work. Then I noticed that there's a "Quic UDP Connection" category under "Media Streaming" in App Controls... but that didn't seem to stop it either.

How is Chrome still loading youtube.com?! I guess I'll have to get Wireshark running on this machine later  >:(
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: fabian on June 04, 2022, 06:33:08 pm
QUIC is only available via HTTPS, not with HTTP so only UDP/443.
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: cac04 on June 04, 2022, 07:03:13 pm
I don't claim any expertise in these matters, but RFC 9000 seems to indicate that QUIC can use any port: https://datatracker.ietf.org/doc/html/rfc9000

Maybe it's only used for websites at the moment though, so people only use it on ports associated with HTTP and HTTPS, perhaps?

Ian Swett, one of the Google engineers responsible for QUIC, claims that Chrome uses both port 80 and port 443, see https://groups.google.com/a/chromium.org/g/proto-quic/c/ksokVdwXfQ0

However, blocking both UDP/80 and UDP/443 doesn't stop Chrome from loading youtube.com anyway.
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: fabian on June 04, 2022, 08:43:23 pm
Sure you can use any port but QUIC is only used by HTTP 3 in the HTTP context which forces encryption using QUIC so it is HTTPS by default. Other ports for HTTPS than 443 are uncommon.
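The thread above argues about which UDP ports a QUIC block has to cover. As an added example (not code from the thread or from Zenarmor), the following Python decodes the version-independent QUIC long header (RFC 8999 invariants, with the packet-type bits for v1 from RFC 9000 and v2 from RFC 9369) and then checks, for a small set of constructed UDP payloads, which QUIC Initial packets a plain per-port UDP block would still let through. The sample packets, connection IDs and ports are constructed for illustration, not captured traffic.

```python
import struct

# Wire-format constants from RFC 8999 (invariants), RFC 9000 (v1) and RFC 9369 (v2).
QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
LONG_TYPES_V2 = {1: "Initial", 2: "0-RTT", 3: "Handshake", 0: "Retry"}


def parse_quic_long_header(payload: bytes):
    """Decode a QUIC long-header packet (version, packet type, DCID, SCID).

    Returns None for short-header packets and anything that is not QUIC.
    Only the invariant fields are parsed; the encrypted payload is untouched.
    """
    if len(payload) < 6:
        return None
    first = payload[0]
    if not first & 0x80:          # header form bit clear: short header or not QUIC
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    if pos + dcid_len + 1 > len(payload):
        return None
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if pos + scid_len > len(payload):
        return None
    scid = payload[pos:pos + scid_len]
    ptype = (first & 0x30) >> 4   # long packet type lives in bits 5..4
    if version == 0:
        type_name = "VersionNegotiation"
    elif version == QUIC_V1 and first & 0x40:   # fixed bit must be set in v1/v2
        type_name = LONG_TYPES_V1[ptype]
    elif version == QUIC_V2 and first & 0x40:
        type_name = LONG_TYPES_V2[ptype]
    else:
        type_name = "unknown-version"
    return {"version": version, "type": type_name,
            "dcid": dcid.hex(), "scid": scid.hex()}


def _constructed_initial(dcid: bytes) -> bytes:
    # Constructed sample: QUIC v1 Initial (first byte 0xC3 = long header,
    # fixed bit, type 0, 4-byte packet number) with the given DCID, an empty
    # SCID, a zero-length token and dummy ciphertext. Not a real capture.
    hdr = bytes([0xC3]) + struct.pack("!I", QUIC_V1) + bytes([len(dcid)]) + dcid + b"\x00"
    return hdr + b"\x00" + b"\x40\x20" + b"\x00" * 32


# Constructed (destination UDP port, payload) pairs used as sample input.
SAMPLE_UDP_PACKETS = [
    (443, _constructed_initial(bytes.fromhex("83a1c4f2d9e06b17"))),      # QUIC Initial, UDP/443
    (80,  _constructed_initial(bytes.fromhex("5d0e7a3b9c21f846"))),      # QUIC Initial, UDP/80
    (443, bytes([0x41]) + bytes.fromhex("83a1c4f2d9e06b17") + b"\x00" * 20),  # short header
    (53,  b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 12),                   # DNS query, not QUIC
]


def quic_initials_passing(packets, blocked_udp_ports):
    """Return destination ports of QUIC Initial packets that a plain UDP port
    block would still let through. A new QUIC connection always starts with an
    Initial, so an Initial getting through means the block is incomplete."""
    passing = []
    for dport, payload in packets:
        if dport in blocked_udp_ports:
            continue
        info = parse_quic_long_header(payload)
        if info and info["type"] == "Initial":
            passing.append(dport)
    return passing


if __name__ == "__main__":
    for dport, payload in SAMPLE_UDP_PACKETS:
        print(dport, parse_quic_long_header(payload))
    print("block UDP/443 only, Initials still passing on:", quic_initials_passing(SAMPLE_UDP_PACKETS, {443}))
    print("block UDP/80+443, Initials still passing on:", quic_initials_passing(SAMPLE_UDP_PACKETS, {80, 443}))
```

With only UDP/443 blocked, the constructed Initial on UDP/80 still passes, which is the point made about Chrome using both ports; blocking both leaves none of the sample Initials through. Note that this says nothing about traffic that never needs a new QUIC connection at all, which is the separate problem the thread goes on to find.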
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: cac04 on June 05, 2022, 01:53:01 am
I finally worked it out. I took a look with Wireshark and found that even when I cleared the cache and hard refreshed Youtube, the initial packet to youtube.com was TLS "Application Data" - Chrome never sent a "Client Hello" message to begin a new TLS session.

This really confused me, until I realized that the same IP addresses are used for multiple Google services. For example:

www.youtube.com.   71094   IN   CNAME   youtube-ui.l.google.com.
youtube-ui.l.google.com. 89   IN   A   142.250.178.14
And also:

contacts.google.com.   3032   IN   CNAME   plus.l.google.com.
plus.l.google.com.   66   IN   A   142.250.178.14
So if you've already connected to one Google service - for example, Gmail, or maybe you've just logged into your Google account - then Chrome already has a TCP connection open to a youtube.com IP address. Since it's using HTTP/2, it is allowed to re-use an existing TCP connection, provided that the TLS certificate is valid. Google uses a wildcard certificate that matches all their services, so the cert will be valid, so Chrome can re-use the existing TLS session. It doesn't send a new Client Hello message, so it doesn't ever send an SNI field containing the hostname, so Zenarmor can't tell that this TLS data is web traffic for youtube.com.
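The explanation above is that a hostname-based web control only ever sees the hostname in the SNI extension of a ClientHello, and a reused HTTP/2 connection never sends one. As an added example (not code from the thread or from Zenarmor), the following Python builds a constructed TLS 1.2-style ClientHello record carrying an SNI for www.youtube.com, extracts the SNI from it, and then shows what a purely SNI-based filter can decide for a ClientHello versus an Application Data record on an already-established connection. The record builder, the blocklist and the verdict strings are assumptions made for this illustration.

```python
def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS handshake record wrapping a
    ClientHello whose only extension is server_name (type 0x0000)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name     # name_type host_name(0)
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    hs_body = (b"\x03\x03"                     # client_version
               + b"\x11" * 32                  # random (fixed dummy bytes)
               + b"\x00"                       # session_id length 0
               + b"\x00\x02\x13\x01"           # one cipher suite
               + b"\x01\x00"                   # one compression method (null)
               + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body   # type ClientHello
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: an Application Data record on a connection whose
# handshake happened earlier (for another Google hostname, per the thread).
APP_DATA_RECORD = b"\x17\x03\x03" + (48).to_bytes(2, "big") + b"\x9a" * 48


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None when the
    record is not a ClientHello or carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                      # skip client_version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                # compression_methods
    if len(hs) < pos + 2:
        return None
    end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end <= len(hs):
        etype = int.from_bytes(hs[pos:pos + 2], "big")
        elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
        edata = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0x0000 and len(edata) >= 5:
            p = 2                                     # skip server_name_list length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = int.from_bytes(edata[p + 1:p + 3], "big")
                if ntype == 0:
                    return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    return None


def sni_filter_verdict(record: bytes, blocked_domains) -> str:
    """Decision an SNI-only web control can reach for one TLS record.
    Only a ClientHello exposes a hostname; everything else is opaque."""
    if not record:
        return "allow (empty)"
    if record[0] == 0x16:
        host = extract_sni(record)
        if host is None:
            return "allow (handshake without SNI)"
        blocked = any(host == d or host.endswith("." + d) for d in blocked_domains)
        return "block" if blocked else "allow"
    if record[0] == 0x17:
        return "allow (Application Data: no hostname visible)"
    return "allow (not a TLS record)"


if __name__ == "__main__":
    hello = build_client_hello("www.youtube.com")
    print("SNI in ClientHello:", extract_sni(hello))
    print("new connection:", sni_filter_verdict(hello, {"youtube.com"}))
    print("reused connection:", sni_filter_verdict(APP_DATA_RECORD, {"youtube.com"}))
```

The fresh connection is blocked because its ClientHello names www.youtube.com; the Application Data record on the reused connection carries no hostname, so the same filter has nothing to match and lets it through. That gap is exactly what the TLS inspection mentioned later in the thread is meant to close, and why a hostname blocklist behaves differently across browsers depending on their connection-reuse behaviour.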
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: sy on June 06, 2022, 09:56:25 am
Hi,

Thanks for the detailed explanation. As you said, Google uses some IPs for different apps. Zenarmor will achieve to classify this kind of traffic with the TLS inspection feature and most probably will be shipped end of July.
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: cac04 on June 06, 2022, 10:10:18 am
When you say "TLS inspection feature", do you mean that Zenarmor will support man-in-the-middle for HTTPS filtering?

That would be cool.
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: sy on June 06, 2022, 03:52:55 pm
Hi,

Yes, the 2.1 release will be shipped with TLS Inspection.
Title: Re: Blacklisting youtube.com for Google Chrome
Post by: Vilmalith on July 08, 2022, 11:39:14 am
Hi,

Yes, the 2.1 release will be shipped with TLS Inspection.

And it will do this without something like ssl inspector in Untangle and having to install certificates on all devices?