Topic: Blacklisting youtube.com for Google Chrome (Read 3777 times)
cac04
Newbie
Posts: 18
Karma: 0
Blacklisting youtube.com for Google Chrome
« on: June 04, 2022, 12:56:33 am »
I have added youtube.com to a Web Control blacklist. When I try to visit youtube.com with Apple Safari, it is blocked as expected. But when I use Google Chrome, it still loads youtube.com. How is Chrome getting around the blacklist?
I would prefer to use the App Control to block YouTube - that works with all browsers, as far as I can tell - but unfortunately that blocks YouTube Kids too. I would like to allow my children to use YouTube Kids, just not the general YouTube website.
The only thing I could think of was to blacklist youtube.com - but that doesn't seem to work in Chrome.
Logged
cac04
Newbie
Posts: 18
Karma: 0
Re: Blacklisting youtube.com for Google Chrome
« Reply #1 on: June 04, 2022, 12:01:25 pm »
To answer my own question, the problem is that Chrome uses the QUIC protocol to talk to Google Apps such as YouTube (and apparently some other websites too). Zenarmor does not recognize QUIC connections as web traffic, so it does not apply Web Controls to them. (Update: this turned out not to be the only problem.)
There's a decent explanation of this here:
https://www.fastvue.co/fastvue/blog/googles-quic-protocols-security-and-reporting-implications/
So the only solution is to block QUIC, which means to block UDP traffic on ports 80 and 443.
I tried to do this using the normal OPNsense firewall, but it didn't seem to work. Then I noticed that there's a "Quic UDP Connection" category under "Media Streaming" in App Controls... but that didn't seem to stop it either.
How is Chrome still loading youtube.com?! I guess I'll have to get Wireshark running on this machine later.
« Last Edit: June 05, 2022, 02:09:26 pm by cac04 »
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Blacklisting youtube.com for Google Chrome
« Reply #2 on: June 04, 2022, 06:33:08 pm »
QUIC is only available via HTTPS, not with HTTP, so only UDP/443.
Logged
cac04
Newbie
Posts: 18
Karma: 0
Re: Blacklisting youtube.com for Google Chrome
« Reply #3 on: June 04, 2022, 07:03:13 pm »
I don't claim any expertise in these matters, but RFC 9000 seems to indicate that QUIC can use any port:
https://datatracker.ietf.org/doc/html/rfc9000
Maybe it's only used for websites at the moment though, so people only use it on ports associated with HTTP and HTTPS, perhaps?
Ian Swett, one of the Google engineers responsible for QUIC, claims that Chrome uses both port 80 and port 443, see
https://groups.google.com/a/chromium.org/g/proto-quic/c/ksokVdwXfQ0
However, blocking both UDP/80 and UDP/443 doesn't stop Chrome from loading youtube.com anyway.
« Last Edit: June 04, 2022, 08:30:31 pm by cac04 »
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Blacklisting youtube.com for Google Chrome
« Reply #4 on: June 04, 2022, 08:43:23 pm »
Sure, you can use any port, but QUIC is only used by HTTP/3 in the HTTP context, which forces encryption using QUIC, so it is HTTPS by default. Other ports for HTTPS than 443 are uncommon.
Logged
cac04
Newbie
Posts: 18
Karma: 0
Re: Blacklisting youtube.com for Google Chrome
« Reply #5 on: June 05, 2022, 01:53:01 am »
I finally worked it out. I took a look with Wireshark and found that even when I cleared the cache and hard refreshed YouTube, the initial packet to youtube.com was TLS "Application Data" - Chrome never sent a "Client Hello" message to begin a new TLS session.
This really confused me, until I realized that the same IP addresses are used for multiple Google services. For example:
www.youtube.com. 71094 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 89 IN A 142.250.178.14
And also:
contacts.google.com. 3032 IN CNAME plus.l.google.com.
plus.l.google.com. 66 IN A 142.250.178.14
So if you've already connected to one Google service - for example, Gmail, or maybe you've just logged into your Google account - then Chrome already has a TCP connection open to a youtube.com IP address. Since it's using HTTP/2, it is allowed to re-use an existing TCP connection, provided that the TLS certificate is valid. Google uses a wildcard certificate that matches all their services, so the cert will be valid, so Chrome can re-use the existing TLS session. It doesn't send a new Client Hello message, so it doesn't ever send an SNI field containing the hostname, so Zenarmor can't tell that this TLS data is web traffic for youtube.com.
Logged
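As an added illustration of the coalescing behaviour cac04 describes above (example code, not from the thread, from Zenarmor or from Chrome), this model opens connections the way RFC 7540 section 9.1.1 allows and shows what a filter that only reads SNI from ClientHello messages can see. The hostnames, the shared address and the certificate names are constructed sample data shaped like the dig output quoted in the post.

```python
"""Model of HTTP/2 connection coalescing (RFC 7540 section 9.1.1) against an
SNI-only web filter. Added example, not code from the thread or from Zenarmor;
hostnames, addresses and certificate names are constructed sample data."""
from dataclasses import dataclass, field

# Constructed DNS answers: several Google hostnames resolve to one shared address.
DNS = {
    "mail.google.com": "142.250.178.14",
    "contacts.google.com": "142.250.178.14",
    "www.youtube.com": "142.250.178.14",
    "example.org": "203.0.113.7",
}
# Constructed subjectAltName entries of the certificate served on the shared address.
SHARED_SANS = ("*.google.com", "*.youtube.com", "youtube.com")

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host

@dataclass
class Conn:
    ip: str
    sni: str        # hostname carried in the ClientHello that opened this connection
    sans: tuple     # names the presented certificate is valid for

@dataclass
class Browser:
    conns: list = field(default_factory=list)

    def fetch(self, host: str) -> tuple:
        """Return (how, sni). 'reused' means an open connection to the same IP has a
        certificate covering host, so it is coalesced: no new ClientHello is sent and
        no SNI for host ever crosses the wire. Otherwise a new connection is opened."""
        ip = DNS[host]
        for c in self.conns:
            if c.ip == ip and any(san_matches(s, host) for s in c.sans):
                return "reused", c.sni
        sans = SHARED_SANS if ip == "142.250.178.14" else (host,)
        self.conns.append(Conn(ip, host, sans))
        return "new", host

def sni_filter(browser: Browser, host: str, blocklist: set) -> str:
    """Verdict of a filter that classifies flows only by the SNI in ClientHello."""
    how, sni = browser.fetch(host)
    if how == "reused":
        return "passed-unclassified"   # only Application Data seen, no hostname to match
    blocked = any(sni == b or sni.endswith("." + b) for b in blocklist)
    return "blocked" if blocked else "allowed"
```

With a fresh browser the first request to www.youtube.com carries SNI and is blocked; after a visit to mail.google.com on the same address the YouTube request is coalesced and passes the SNI filter unclassified, which is exactly the TLS inspection gap the following replies discuss.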
sy
Hero Member
Posts: 595
Karma: 44
Re: Blacklisting youtube.com for Google Chrome
« Reply #6 on: June 06, 2022, 09:56:25 am »
Hi,
Thanks for the detailed explanation. As you said, Google uses some IPs for different apps. Zenarmor will be able to classify this kind of traffic with the TLS inspection feature, which will most probably be shipped at the end of July.
Logged
cac04
Newbie
Posts: 18
Karma: 0
Re: Blacklisting youtube.com for Google Chrome
« Reply #7 on: June 06, 2022, 10:10:18 am »
When you say "TLS inspection feature", do you mean that Zenarmor will support man-in-the-middle for HTTPS filtering?
That would be cool.
Logged
sy
Hero Member
Posts: 595
Karma: 44
Re: Blacklisting youtube.com for Google Chrome
« Reply #8 on: June 06, 2022, 03:52:55 pm »
Hi,
Yes, the 2.1 release will be shipped with TLS Inspection.
Logged
Vilmalith
Newbie
Posts: 18
Karma: 0
Re: Blacklisting youtube.com for Google Chrome
« Reply #9 on: July 08, 2022, 11:39:14 am »
Quote from: sy on June 06, 2022, 03:52:55 pm
Hi,
Yes, the 2.1 release will be shipped with TLS Inspection.
And it will do this without something like SSL Inspector in Untangle and having to install certificates on all devices?
Logged