Blocking HTTPS

[Sirrush]

Hey guys,

I'll be moving within a month. Now, one of my stepdad's kids likes ordering stuff online, even though he obviously shouldn't (he's 14). And since I'll be managing the network, I've been asked to get his pc setup so that he can't access websites where he can buy stuff. My first thought was to just block every incoming https connection (iirc, most online stores use https when ordering stuff).

I stumbled upon 'IPSec' via Google, will this be able to block JUST https? (The PC in question will be running Win XP)

Thanks in advance,
-Sirrush

PS: Merry Hexmas.

[pipTheGeek]

IPSec isn't really designed for blocking traffic like this. I think you could use IP Filtering to block all tcp traffic on port 443 (which is the default for https). You could also setup IE to use a non-existant proxy for https traffic. I am not convinced that either of these choices will work well. They will be easy to bypass if the user has Admin access and you will also block logging into almost all websites, including web mail and forums.
Windows Live family safety might be worth a look. I used it at home for quite a while. I only stopped because it doesn't work well on a domain.
The other way to investigate would be to run your own transparent proxy and use that to filter sites.

[arthurleung]

Just block any port 443 connection on the router? My school did that back then and it worked pretty good.

Why would the kid able to order online? If he is "stealing" credit card detail from parents then education should be a more appropriate solution.

[Sirrush]

Just block any port 443 connection on the router? My school did that back then and it worked pretty good.

Why would the kid able to order online? If he is "stealing" credit card detail from parents then education should be a more appropriate solution.

Blocking every port 443 connection would become quite a hassle. My mum and I legitimately order stuff online frequently.

Not entirely sure about the kid situation, from what I've heard he doesn't actually steal the credit card details but instead ticks the "I'll pay via money transfer" box. I'd talk to the little guy but that wouldn't really get through to him. |:

Anyway, I'll look into Windows Live Family Safety, should work just fine from what I've read so far.

[peterb]

Depending on the capabilities of your router, assign his PC a static IP address, and then block port 443 from that IP address.

Ensure that his account on his windows machine doesn't have admin priviliges so that he can't change the IP address (although you could lock the MAC address of his computer to a specific blocked IP address).

You will need to ensure that he can't use any other computer that does have 443 access, (passwords) and of course ensure that he can't access the admin facilities on the router.

If there is a risk that he might bring in anothe computer you may need to assign static IP addresses to all the machines on the bnetwork, link them to specific MAC addresses, and disable a ny DHCP server.

Alternatively, education, talk, or supervision.

[pre]

You can try unchecking "Use SSL2.0/3.0/TLS 1.0" in Internet Options/Advanced. This tends to break https connection negotiation with most common secure websites in IE and gets around the whole having to block individual IPs.

[Output]

Even then it might not stop them - they could end up ordering on a site that doesn't use HTTPS (which would obviously be more likely to be a dodgy one).

[watercooled]

One other option would be to check which website he normally orders from and add them to the HOSTS file assigned to 127.0.0.1 so it blocks access to them. Obviously this wouldn't be ideal because he'd probably find more websites and if he knows a bit about computers it wouldn't be hard to change back. Another option would be to try some parental control software, I'm not exactly sure how it works as I've never used it but I know Kaspersky Internet Security has some included and you might be able to block known shopping sites with that or something?