Comment by fc417fc802
3 days ago
The obvious solution would be TLS interception and protocol whitelisting. Same as corporate IT. Stick the kids' devices on a separate VLAN if you don't want to catch all the other devices in the crossfire.
Still, there's an awful lot of excellent educational content on YouTube. It seems unfortunate to block access to that. Have you considered self-hosting an alternative frontend for it?
> TLS interception and protocol whitelisting
Well, that means directly doing things on the endpoint, which I don't want to do. One could work around that with a Linux USB; I could block USB boot, but then I'm just giving him an iPad, right? What's the point?
The goal is the learning exercise that puts YouTube as a reward mechanism for getting around my blocks. I just hoped to not run out of options so quickly.
No? A firewall at the edge of the network performs a MitM attack against all TLS connections, substituting in your own (i.e. self-signed) root certificate for the connection on the local side. It also performs protocol filtering because the only realistic way to prevent leaks is a whitelist approach.
The end user is faced with a choice. Either add the local root certificate or else all TLS connections will be rejected. Booting off a USB won't get around it.
At this point this is a bog-standard approach taken by any corporate IT department that takes network security even half seriously.
Granted, certain types of proxy will still work since automated approaches to filtering page content itself are not particularly robust. You could always write a custom heuristic to detect the YouTube frontend though. Would probably be quite easy since the elements have predictable names.
That said, it doesn't really seem like blocking is what you're actually after. It's unfortunate the cat and mouse game being used as a learning activity concluded so quickly but maybe just have a chat with him about the psychological issues posed by algorithmic feeds and user-generated content in general?
I'll mention again, a self-hosted alternative frontend for YouTube might address most of the objections you have to it in the first place.
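The custom heuristic suggested in the thread, sketched as an added example that is not part of the discussion or any commenter's code: it scores a response body that the intercepting firewall has already decrypted, counting frontend-style element names and inline-script markers while ignoring ordinary page text. The element prefixes, marker names, threshold, host names and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Assumptions for illustration: custom-element prefixes and inline-script
# variable names associated with YouTube's web frontend; verify against
# real traffic before relying on them.
TAG_PREFIXES = ("ytd-", "ytm-")
SCRIPT_MARKERS = ("ytInitialData", "ytInitialPlayerResponse")
THRESHOLD = 3  # hypothetical cut-off: each tag scores 1, each marker 2


class FrontendScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.markers = set(), set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.startswith(TAG_PREFIXES):
            self.tags.add(tag)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Only script bodies count; visible text mentioning a name does not.
        if self._in_script:
            self.markers.update(m for m in SCRIPT_MARKERS if m in data)


def classify(host, body, allowed_hosts=frozenset()):
    """Return (block, score, evidence) for one response seen by the proxy."""
    scanner = FrontendScanner()
    scanner.feed(body)
    scanner.close()
    score = len(scanner.tags) + 2 * len(scanner.markers)
    block = host not in allowed_hosts and score >= THRESHOLD
    return block, score, sorted(scanner.tags | scanner.markers)


# Constructed samples: a relay page on an unrelated host, and a blog post
# that only mentions the same names in its visible text.
PROXIED = ("<html><body><ytd-app><ytd-masthead></ytd-masthead>"
           "<ytd-watch-flexy></ytd-watch-flexy></ytd-app>"
           "<script>var ytInitialData = {};</script></body></html>")
BLOG = "<html><body><p>Uses &lt;ytd-app&gt; and ytInitialData.</p></body></html>"
```

A frontend that renders its own markup under different element names would score zero here, which is the robustness limit the comment above concedes.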