
Comment by mikestorrent

2 days ago

> > TLS interception and protocol whitelisting
>
> Well, that means directly doing things on the endpoint, which I don't want to do. One could work around that with a Linux USB; I could block USB boot, but then I'm just giving him an iPad, right? What's the point?
>
> The goal is the learning exercise that puts YouTube as a reward mechanism for getting around my blocks. I just hoped to not run out of options so quickly.

No? A firewall at the edge of the network performs a MitM attack against all TLS connections, substituting in your own (i.e. self-signed) root certificate for the connection on the local side. It also performs protocol filtering, because the only realistic way to prevent leaks is a whitelist approach.

The end user is faced with a choice. Either add the local root certificate or else all TLS connections will be rejected. Booting off a USB won't get around it.

At this point this is a bog-standard approach taken by any corporate IT department that takes network security even half seriously.

Granted, certain types of proxy will still work, since automated approaches to filtering page content itself are not particularly robust. You could always write a custom heuristic to detect the YouTube frontend, though. It would probably be quite easy, since the elements have predictable names.

That said, it doesn't really seem like blocking is what you're actually after. It's unfortunate that the cat-and-mouse game being used as a learning activity concluded so quickly, but maybe just have a chat with him about the psychological issues posed by algorithmic feeds and user-generated content in general?

I'll mention again, a self-hosted alternative frontend for YouTube might address most of the objections you have to it in the first place.
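As an added example that is not part of the comment thread, the sketch below shows in Python the two mechanisms the comment describes: a default-deny protocol whitelist keyed on the SNI in the TLS ClientHello (the only plaintext hostname the edge box sees before interception), and a content heuristic run over the decrypted HTML once the intercepting proxy has it. The allowlist, the resolver address, the YouTube frontend markers and the sample traffic are all constructed for illustration; the markers are names assumed from the public frontend markup, not an official list.

```python
"""Edge-firewall policy sketch: SNI-keyed default-deny whitelist plus a
content heuristic for decrypted HTML. Added example; allowlist, resolver,
markers and sample traffic are all constructed, not captured."""
import struct

# Constructed allowlist (assumption): hosts the LAN may reach over TLS.
ALLOWED_TLS_HOSTS = {"wikipedia.org", "khanacademy.org"}
LOCAL_RESOLVER = "192.168.1.1"   # assumption: only the edge box answers DNS

# Markers assumed from YouTube's public web frontend markup (custom element
# and script names); the "predictable element names" the comment refers to.
YOUTUBE_MARKERS = (b"<ytd-app", b"ytInitialData", b"ytd-watch-flexy", b"ytcfg.set(")


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Sample input for extract_sni(), not traffic captured from a real client."""
    name = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random
            + b"\x00"                            # empty session_id
            + b"\x00\x04\x13\x01\x13\x02"        # two cipher suites
            + b"\x01\x00"                        # null compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if the
    bytes are not a well-formed ClientHello or carry no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                     # skip client_version and random
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                               # session_id
    if len(body) < p + 2:
        return None
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher_suites
    if len(body) < p + 1:
        return None
    p += 1 + body[p]                               # compression_methods
    if len(body) < p + 2:
        return None                                # no extensions block at all
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end and end <= len(body):
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0 and len(data) >= 5:          # server_name extension
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    try:
                        return data[q + 3:q + 3 + nlen].decode("ascii")
                    except UnicodeDecodeError:
                        return None
                q += 3 + nlen
    return None


def decide(proto: str, dst_ip: str, dst_port: int, first_payload: bytes = b"") -> str:
    """Default-deny verdict for one new flow: 'allow' or 'drop'. Everything not
    explicitly listed, including SNI-less TLS and QUIC on UDP/443, is dropped."""
    if proto == "udp" and dst_port == 53 and dst_ip == LOCAL_RESOLVER:
        return "allow"
    if proto == "tcp" and dst_port == 443:
        host = extract_sni(first_payload)
        if host and any(host == d or host.endswith("." + d) for d in ALLOWED_TLS_HOSTS):
            return "allow"                         # hand flow to the intercepting proxy
    return "drop"


def looks_like_youtube_frontend(html: bytes) -> bool:
    """Content heuristic on decrypted HTML: require two independent markers so
    a page that merely mentions YouTube is not matched."""
    return sum(1 for m in YOUTUBE_MARKERS if m in html) >= 2
```

The SNI is unauthenticated and chosen by the client, so the whitelist only gates which flows are handed to the interception proxy; it is the proxy's own certificate validation on the upstream side that binds the name to the server. Flows the parser cannot classify, such as Encrypted Client Hello or QUIC, fall into the default-deny branch, which is exactly what a whitelist is for.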