There is no way to block a particular HTTPS URL on a router which doesn't support DPI (deep packet inspection) with HTTPS decryption (man-in-the-middle attacking of all HTTPS connections). In the HTTPS communication, you'll see only play.google.com in plaintext; the rest of the URL is encrypted.
Some anti-virus solutions and enterprise security appliances do man-in-the-middle attacks on HTTPS, pretending to be the user towards the server, and forging server certificates towards the user, signed by their own certificate authority which is set as trusted on the user devices. This is the only way to selectively block an HTTPS session to a particular URL. Doing this at a nation-wide level would void HTTPS security.
One more time. There is no way in RouterOS, or in any other router/firewall that doesn't do DPI, for HTTPS URLs. For plain HTTP, it is possible, but nobody uses plain HTTP these days, definitely not Google.
To block certain mobile apps for Indian users, your government has to talk to Google directly, not to ISPs. Blocking at ISP level would cost them a lot of money for the appliances, and would have international consequences too. One of the middle-Asian governments apparently attempted to spawn a certificate authority to be included in the trusted root CAs of operating systems and browsers and use it for the HTTPS man-in-the-middle attack I've described above, but it resulted in this CA not being removed from these trusted certificate stores by OS and browser vendors.
That's what I wrote above. It matches on the only part of the URL you can see in plaintext for HTTPS connections: the FQDN. So you can use it to block HTTPS connections to the whole of play.google.com. I don't think that's what you want.
pfSense probably has the same issue.
I think you really need “the big guns” to do truly what you want in-depth & in-detail.
We have designed, built & operate such environments (1000-40000 users) built on Palo Alto hardware, which recognizes A LOT of applications and can act upon them (App-ID). Of course not everything is in there, some don't work, and this is something under constant evolution.
Read again what I wrote above. It would have to be a firewall which is capable of doing DPI, and the end devices would have to accept the root CA used by that firewall to forge server certificates as a trusted one. So Google would have to update all the Android devices with that CA certificate. And if Google agreed to such a move, it would be much easier for them to ban the applications at their level rather than doing it this way.
If you are a small ISP, you can't do that. The government would have to agree with Google and with the ISPs which provide international connectivity to India. Asking this of small local ISPs is nonsense.
DoH is a thing and even the hostname in SNI will become unreadable once TLS 1.3 is in broader use.
Stop trying to block certain URLs at the network level; it is impossible without full control over all end-user devices, or without risking huge collateral damage.