Jump to content

Recommended Posts

I've got parental controls setup on 4 Mac books. I'm having really inconsistent results, and it doesn't block HTTPS. In fact, I see a post saying this back in 2016. Is there really any point to this feature at all!?

Link to post
Share on other sites
  • Administrators

SSL filtering is not supported on Mac yet. However, blocking https sites either by the url blacklist or parental control categories work for domains as long as you have port 443 listed in the list of ports to scan.

Link to post
Share on other sites
  • 5 weeks later...
  • Administrators

Please collect logs as per https://support.eset.com/en/kb3404 and open a support ticket with your local ESET distributor.

In order for website categorization by Parental Control to work, ESET must be able to communicate with certain ESET's servers on UDP port 53535 in order to retrieve categorization.

Link to post
Share on other sites
  • Administrators
7 hours ago, DawnMarie said:

My son said he disabled the software by doing something with the VPN.  Is there a way to prevent this? Otherwise, I can see no point in trying to use this software. 

Please collect logs as per https://support.eset.com/en/kb3404 and open a support ticket with your local ESET distributor.

In order for website categorization by Parental Control to work, ESET must be able to communicate with certain ESET's servers on UDP port 53535 in order to retrieve categorization.

Link to post
Share on other sites
On 1/18/2021 at 5:55 PM, Marcos said:

SSL filtering is not supported on Mac yet. However, blocking https sites either by the url blacklist or parental control categories work for domains as long as you have port 443 listed in the list of ports to scan.

This isn‘t the case any longer, isn‘t it? Referring to other posts, port 443 should not be listet....are we thus loosing the capabilities of blocking https phishing sites?

Link to post
Share on other sites
  • Administrators
4 minutes ago, bEeReE said:

This isn‘t the case any longer, isn‘t it? Referring to other posts, port 443 should not be listet....are we thus loosing the capabilities of blocking https phishing sites?

Port 443 can be listed if you have Big Sur 11.2. It used to cause issues in v11.0 and 11.1.

Link to post
Share on other sites
31 minutes ago, Marcos said:

Port 443 can be listed if you have Big Sur 11.2. It used to cause issues in v11.0 and 11.1.

Thanks a lot! Added to the web protection and now much more phishing sites are detected.... great.

Link to post
Share on other sites

As far as bypassing parental controls, there are numerous apps to do so. Here's one for Chrome; https://chrome.google.com/webstore/detail/gom-vpn-app-to-bypass-blo/eelphgpfmjhndihoopgadghfonahifel .

Any device a child has access to needs to be locked down. That includes installation of browser extensions.

Link to post
Share on other sites
13 hours ago, DawnMarie said:

My son said he disabled the software by doing something with the VPN.  Is there a way to prevent this? Otherwise, I can see no point in trying to use this software. 

I don't use parental control. But depending on what you mean with "something with the vpn" I guess he deactivated the Eset Proxy in macOS's network settings or he installed a vpn service etc. If you want to fully control his machine, you should probably create an administrator account and downgrade his account to a standard account. Then, you can ensure that administrative tasks require administrator password (e.g. macOS settings/security/additional options"). Changing the network settings or installation of applications etc. could be restricted this way. Further, Eset can be configured to restrict "performing changes" only to administrator users (Eset settings related to privileges).

 

Edited by bEeReE
Link to post
Share on other sites

I guess someone will have to run a test to determine if these browser based VPN's; here's another one; https://chrome.google.com/webstore/detail/stay-secure-with-cybergho/ffbkglfijbcbgblgflchnbphjdllaogb , can bypass Eset parental control blocking. Technically speaking, Eset's SSL/TLS protocol scanning is being performed on all ports. I guess it would depend on what VPN protocol is being used in these browser based VPN's. Appears Eset is only filtering TCP traffic.

Edited by itman
Link to post
Share on other sites
2 hours ago, bEeReE said:

Can‘t eset block a related category? E.g. proxies, vpns or uncategorized sites? Depends on categorization, not?

 

No. Those categories don't exist in Parental Control. Only content related categories; e.g. 12+, can be selected.

Link to post
Share on other sites

Seems the way around this issue is to use something that is router based such as Cicso's Family Shield: https://umbrella.cisco.com/blog/introducing-familyshield-parental-controls that works in conjunction with OpenDNS.

Obviously, router access needs to be locked down.

Edited by itman
Link to post
Share on other sites
36 minutes ago, itman said:

Seems the way around this issue is to use something that is router based such as Cicso's Family Shield: https://umbrella.cisco.com/blog/introducing-familyshield-parental-controls that works in conjunction with OpenDNS.

Obviously, router access needs to be locked down.

I use Untangle NG Firewall and I am quite happy. I can block applications like your posted cybergho based on dedicated application filter etc. 

However, router based doesn‘t work if you are on mobile network etc. Similarly, DNS filters will not work if you change the DNS settings on your client and being outside of your controlled LAN. For sure, you could force VPN connection to home via App etc., but not if there is a possibIlity to easily delete the app. Depending on the age, they can also install a rogue access point and build their own WLAN at home thus not being detected as the child’s device if you don‘t monitor onboarding of new devices and and and. I think you can‘t control much if the clients itself aren’t under control. 

And then the question is, if and up to which age you want to block everything or just focusing on monitoring and awareness/discussions. 

Link to post
Share on other sites

I actually found a posting on this subject: https://security.stackexchange.com/questions/107105/what-do-browser-vpns-actually-do . The gist of it is:

Quote

Normally if you load http://www.example.com, your computer makes a connection to www.example.com and loads and displays the web page. If you're using a VPN, the request goes through the VPN provider's VPN server first, then on to www.example.com, back to the VPN server, and then to your computer. The link between your computer and a properly configured VPN server is encrypted, so your ISP and anyone on your network cannot see any details of what you're browsing.

I believe Eset's Parental Control monitoring is IP address based as is most of Eset's web filtering.

Link to post
Share on other sites
  • Administrators
10 hours ago, itman said:

I actually found a posting on this subject: https://security.stackexchange.com/questions/107105/what-do-browser-vpns-actually-do . The gist of it is:

I believe Eset's Parental Control monitoring is IP address based as is most of Eset's web filtering.

Parental Control is based on URLs, not on IP addresses. As for web filtering, it works with both IP addresses and domains so we can blacklist either.

Link to post
Share on other sites
4 hours ago, Marcos said:

IP addresses and domains so we can blacklist either.

But how to deal with such vpn an proxies? Isn‘t there a possibility of blocking a „proxy“ category? How is e.g. cyberghostvpn.com be categorized?

Link to post
Share on other sites
  • Administrators
35 minutes ago, bEeReE said:

But how to deal with such vpn an proxies? Isn‘t there a possibility of blocking a „proxy“ category? How is e.g. cyberghostvpn.com be categorized?


hxxp://cyberghostvpn.com - Category:Technology

 

 

Link to post
Share on other sites
1 hour ago, Marcos said:

Category:Technology

Would be beneficial to categorize such sites into a separate category so that users will be able to block those, in my point of view....I am not affected. But for others it may be great...

Categorization of Brightcloud: Proxy Avoidance and Anonymizers.

 

Link to post
Share on other sites

Here's an interesting parental controls bypass; no proxy or VPN needed:

Quote

Google Translate Proxy

This is another bypass method I would expect some children to be aware of. If a URL is blocked, they can use Google Translate as a makeshift proxy. It is as easy as setting a language you do not speak in the text input field, entering the URL you wish to access, and waiting for Google to automatically translate it.

The "translated" URL will become a link. The site will open in full, albeit within Google Translate. This can be slightly slow, but it is unlikely to be slow enough to discourage a determined mind.

https://www.makeuseof.com/tag/7-ways-children-might-bypass-parental-control-software/

Edited by itman
Link to post
Share on other sites

As far as Webroot's BrightCloud filtering:

Quote

58  Proxy Avoidance and Anonymizers

 Proxy servers and other methods to gain access to URLs in any way that bypasses URL filtering or monitoring. Web-based translation sites that circumvent filtering.
http://anonymouse.org
http://surfen-op-school.com

https://www.brightcloud.com/tools/change-request.php#

BrightCloud use is not free with cost based on URL lookup use.

Edited by itman
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...