Parental Controls

[dski 0]

I've got parental controls setup on 4 Mac books. I'm having really inconsistent results, and it doesn't block HTTPS. In fact, I see a post saying this back in 2016. Is there really any point to this feature at all!?

[Marcos 5,074]

SSL filtering is not supported on Mac yet. However, blocking https sites either by the url blacklist or parental control categories work for domains as long as you have port 443 listed in the list of ports to scan.

[dski 0]

Great alternative Marcos. Thanks.

[DawnMarie 0]

My son said he disabled the software by doing something with the VPN.  Is there a way to prevent this? Otherwise, I can see no point in trying to use this software. 

[Marcos 5,074]

Please collect logs as per https://support.eset.com/en/kb3404 and open a support ticket with your local ESET distributor.

In order for website categorization by Parental Control to work, ESET must be able to communicate with certain ESET's servers on UDP port 53535 in order to retrieve categorization.

[Marcos 5,074]

7 hours ago, DawnMarie said:

My son said he disabled the software by doing something with the VPN.  Is there a way to prevent this? Otherwise, I can see no point in trying to use this software. 

Please collect logs as per https://support.eset.com/en/kb3404 and open a support ticket with your local ESET distributor.

In order for website categorization by Parental Control to work, ESET must be able to communicate with certain ESET's servers on UDP port 53535 in order to retrieve categorization.

[bEeReE 4]

On 1/18/2021 at 5:55 PM, Marcos said:

SSL filtering is not supported on Mac yet. However, blocking https sites either by the url blacklist or parental control categories work for domains as long as you have port 443 listed in the list of ports to scan.

This isn‘t the case any longer, isn‘t it? Referring to other posts, port 443 should not be listet....are we thus loosing the capabilities of blocking https phishing sites?

[Marcos 5,074]

4 minutes ago, bEeReE said:

This isn‘t the case any longer, isn‘t it? Referring to other posts, port 443 should not be listet....are we thus loosing the capabilities of blocking https phishing sites?

Port 443 can be listed if you have Big Sur 11.2. It used to cause issues in v11.0 and 11.1.

[bEeReE 4]

31 minutes ago, Marcos said:

Port 443 can be listed if you have Big Sur 11.2. It used to cause issues in v11.0 and 11.1.

Thanks a lot! Added to the web protection and now much more phishing sites are detected.... great.

[itman 1,659]

As far as bypassing parental controls, there are numerous apps to do so. Here's one for Chrome; https://chrome.google.com/webstore/detail/gom-vpn-app-to-bypass-blo/eelphgpfmjhndihoopgadghfonahifel .

Any device a child has access to needs to be locked down. That includes installation of browser extensions.

[bEeReE 4]

13 hours ago, DawnMarie said:

My son said he disabled the software by doing something with the VPN.  Is there a way to prevent this? Otherwise, I can see no point in trying to use this software. 

I don't use parental control. But depending on what you mean with "something with the vpn" I guess he deactivated the Eset Proxy in macOS's network settings or he installed a vpn service etc. If you want to fully control his machine, you should probably create an administrator account and downgrade his account to a standard account. Then, you can ensure that administrative tasks require administrator password (e.g. macOS settings/security/additional options"). Changing the network settings or installation of applications etc. could be restricted this way. Further, Eset can be configured to restrict "performing changes" only to administrator users (Eset settings related to privileges).

 

Edited February 19, 2021 by bEeReE

[itman 1,659]

I guess someone will have to run a test to determine if these browser based VPN's; here's another one; https://chrome.google.com/webstore/detail/stay-secure-with-cybergho/ffbkglfijbcbgblgflchnbphjdllaogb , can bypass Eset parental control blocking. Technically speaking, Eset's SSL/TLS protocol scanning is being performed on all ports. I guess it would depend on what VPN protocol is being used in these browser based VPN's. Appears Eset is only filtering TCP traffic.

Edited February 19, 2021 by itman

[bEeReE 4]

Can‘t eset block a related category? E.g. proxies, vpns or uncategorized sites? Depends on categorization, not?

 

[itman 1,659]

2 hours ago, bEeReE said:

Can‘t eset block a related category? E.g. proxies, vpns or uncategorized sites? Depends on categorization, not?

 

No. Those categories don't exist in Parental Control. Only content related categories; e.g. 12+, can be selected.

[itman 1,659]

Seems the way around this issue is to use something that is router based such as Cicso's Family Shield: https://umbrella.cisco.com/blog/introducing-familyshield-parental-controls that works in conjunction with OpenDNS.

Obviously, router access needs to be locked down.

Edited February 19, 2021 by itman

[bEeReE 4]

36 minutes ago, itman said:

Seems the way around this issue is to use something that is router based such as Cicso's Family Shield: https://umbrella.cisco.com/blog/introducing-familyshield-parental-controls that works in conjunction with OpenDNS.

Obviously, router access needs to be locked down.

I use Untangle NG Firewall and I am quite happy. I can block applications like your posted cybergho based on dedicated application filter etc. 

However, router based doesn‘t work if you are on mobile network etc. Similarly, DNS filters will not work if you change the DNS settings on your client and being outside of your controlled LAN. For sure, you could force VPN connection to home via App etc., but not if there is a possibIlity to easily delete the app. Depending on the age, they can also install a rogue access point and build their own WLAN at home thus not being detected as the child’s device if you don‘t monitor onboarding of new devices and and and. I think you can‘t control much if the clients itself aren’t under control. 

And then the question is, if and up to which age you want to block everything or just focusing on monitoring and awareness/discussions. 

[itman 1,659]

I actually found a posting on this subject: https://security.stackexchange.com/questions/107105/what-do-browser-vpns-actually-do . The gist of it is:

Quote

Normally if you load http://www.example.com, your computer makes a connection to www.example.com and loads and displays the web page. If you're using a VPN, the request goes through the VPN provider's VPN server first, then on to www.example.com, back to the VPN server, and then to your computer. The link between your computer and a properly configured VPN server is encrypted, so your ISP and anyone on your network cannot see any details of what you're browsing.

I believe Eset's Parental Control monitoring is IP address based as is most of Eset's web filtering.

[Marcos 5,074]

10 hours ago, itman said:

I actually found a posting on this subject: https://security.stackexchange.com/questions/107105/what-do-browser-vpns-actually-do . The gist of it is:

I believe Eset's Parental Control monitoring is IP address based as is most of Eset's web filtering.

Parental Control is based on URLs, not on IP addresses. As for web filtering, it works with both IP addresses and domains so we can blacklist either.

[bEeReE 4]

4 hours ago, Marcos said:

IP addresses and domains so we can blacklist either.

But how to deal with such vpn an proxies? Isn‘t there a possibility of blocking a „proxy“ category? How is e.g. cyberghostvpn.com be categorized?

[Marcos 5,074]

35 minutes ago, bEeReE said:

But how to deal with such vpn an proxies? Isn‘t there a possibility of blocking a „proxy“ category? How is e.g. cyberghostvpn.com be categorized?

hxxp://cyberghostvpn.com - Category:Technology

 

 

[bEeReE 4]

1 hour ago, Marcos said:

Category:Technology

Would be beneficial to categorize such sites into a separate category so that users will be able to block those, in my point of view....I am not affected. But for others it may be great...

Categorization of Brightcloud: Proxy Avoidance and Anonymizers.

 

[itman 1,659]

Here's an interesting parental controls bypass; no proxy or VPN needed:

Quote

Google Translate Proxy

This is another bypass method I would expect some children to be aware of. If a URL is blocked, they can use Google Translate as a makeshift proxy. It is as easy as setting a language you do not speak in the text input field, entering the URL you wish to access, and waiting for Google to automatically translate it.

The "translated" URL will become a link. The site will open in full, albeit within Google Translate. This can be slightly slow, but it is unlikely to be slow enough to discourage a determined mind.

https://www.makeuseof.com/tag/7-ways-children-might-bypass-parental-control-software/

Edited February 20, 2021 by itman

[itman 1,659]

As far as Webroot's BrightCloud filtering:

Quote

58  Proxy Avoidance and Anonymizers

 Proxy servers and other methods to gain access to URLs in any way that bypasses URL filtering or monitoring. Web-based translation sites that circumvent filtering.
http://anonymouse.org
http://surfen-op-school.com

https://www.brightcloud.com/tools/change-request.php#

BrightCloud use is not free with cost based on URL lookup use.

Edited February 20, 2021 by itman

[Marcos 5,074]

I was unable to circumvent Parental block neither through anonymizers nor Google Translate (tested on Windows):