On Fri, Jul 2, 2010 at 8:03 AM, Luke Jaeger <[email protected]> wrote:
> I can't block tcp 443 on a wholesale basis; we need it for lots of stuff.
> If I can do it for a single domain, I'm there.
>
> The idea is to set up a non-transparent proxy for all traffic and block any traffic not using the proxy.

The whole purpose of https is to prevent a third party (in this case your firewall) from seeing anything above the minimum routing information (source and destination IP address). I think WPAD is the way to go for this one.
(Where I went to high school, they somehow blocked certain https sites, but I think it was by IP and the subscription service they used for the block list actually listed all the IPs for facebook and other blocked sites.)
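As an added illustration of the explicit-proxy-plus-WPAD approach discussed above (not code from anyone in the thread): a PAC script of the kind WPAD serves to browsers, and the proxy-side CONNECT check that lets one domain be blocked even though the firewall only sees encrypted packets. The proxy name and port, the internal domain and the LAN setup are assumed placeholders, and the PAC helpers are minimal stand-ins for the ones a browser provides.

```javascript
// Browsers provide these PAC helpers; minimal versions here so the script runs under Node.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Proxy auto-config script, served to clients via WPAD (http://wpad.<domain>/wpad.dat).
// Local hosts go direct; everything else goes through the explicit proxy, so the
// firewall only needs to allow the proxy itself out on tcp/443 and can drop direct
// client traffic. proxy.example.internal:3128 and .school.internal are assumed placeholders.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, '.school.internal')) {
    return 'DIRECT';
  }
  return 'PROXY proxy.example.internal:3128';
}

// With an explicit proxy, an HTTPS client first sends "CONNECT host:443 HTTP/1.1"
// in the clear, so the proxy (unlike a firewall looking at TLS packets) sees the
// hostname and can apply a per-domain policy before any encrypted byte flows.
function decideConnect(requestLine, blockedDomains) {
  const m = /^CONNECT\s+([^\s:]+)(?::(\d+))?\s+HTTP\/1\.[01]$/.exec(requestLine.trim());
  if (!m) return { action: 'deny', reason: 'not a CONNECT request' };
  const host = m[1].toLowerCase();
  const port = m[2] ? Number(m[2]) : 443;
  // Only tunnel to the HTTPS port; CONNECT to arbitrary ports turns the proxy into an open relay.
  if (port !== 443) return { action: 'deny', reason: `port ${port} not permitted` };
  // Match the domain itself and any subdomain (www.facebook.com, m.facebook.com),
  // but not unrelated names that merely end in the same letters (notfacebook.com).
  const hit = blockedDomains.find(d => host === d || host.endsWith('.' + d));
  if (hit) return { action: 'deny', reason: `blocked domain ${hit}` };
  return { action: 'allow', reason: host };
}

// Constructed sample request lines; facebook.com is the blocked site mentioned in the thread.
const BLOCKED = ['facebook.com'];
console.log(FindProxyForURL('https://www.facebook.com/', 'www.facebook.com'));
console.log(decideConnect('CONNECT www.facebook.com:443 HTTP/1.1', BLOCKED));
console.log(decideConnect('CONNECT mail.google.com:443 HTTP/1.1', BLOCKED));
```

The blocking still depends on the firewall rule the thread mentions: if clients can reach tcp/443 directly, they simply ignore the PAC file and the proxy never sees the CONNECT.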
