SCIENTIFIC-LINUX-USERS Archives

March 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Paul Robert Marino <[log in to unmask]>
Reply To:
Paul Robert Marino <[log in to unmask]>
Date:
Mon, 7 Mar 2016 19:25:53 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (168 lines)
jdow
There are commercial (Squid uses the BSD License) versions based on Squid 3 that can do
this out of the box; you can also do a DIY version, but it takes a considerable
amount of work.

The one thing is they are somewhat controversial, so you need to notify
your employees that you are doing it to avoid liability if you do it
across the board. What they do is provide a dummy cert internally,
decrypt the data, pass it through an external analysis program, then
re-encrypt it using the actual site's cert to forward it.
By the way, this is essentially how Superfish worked, except they
installed an agent on the client device to transparently redirect to
their proxies (there were Apple iOS and Android versions of the agent
too, not just the Windows version Lenovo was shipping out in their
computers).
The risk in this approach is that the Squid proxy will need to
dynamically create SSL certs for the internal connections, so unless
it is assisted by a very expensive (last I looked, $10k+ each)
hardware SSL accelerator card, they will need to be very weak certs;
otherwise you will have connections blocked due to lack of entropy.
That said, you can limit the liability by limiting the behavior to
specific domains such as microsoft.com.
On Sat, Mar 5, 2016 at 5:36 AM, jdow <[log in to unmask]> wrote:
> If squid can find usefully unique patterns in encrypted traffic I suppose
> that might work. But that's one heck of a big "if".
>
> {o.o}   Joanne
>
>
> On 2016-03-05 02:15, Karel Lang AFD wrote:
>>
>> Hmm ... yes, yes.
>> Thanks for bringing this up.
>> I force all http traffic through the squid proxy on our SL 6 gateway; this
>> could also be helpful.
>>
>>
>>
>> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>>>
>>> The only way I can think of is to force all internet access through a
>>> proxy and filter it out in the proxy.
>>> Then you don't give the machines any internet access, just access to the
>>> proxy.
>>> Unfortunately I do not have details for you on how to filter the snoop
>>> messages because I haven't looked at them, but it should be fairly easy
>>> using Squid and an external Perl regex filter script or other filter
>>> application; you will take a latency hit, though, because you will have
>>> to inspect every transaction.
>>>
>>>    Original Message
>>> From: jdow
>>> Sent: Friday, March 4, 2016 23:35
>>> To: [log in to unmask]
>>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>>
>>> That Windows update server is a relay for the "snoop" messages. About the
>>> only way to totally stop the snoop messages is to totally isolate the
>>> network containing Windows machines from the network. Any Windows machine
>>> can serve as a relay point for any others.
>>>
>>> {o.o}
>>>
>>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>>>
>>>> Hi guys,
>>>>
>>>> Firstly, sorry Todd, I don't know how it happened that I got attached to
>>>> your thread.
>>>>
>>>> Secondly, thank you all for your thoughtful posts.
>>>>
>>>> I know it is not easy to block the selected traffic from Windows 10, and
>>>> you are right, it is being backported to Windows 7 as well. Horrible and
>>>> disgusting.
>>>>
>>>> I already have a Windows server in the LAN dedicated as an update server
>>>> (work of my Windows colleagues), so the PCs don't have to access Windows
>>>> Update servers outside the LAN; this should simplify things.
>>>>
>>>> Also, the PCs must have internet access for email, http, https, ftp, sftp;
>>>> simply the 'usual' stuff.
>>>> Still, I think there should be a way. I'll try to consult MikroTik
>>>> experts (the router brand we use) and guys from our ISP.
>>>> If I have something, I'll let you know :-)
>>>>
>>>> Thank you, bb
>>>>
>>>> Karel
>>>>
>>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>>>
>>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Guys, I think everyone has already heard about how badly Windows 10
>>>>>> treats its users' privacy.
>>>>>
>>>>>
>>>>> My solution to this was to finally get rid of Windows 7 on my desktop
>>>>> PC, as most of the telemetry has also been 'back ported' to Windows 7.
>>>>> You can't stop it.
>>>>>
>>>>>> I'm now thinking about a way to stop Windows 10 sending these data
>>>>>> mining results to Microsoft telemetry servers and filter it on our
>>>>>> SL 6 Linux gateway.
>>>>>
>>>>>
>>>>> Nope. There are no specific servers in use - just general - so whatever
>>>>> you block will end up killing other services.
>>>>>
>>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>>> similarly filter torrent streams on our gateway; I patched the standard
>>>>>> SL 6 kernel with 'xtables' (an iptables enhancement) and it is working
>>>>>> extremely well.
>>>>>
>>>>>
>>>>> I would be interested to see if you could identify telemetry packets in
>>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>>> sure you let the world know though!
>>>>>
>>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>>>
>>>>>
>>>>> Correct.
>>>>>
>>>>>> I'm no Windows expert, but I'm a Unix administrator concerned about the
>>>>>> privacy of Windows desktop/laptop users sitting inside my LAN.
>>>>>>
>>>>>> What I'd like to come up with is some more general iptables rules,
>>>>>> rather than blocking specific IP addresses or names, because apparently
>>>>>> they may change in any incoming Windows update ...
>>>>>>
>>>>>> Has anyone given this thought already? Is anyone else concerned the way
>>>>>> I am?
>>>>>
>>>>>
>>>>> Yup, and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>>> a few things that I like, so Fedora is a happy medium for me, as I
>>>>> still have the fedora-updates-testing repo enabled). My work laptop as
>>>>> well as my personal laptop, and now my home desktop, all run Fedora 23
>>>>> (KDE Spin if you hate Gnome 3, like me).
>>>>>
>>>>
>>>
>>
>
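The domain-limited SSL bump that Paul describes above (decrypt only chosen domains, pass everything else through untouched), written out as a Squid 3.5 configuration fragment. This is an added example for readers of the thread, not configuration posted by anyone in it; it assumes a Squid 3.5 build with the ssl_crtd helper (SL 6's stock Squid 3.1 has no peek/splice support), and the CA file, certificate database, helper and log paths are placeholders chosen for this example.

```squid
# Added example, not from the thread. Squid 3.5 "ssl_bump" restricted to
# one domain. All file paths below are assumptions for an SL 6 host.

# Explicit proxy port. Per-host certificates are generated on the fly and
# signed by an internal CA that the managed Windows clients already trust.
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/internal-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints and caches the dynamic certificates. Initialise the
# database once with:  ssl_crtd -c -s /var/lib/squid/ssl_db
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Step 1 only peeks at the TLS ClientHello, so the requested server name
# (SNI) is known before any decision to decrypt is taken.
acl step1 at_step SslBump1
acl bump_domains ssl::server_name .microsoft.com

# Peek first, decrypt only the listed domain, splice (tunnel unmodified)
# every other TLS session. The "splice all" default keeps the scope of
# interception as narrow as the ACL.
ssl_bump peek step1
ssl_bump bump bump_domains
ssl_bump splice all

# Record per connection which action was taken and for which SNI, so the
# interception scope stays auditable.
logformat bumplog %ts.%03tu %>a %ssl::bump_mode %ssl::>sni %Ss/%03>Hs
access_log /var/log/squid/bump.log bumplog
```

The design point is the ordering of the three ssl_bump lines: peek at step 1 costs nothing cryptographically and only reads the SNI, the bump rule is the single place where dynamic certificate generation (the entropy and CPU cost Paul mentions) is incurred, and the final splice rule means a domain that is not explicitly listed is never decrypted. The separate log gives the administrator a record of exactly which sessions were bumped versus spliced.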
