On 05/03/16 11:36, jdow wrote:
> If squid can find usefully unique patterns in encrypted traffic I suppose that
> might work. But that's one heck of a big "if".

A quick google search on "transparent https proxy" gave me these:

<http://docs.mitmproxy.org/en/stable/howmitmproxy.html>
<http://rahulpahade.com/content/squid-transparent-proxy-over-ssl-https>

I probably have more "faith" in the mitmproxy approach, as that seems generally
more designed with https in mind.

--
kind regards,

David Sommerseth


> On 2016-03-05 02:15, Karel Lang AFD wrote:
>> Hmm ... yes, yes.
>> Thanks for bringing this up.
>> I force all http traffic through the squid proxy on our SL 6 gateway, this could
>> be also helpful..
>>
>> On 03/05/2016 11:00 AM, [log in to unmask] wrote:
>>> The only way I can think of is to force all internet access through a proxy
>>> and filter it out in the proxy.
>>> Then you don't give the machines any internet access, just access to the proxy.
>>> Unfortunately I do not have details for you on how to filter the snoop
>>> messages because I haven't looked at them, but it should be fairly easy
>>> using squid and an external Perl regex filter script or other filter
>>> application, but you will take a latency hit because you will have to inspect
>>> every transaction.
>>>
>>> Original Message
>>> From: jdow
>>> Sent: Friday, March 4, 2016 23:35
>>> To: [log in to unmask]
>>> Subject: Re: snooping windows 10 - how to stop it on a linux gateway?
>>>
>>> That windows update server is a relay for the "snoop" messages. About the only
>>> way to totally stop the snoop messages is to totally isolate the network
>>> containing Windows machines from the network. Any windows machine can serve as a
>>> relay point for any others.
>>>
>>> {o.o}
>>>
>>> On 2016-03-04 20:16, Karel Lang AFD wrote:
>>>> Hi guys,
>>>>
>>>> firstly, sorry Todd, I don't know how it happened I got attached to your
>>>> thread.
>>>>
>>>> secondly, thank you all for your thoughtful posts.
>>>>
>>>> I know it is not easy to block the selected traffic from windows 10 and you are
>>>> right, it is being backported to windows 7 as well. Horrible and disgusting.
>>>>
>>>> I already have a windows server in the LAN dedicated as an update server (work of my
>>>> windows colleagues), so the PCs don't have to access windows update servers
>>>> outside the LAN - this should simplify things.
>>>>
>>>> Also the PCs must have internet access to email, http, https, ftp, sftp - simply
>>>> the 'usual' stuff.
>>>> I think, yet, there should be a way. I'll try to consult mikrotik experts (the
>>>> router brand we use) and guys from our ISP.
>>>> If I have something, I'll let you know :-)
>>>>
>>>> thank you, bb
>>>>
>>>> Karel
>>>>
>>>> On 03/05/2016 12:40 AM, Steven Haigh wrote:
>>>>> On 05/03/16 07:24, Karel Lang AFD wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> guys, I think everyone heard already about how windows 10 badly treats
>>>>>> its users' privacy.
>>>>>
>>>>> My solution to this was to finally rid Windows 7 off my desktop PC - as
>>>>> most of the telemetry has also been 'back ported' to Windows 7 also. You
>>>>> can't stop it.
>>>>>
>>>>>> I'm now thinking about a way how to stop a windows 10 sending these data
>>>>>> mining results to microsoft telemetry servers and filter it on our SL
>>>>>> 6 linux gateway.
>>>>>
>>>>> Nope. There are no specific servers in use - just general - so whatever
>>>>> you block will end up killing other services.
>>>>>
>>>>>> I think it could be (maybe?) done via DPI (deep packet inspection). I
>>>>>> similarly filter torrent streams on our gateway - I patched the standard SL
>>>>>> 6 kernel with 'xtables' (iptables enhancement) and it is working
>>>>>> extremely well.
>>>>>
>>>>> I would be interested to see if you could identify telemetry packets in
>>>>> the flow - but I'm not predicting much success. If you do get it, make
>>>>> sure you let the world know though!
>>>>>
>>>>>> I read (not sure if true) that some DNS resolutions to M$ servers are
>>>>>> even 'hardwired' via some .dll library, so it makes it even harder.
>>>>>
>>>>> Correct.
>>>>>
>>>>>> I'm no windows expert, but I'm a unix administrator concerned about the
>>>>>> privacy of windows desktop/laptop users sitting inside my LAN.
>>>>>>
>>>>>> What I'd like to come up with is some more general iptables rules, rather than
>>>>>> blocking specific IP addresses or names, because apparently they may
>>>>>> change in any incoming windows update ...
>>>>>>
>>>>>> Anyone gave this thought already? Anyone else concerned the way I am?
>>>>>
>>>>> Yup - and as I said, I'm now running Fedora 23 on my desktop (EL lags on
>>>>> a few things that I like - so Fedora is a happy medium for me - as I
>>>>> still have the fedora-updates-testing repo enabled). My work laptop as
>>>>> well as my personal laptop - and now my home desktop all run Fedora 23
>>>>> (KDE Spin if you hate Gnome 3 - like me).
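The "external regex filter script" for squid that the thread proposes can be written as a Squid external ACL helper. The block below is an added example, not code posted by anyone in this thread; it is in Python rather than the Perl the post mentions. Squid's helper protocol is real (one request line on stdin per lookup, `OK` or `ERR` on stdout, flushed), but the directive names `telemetry_check` and `telemetry`, the helper path, and the hostname patterns are assumptions: the thread names no telemetry endpoints, so the patterns are placeholders under `.example.invalid` to be replaced with what you actually observe on your own gateway.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that flags requests whose host matches a
regex list, so squid.conf can deny them (added example, not from the thread).

Wiring in squid.conf (hypothetical names and path):

  external_acl_type telemetry_check %URI /usr/local/bin/telemetry_acl.py
  acl telemetry external telemetry_check
  http_access deny telemetry

Squid semantics: the helper answers "OK" when the ACL matches and "ERR"
when it does not, so "OK" here means "this request hits the deny list".
"""
import re
import sys
from urllib.parse import urlsplit

# Constructed placeholder patterns: the thread gives no real hostnames.
# Anchored on the host, not the whole URL, so query strings cannot evade them.
DENY_PATTERNS = [
    r"(^|\.)telemetry\.example\.invalid$",
    r"(^|\.)diagnostics\.example\.invalid$",
]
_DENY = [re.compile(p, re.IGNORECASE) for p in DENY_PATTERNS]


def host_of(uri: str) -> str:
    """Return the host part of what Squid hands over as %URI.

    For plain HTTP the URI is a full URL. For HTTPS the client issues
    CONNECT and Squid passes only "host:port", which is all a proxy sees
    without TLS interception, so the host is the only thing we can match.
    """
    if "://" in uri:
        return (urlsplit(uri).hostname or "").lower()
    host, sep, _port = uri.rpartition(":")
    if not sep:          # bare host, no port
        host = uri
    return host.lower().strip("[]")


def decide(line: str) -> str:
    """Map one helper request line to Squid's OK (ACL matches) / ERR reply."""
    uri = line.strip()
    if not uri:
        return "ERR"
    host = host_of(uri)
    if any(p.search(host) for p in _DENY):
        return "OK"      # matches the list; with "http_access deny" squid blocks it
    return "ERR"         # not on the list; other http_access rules decide


def run_lines(lines):
    """Decide a batch of request lines; used by serve() and easy to test."""
    return [decide(line) for line in lines]


def serve(inp=sys.stdin, out=sys.stdout) -> None:
    """Answer requests one per line until Squid closes the pipe."""
    for line in inp:
        out.write(decide(line) + "\n")
        out.flush()      # Squid blocks waiting for each reply; never buffer


if __name__ == "__main__":
    serve()
```

This only does anything if the LAN hosts have no route to the internet other than the proxy, as the thread already notes, so pair it with gateway rules that drop direct egress from the client subnet. The host-only match is also the honest limit of the approach: without the TLS interception described in the mitmproxy and squid links above, the proxy never sees the URL or body of an HTTPS request, and Steven Haigh's point stands that a list of hosts shared with other services will break those services too.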