
246 points nh2 | 1 comments
bluGill ◴[] No.41913725[source]
Looks good, but I want to MitM my network. I want youtube.com to redirect to my internal server that only has a few approved videos. My kids do some nice piano lessons from youtube, but every time I let them they wait until I'm out of the room and then switch to something else. There are lots of other great educational videos on youtube, but also plenty to waste their time on. (I want this myself as well since I won't have ads on my internal youtube server - plus it will add an extra step and thus keep me from getting distracted to something that isn't a good use of my time to watch.)
EvanAnderson ◴[] No.41914060[source]
> Looks good, but I want to MitM my network.

Increasingly that kind of requirement puts you in the same camp as oppressive nation states. Being a network operator and wanting to MitM your DNS makes you a political actor. Devices you paid for, but don't actually own, will end-run your efforts by using their own hard-coded DNS servers. (See https://pc.nanog.org/static/published/meetings/NANOG77/2033/...)

bluGill ◴[] No.41914284[source]
Fortunately I own my firewall. Though mostly I'm talking about linux machines that I own and control the software on.

Though I fully understand I'm in the same camp as oppressive nation states. But until my kids get older I'm in charge, I need to set them up for success in life, which is a complex balance of letting them have freedom without allowing them to make too many bad decisions. Not getting their homework done because they are watching videos is one of the bad decisions I'm trying to prevent.

1. EvanAnderson ◴[] No.41916070[source]
> Fortunately I own my firewall.

I was thinking more about embedded devices that people buy but don't own (Chromecast devices, "Smart" home doodads, etc). You can stick them in a VLAN and filter their access to the Internet but they're inscrutable inside and have opaque, encrypted communication with their "mother ship".

I think your goal with your kids is laudable. I do the same thing. It limits the ability to use off-the-shelf devices and software, and I'll get more flak about it as my daughter gets older and is excluded from the "social" applications that I can't allow her to use because they're closed-source and not able to be effectively filtered. I'll burn that bridge when I get there, I suppose...