[squid-users] Youtube "challenges"
Eliezer Croitoru
eliezer at ngtech.co.il
Thu Feb 25 14:54:21 UTC 2016
OK so I think that you are just on-top of YouTube\Google.
I would like to clear out couple things so you would have a better view
of couple things from my knowledge and understanding of YouTube way of
action.
From what I and couple others analyzed it seems that YouTube\Google are
using a nice technique that is not really new in the web world in order
to achieve almost the same goal as you want.
Every request to YouTube and probably also Google systems is somehow
being stamped or marked for identification. If they do have so many
storage and CPU resources they might be able to also save these for
historical analysis.(somebody said something about "everything you do is
written in the book"?)
For the temporary side of the picture it would give YouTube systems the
option to generate a somehow unique enough links that only this specific
IP+UA+Other properties(maybe) can use. The user can access these special
videos links only if the request matches the protocol the source ip and
the other properties.
If you are able to predict or produce these links you are in a good
enough state and you can somehow allow or deny access based on something
solid rather then plain YouTube domains splice.
It is a bit hard for me to understand what application will be run on
the local server and it could also be some reverse proxy to YouTube systems.
Since you where mentioning links in a local page then it is much simpler
to choose the desired link.. plain HTTP can be good enough to easy up
the task. If for any reason you would be required to touch any public
YouTube links I would really suggest you to start digging into SSL-BUMP.
Indeed the heart beat idea is nice and if indeed you do have the option
to tie the specific browser\user session and the YouTube connection to
this specific page request you will have an easy job but I suspect it
might be an issue unless you do have some kind of client side software
that "knows" anything that moves on the client machine\pc\device.
If you do have the option to run an ICAP or eCAP solution all the above
tasks are much simpler but still do not provide you anything that ties
the request\user\device to session unless you will be able to use
SSL-BUMP on the connections.
And I have another trump card for you\others in the case you do have the
option to somehow install your own software on the client side.
Indeed squid has SSL-BUMP and it requires you\client install a ROOT CA
certificate on the device. But there are other options for targeted
domains such as YouTube.
In theory you can somehow install a specific certificate that will be
tied to one or more local hosts that will be some kind of reverse proxy
to YouTube services. It's not so "simple" since certificates changes
and\or updates might be applied but it is commonly used in the PC world
by more then one Internet security product and sometimes is considered
more secured then a permanent ROOT CA certificate installation.
All The Bests,
Eliezer
On 25/02/2016 05:52, Darren wrote:
> Hi All
>
> Thanks for the feedback and thanks Eliezer for the Brain Dump on the
> subject. I shall have a good dig through and see if I can gain further
> inspiration.
>
> What I am chiseling away at now is the following idea.
>
> The user visits a page on my server with the YouTube links. Visiting
> this page triggers a state based ACL (something like the captive portal
> login).
>
> The user then clicks a YouTube link and squid checks this ACL to see if
> the user is originating the request from my local page and if it is,
> allows the splice to YouTube and the video can play.
>
> The ACL would need to be tied to the client and the browser session some
> way.
>
> Once the user leaves the page, the ACL goes away (or expires) and
> splicing to YouTube is blocked again.
>
> As I control the master page, I could have it send a heartbeat to the
> local server to keep the splice to YouTube ACL active to allow setting a
> shorter timeout to remove the ACL permission once the user moves on.
>
> thanks again to all, I will let you know if I crack this nut.
>
> Darren Breeze
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Sent from Mailbird
> <http://www.getmailbird.com/?utm_source=Mailbird&utm_medium=email&utm_campaign=sent-from-mailbird>
>>
>> On 25/02/2016 10:33:48 AM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:
>>
>> Hey Steve,
>>
>> I have not reviewed every product but I have tried couple and these I
>> have tested do not have a really good system that filters YouTube videos
>> the way I would have imagined.
>> I have not tested your product... and I was wondering if the next URL
>> will be filtered by you software in some way?
>>
>> https://www.youtubeeducation.com/embed/KdS6HFQ_LUc
>>
>>
>> I have seen couple pretty really amazing filtering ideas but each has
>> it's own limits. For example it is possible to analyze every in-transit
>> image and video+audio and categorize them which actually is a great
>> solution for many but the Achilles heel is there always.
>> Some filters has higher false positive rates while others has less but
>> leaves the user in abyss after reading a weird faked ransom malware JS
>> page.
>>
>> I am not sure if Darren requires a very restrictive environment or not,
>> which will result in the use of something like url based filtering or a
>> local portal.
>>
>> If there is a requirement for a local playback of YouTube videos rather
>> then a filtering solution I would try a simpler solution.
>> An example to such would be a local hosting service with some kind of
>> simple html5 or flash based player. It's far more simple then doing all
>> sort of weird things with YouTube links as embed inside an iframe.
>>
>> I have seen examples of couple projects that gives a full local video
>> library platform which is far better then YouTube for many use cases but
>> I have never used any of these. I have worked with couple html5 and
>> flash based video players and it actually pretty simple to use them with
>> any normal browser.
>>
>> I cannot really recommend my simple videos collection
>> page[http://ngtech.co.il/squid/videos/] as a tempting and a good looking
>> example but it can give something to anyone that needs.
>>
>> Eliezer
>>
>> * Darren, Take a glimpse at these ideas:
>> - http://blog.plumi.org/
>> - http://cumulusclips.org/
>> - http://mediadrop.net/
>> - http://demo.softaculous.com/enduser/index.php?act=software&soft=435
>> - http://www.netup.tv/en-EN/open_source.php
>> - http://www.cubiware.com/cubitv-iptv-middleware/
>>
>>
>> On 24/02/2016 11:59, Steve Hill wrote:
>> > On 23/02/16 05:01, Darren wrote:
>> >
>> >> AI am putting together a config to allow the kids to access selected
>> >> videos in YouTube from a page of links on a local server.
>> >>
>> >> I am serving up the YouTube links in the
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
More information about the squid-users
mailing list