Web blocking not blocking


#1

Router is a Surf SOHO HW2 running firmware 7.1.1 build 3102

In Advanced -> Content blocking -> Web blocking there is an entry for adnexus.net as shown below.

I have recently been running a Windows program that logs all TCP/UDP connections. It's called TcpLogView, from here
http://nirsoft.net/utils/tcp_log_view.html

It has caught a few instances of a browser opening a connection to a computer at adnexus.net on port 443. For example

462.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net

A screen shot of the details is below. The URL is cut off, but it ends with adnexus.net


Am I missing something or is this a bug?


#2

There’s a bit of a difference in the way we do http vs https content blocking.
For http requests, it matches against the hostname/domain name, so adding adnexus.net to the content blocking list would work just fine, as it would block everything that matches *.adnexus.net.

For https requests, however, we match against the server name from the Client Hello packet, as the payload is encrypted, which in this case is *.adnxs.com.
If you add adnxs.com to your content blocking list, it should block the above URL for you.


#3

Perhaps there was a misunderstanding.
There is no dot com, everything is .net. The URL was
462.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net

That said, I don’t follow your explanation. In this case would not the server name in the Client Hello packet be 462.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net?


#4

Actually after investigating more, I found that there was a bug in the SSL Client Hello parsing code which was being triggered in this particular case. If we can’t find a server name from Client Hello via SNI, we try to get the common name from the certificate via Server Hello which is what we were reverting to in this case. After the fix, we get the correct hostname and the blocking works correctly.


#5

Thank you for investigating.