Sunday, April 18, 2010

OS X Parental Controls: The https bug and our family Google Apps services

OS X has a longstanding bug with parental controls and https connections. In my home with a 10.5 machine I need to use https for Parental Controlled Wikipedia, but other times it doesn't work.

Even things that do work can stop. My son has open access to a tightly locked account. I wanted that access to include his email (hosted on our family domain Google App services - now managed via Dreamhost) so I put our family domain on the allowed list. About two weeks ago it stopped working; I got the inane Apple "couldn’t establish a secure connection to the server" error message.

I'd run into Apple Parental Control's notorious https minefield. Consider this discussion thread that began in 2005 and is still alive in 2010!
Apple - Support - Discussions - Secure Connections and Parental Controls ...

... I have Parental Controls turned on....

The problem that I'm experiencing is that when I try to connect to some secure sites, sometimes Safari complains:

Safari can’t open the page '...' because it couldn’t establish a secure connection to the server “...”."
In 2009 "Mango Buzz" commented ...
... I finally got a fix that seems to work, however, it may be cumbersome. It involves finding the IP address of the websites you are wanting to add...

... I added both the web address with the prefix http and https for both the domain name and the ip address. So far this has worked.
Matt Wagner had some interesting background in 5/09, though he's wrong about the fix. Adding https sites to the allowed list doesn't always work ...
According to http://support.apple.com/kb/HT2900 , the problem that we have been experiencing is by design. Secured connections are encrypted (obviously). This means that the contents of the website are unreadable by the content filter. Because of this, Apple decided to block all connections to secured connections. Just like zuciello explained above, the only way around this problem is to add secured sites that you do not want blocked to the list of allowed sites.
In Aug 2009 biovizier suggested something odd enough to be credible ...
.."I've got a user that is managed, but allowed unrestricted access to web and applications.[...]If access is unrestricted, the parental controls should not interfere with web communication at all."...

When "parental controls" are enabled, whether web restrictions are in place or not, it somewhat stupidly by default enables logging for internet traffic, passing requests through an internal proxy server to do so. It is at this stage that secure connections are being interfered with.

In your situation, since you don't appear to be interested in restricting web use, just turn the logging off as a workaround, eg.

/usr/bin/sudo /usr/bin/dscl . -mcxset /users/username com.apple.familycontrols.logging web always -bool false

Enter the command using "/Applications" > "Utilities" > "Terminal.app" while logged in to an "admin" account, substituting the managed users "short name" where it says "username".
In March of 2010 Sidney San Martin contributed a monster post ...
We ran into this problem, and a wonderfully helpful Apple technician dug up a solution brought down from engineering ... The problem is that https, by design, keeps the hostname you're trying to access (apple.com, mail.google.com, etc.) secret. The computer can't determine directly whether the connection should be allowed. It does know the IP address, and performs a reverse lookup on that IP address get the hostname it checks against your list of allowed sites.

So, the solution is to add as an allowed site the hostname associated with the IP address. It's not too difficult, but does require that you dive into the Terminal.

As an example, let's try to allow access to the Apple store. Start with the hostname you know: store.apple.com. Head into Terminal, and type:

host store.apple.com

You should get back something like this:

store.apple.com is an alias for store.apple.com.akadns.net.
store.apple.com.akadns.net has address 17.251.201.32
store.x.com.akadns.net mail is handled by 10 cbox-ember01.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember02.apple.com.
store.apple.com.akadns.net mail is handled by 10 cbox-ember03.apple.com.

You can ignore everything except the address line. Now we know that the Apple Store's IP address is 17.251.201.32. Let's use host again:

host 17.251.201.32

Which returns

32.201.251.17.in-addr.arpa domain name pointer cup-store.apple.com.

Which is the information that we're looking for. The reverse DNS name of the Apple Store's only IP address is cup-store.apple.com. You can add this to allowed sites, or just add apple.com.

Head back over to the store page, reload, and see if everything's loading. You can use the Activity window (in the Window menu) to see what is and isn't loading successfully on the page. In some cases, you may find content that's not loaded from the same domain — in this case, static content like images is coming from a248.e.akamai.net. You can follow the same steps to find the reverse DNS names of these other domains.

If a domain resolves to multiple IP addresses, check a few of them. If you're lucky, they'll all point to the same or similar domains, and you can just add the second level domain to allowed sites. If you're not, they may not have reverse DNS records at all, and you'll get a response like this:

Host 153.234.138.207.in-addr.arpa. not found: 3(NXDOMAIN)

In this case, you may have to add all of the IP addresses individually to allowed sites.

If you're having trouble with this method of finding reverse DNS, try to load a problematic site and check the Parental Controls logs. The site should show up under Websites Blocked. Open one of the history entries in a browser. It should just show up as a hostname or IP address, with nothing after the slash. That's the address you need to add

Finally, if you just want to allow access to GMail, I did the work for you: most of Google's IP addresses resolve to a .1e100.net address. If you add google.com and 1e100.net to allowed sites (Google has lots of IPs, it's not worth trying to add them individually), you should be all set.
I tried several of the above fixes (but not disabling logging - I need logging) and more, but I had no luck [1]. Note that I wasn't trying to provide access to google.com or gmail.com -- just family domain Google Apps.

I did finally get something working. I had to ...
  1. Switch from OpenDNS to Google DNS.
  2. As per San Martin add google.com and 1e100.net to the list of approved sites.
  3. Instead of using the URL "mail.myfamilydomain.com" I had to use https://mail.google.com/a/myfamilydomain/#inbox .
I would have preferred not to enable access on this account to www.google.com, but I really did need to have google.com as an authorized site.

I didn't used to have to do all this, so it feels like Google and/or OpenDNS or both of them changes something about two weeks ago.

[1] It's so incredibly tedious. You have to log out of the account, make changes from an admin account, log in again, etc. It saves a bit of time if you remotely manage the parental control prefs rather than use a local admin account. If you look at blocked sites in the logs you can get a clue what's going on and you can right click on blocked sites to enable them. When doing remote admin you need to force a write of your changes by switching tabs - I keep forgetting to do that.

Update:
  • A series of Google discussions in 10/2009 suggested adding the Google.com IP address to the permitted site list: https://74.125.45.100. I believe this is the "secret sauce".
  • Another user was dealing with "try to block adult content automatically" problem of all https being blocked. They used a pattern template in permitted sites: [https://*.*.gmail.*.*]. I am skeptical that this adds anything.
Update 5/5/10:
  • From a google help forum Jawl's Dad wrote: I opened a terminal ... and typed the command host mail.google.com. The first four addresses [see San Martin, above] I added to the 'Allowed sites' with https://a.b.c.d and it works fine now....
Ahh, yes. The Host file. Slowly the memories return. I used to edit host files back when we had to make our own electricity. I'd forgotten about using it to block domains, but that method goes back to the very dawn of the net. It was once used to block advertisers, but I think they got around that. Note that editing the Host file impacts ALL users on a machine, and you may need to worry about permission related side effects.

Searching on Parental Controls and "Host file" brought me a few references.
Update 6/9/10: After a bitter battle, and a review of 3rd party parental control solutions that suggested this was a dying market, I again restored https access to google. So I had to walk through the above post.

I can't say it's the only thing one has to do, but the addition of https://74.125.45.100 to the Parental Controls whitelist did the trick. It resolves, by the way, to a beta trial of encrypted search services. I need to enable this google.com access even when my son is using our Google Apps site -- the authentication step requires an https Google.com connection.

Update 2/7/11: I gave up on using Google web tools. Not at all family friendly. Did come across a tip to add to this thread ...

One more step is required: after adding https://74.125.45.100  which actually only took me to the google home page (though Parental Controls still restrict any browsing from there) THEN ALSO ADD https://mail.google.com/mail - so the combination of the two additions in the allowed websites does the trick - then when attempting to access Gmail go to gmail.com and the Gmail homepage opens
See also:
--
My Google Reader Shared items (feed)

7 comments:

Patrick said...

After spending a few hours with our Apple rep this AM we determined that adding https://px-in-f99.1e100.net to the white list in parental controls allowed access to our school's instance of Google apps (mail, calendar, docs, sites).

Kyle said...

After trying several of the options in this post, I finally settled on a solution that's pretty simple:

When you try to visit a https site from the restricted account, it's noted under the "Logs" tab in your Parental Controls. To grant access, simply select the appropriate item(s) and click the "Allow" button.

Anonymous said...

Looking on the logs tab is a good idea. For gmail you might end up with a number of different servers, though. In a case like this you can use the * to represent a wildcard, so in my entry I have https://*.1e100.net and that works like a charm. What a hassle...

Anonymous said...

The Aug 2009 biovizier "solution" - turning off the auto logging with the terminal command - worked. No issues accessing gmail, LegoDigitalDesign, etc....
Of course this is only applicable if you're not restricting website access and you don't care about logging.

Anonymous said...

I followed Sidney San Martin's tip to get https://sites.google.com working on my daughter's computer, there were 15 address that it resolved to but got them all in to the Parental Controls Allowed list and it works great now.

Anonymous said...

This post was very helpful in getting my son's Macbook to access one of his homework sites. Thank you!

Stacy

Javier said...

Have you any advice for facebook? I've tried the terminal method, but I can't get it working no matter what. I've added *.facebook.com, a bunch of IP addresses (but there seem to be hundreds for facebook). any ideas ? i've scoured the net. I want my kid to have a facebook page without disabling the rest of parental controls. thanks in advance.