blackice

Level 14
Verified
> With DoH coming to Windows soon, I wonder how the secure home router market will adapt, they can still do deep packet inspection on https but maybe this has a higher cost to implement.

Looking back over the thread I remembered that @Slyguy had mentioned it does some level of DPI (Layer 7?). I know when I asked them they said they were filtering at the domain level in some way. But, I reread their response email and it doesn't actually specify how they do it. Probably not wanting to divulge too much to average users about how it works.
 

notabot

Level 15
> Looking back over the thread I remembered that @Slyguy had mentioned it does some level of DPI (Layer 7?). I know when I asked them they said they were filtering at the domain level in some way. But, I reread their response email and it doesn't actually specify how they do it. Probably not wanting to divulge too much to average users about how it works.

If I recall correctly, under https the domain is visible (beyond the IP, which is anyhow visible) but not the full path in that domain, e.g. from www.xyzsampledomain.com/path/to/uri, www.xyzsampledomain.com is visible via network monitoring (before the handshake has completed) but /path/to/uri is not.

So them saying they filter domains is not in conflict with what you say @Slyguy had mentioned. Then the question is, do they indeed use DPI for blocking domains or do they use DPI for other purposes and block domains via DNS?
 

blackice

Level 14
Verified
> If I recall correctly, under https the domain is visible (beyond the IP, which is anyhow visible) but not the full path in that domain, e.g. from www.xyzsampledomain.com/path/to/uri, www.xyzsampledomain.com is visible via network monitoring (before the handshake has completed) but /path/to/uri is not.
>
> So them saying they filter domains is not in conflict with what you say @Slyguy had mentioned. Then the question is, do they indeed use DPI for blocking domains or do they use DPI for other purposes and block domains via DNS?

Very good question. Their support is very responsive if you ask a question through their site.
 

Slyguy

Level 43
There are plenty of ways they can process HTTPS traffic for identification. Also, since they have application layer protection available, you can be pretty assured they are using something similar to the following methods. None of these require MiTM or cert installation on local devices:

- Process HTTPS traffic by SNI (Server Name Indication): HTTPS traffic will be categorized using the "Server Name Indication" in the HTTPS data stream.
- Process HTTPS traffic by hostname in the server certificate when SNI information is not present.
- Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available.
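To make concrete what a router can see without intercepting TLS (the point notabot makes about the domain being visible before the handshake completes, and the three-tier method list above), here is an added Python example. It is not code from this thread, from Gryphon or from any vendor: it builds a minimal TLS ClientHello carrying a constructed SNI extension, extracts the server name the way a Layer 7 classifier would, and falls back to the certificate hostname and then the server IP in the order listed above. The builder, the cipher suite and extension values, and the sample hostname are test fixtures constructed for the example; a real classifier would read the ClientHello from the first bytes of the TCP stream.

```python
import struct
from ipaddress import ip_address


def build_client_hello(hostname=None, random_bytes=b"\x11" * 32):
    """Construct a minimal TLS 1.2-style ClientHello record (test fixture, not a real capture)."""
    # A dummy supported_groups extension (type 0x000a, x25519) so the parser has to walk past it.
    extensions = b"\x00\x0a\x00\x04\x00\x02\x00\x1d"
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type host_name(0)
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                                                      # client_version TLS 1.2
        + random_bytes                                                   # 32-byte client random
        + b"\x00"                                                        # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"                     # two cipher suites
        + b"\x01\x00"                                                    # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the host_name from the SNI extension of a TLS ClientHello, or None.

    None is returned for non-handshake records, truncated data, and ClientHellos
    that carry no SNI (the case where the certificate/IP fallbacks apply)."""
    try:
        if record[0] != 0x16:                                            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:                           # truncated or not ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                                     # skip version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                                                  # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                                       # not server_name
                continue
            list_len = struct.unpack("!H", ext[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                name = ext[p:p + name_len]
                p += name_len
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def classify_flow(client_hello, cert_hostname=None, server_ip="0.0.0.0"):
    """Identify an HTTPS flow in the order described in the post: SNI first,
    then the hostname from the server certificate, then the server IP.
    Returns (method, identifier); cert_hostname and server_ip are assumed to
    have been gathered from the same connection by the caller."""
    sni = extract_sni(client_hello)
    if sni:
        return ("sni", sni)
    if cert_hostname:
        return ("certificate", cert_hostname)
    return ("ip", str(ip_address(server_ip)))


if __name__ == "__main__":
    hello = build_client_hello("www.xyzsampledomain.com")
    print(classify_flow(hello, cert_hostname="www.xyzsampledomain.com", server_ip="203.0.113.10"))
    print(classify_flow(build_client_hello(None), cert_hostname=None, server_ip="203.0.113.10"))
```

extract_sni returns None for truncated records, non-handshake records and ClientHellos without an SNI extension, which is exactly where the certificate and IP tiers take over. With ESNI/ECH (mentioned later in the thread) the name is encrypted, so the same parser returns None for those flows too and the router is left with the weaker tiers.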
 

blackice

Level 14
Verified
> There are plenty of ways they can process HTTPS traffic for identification. Also, since they have application layer protection available, you can be pretty assured they are using something similar to the following methods. None of these require MiTM or cert installation on local devices:
>
> - Process HTTPS traffic by SNI (Server Name Indication): HTTPS traffic will be categorized using the "Server Name Indication" in the HTTPS data stream.
> - Process HTTPS traffic by hostname in the server certificate when SNI information is not present.
> - Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available.

So I tested this out this morning. It is definitely filtering by the DNS. I enabled DoH on Firefox and blocked a test site for my user account. The site was blocked in every browser except for Firefox. So they will have to make a change if they want to adapt to this.
 

notabot

Level 15
> So I tested this out this morning. It is definitely filtering by the DNS. I enabled DoH on Firefox and blocked a test site for my user account. The site was blocked in every browser except for Firefox. So they will have to make a change if they want to adapt to this.

Thanks for this. I'd intuitively expect it to be more expensive to filter the domain during the TLS handshake (I think that's the SNI that @Slyguy references in his post), so they resorted to filtering domains via DNS, which is fine when DoH is not used, but now DoH will be widely available and lots of us will want to use it for privacy reasons.

I guess this implies either a need for a ramp up in the capabilities of home security routers, or moving the responsibility for this towards endpoints (where it can be done without certificate interception; this is just blocking domains, not scanning the body of http traffic). The trouble with doing it (exclusively) at endpoint level is all these IoT devices for which there's no endpoint protection.

I'd view the other two methods @Slyguy mentioned as not so good for filtering at router level:

> Process HTTPS traffic by hostname in the server certificate when SNI information is not present.

A malware site running on AWS could just show the amazon.com certificate and the router wouldn't be able to tell. The endpoint browser will reject it (as the malware endpoint won't be amazon.com), but this traffic could well be coming from a trojan which uses a certificate purely as a decoy; with this info in isolation the router can't reject anything.

> Process HTTPS traffic by server IP if both SNI and certificate hostname information are not available.

This is always possible as the IP one connects to is visible, but the trouble is that these days typically a single IP hosts multiple domains and vice versa. This is essentially just an IP-level firewall, and while it's great to have, it's not equivalent to web filtering.

Perhaps the market of secure DNS servers that support DoH will grow, and filtering will be done at the paid-for secure DoH servers. That's a service I wouldn't mind paying for as a consumer, provided the service provider does not sell the data.
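The bypass blackice measured (blocked in every browser except Firefox with DoH on) and the router-side options weighed above can be modelled in a few lines. This added Python example is not Gryphon's code or anything posted in the thread: it parses a plaintext DNS query on UDP/53 to apply a domain blocklist, then shows that the same name carried inside DoH on TCP/443 is invisible to that filter, leaving the router only the resolver's hostname from the TLS SNI. The blocklist, the DoH resolver hostnames, the flow dictionaries and the `refuse_doh` policy switch are constructed for the example; the two resolver names are real public DoH endpoints used here only as sample entries.

```python
import struct


def build_dns_query(qname, txid=0x1234):
    """Construct a plaintext DNS A query in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)          # standard query, RD set, QDCOUNT 1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)         # QTYPE A, QCLASS IN


def parse_qname(payload):
    """Return the first question's QNAME from a DNS message, or None if malformed."""
    try:
        qdcount = struct.unpack("!H", payload[4:6])[0]
        if qdcount == 0:
            return None
        pos, labels = 12, []                                             # questions start after the 12-byte header
        while True:
            length = payload[pos]
            if length == 0:
                break
            if length & 0xC0:                                            # compression pointers do not belong in a question
                return None
            pos += 1
            label = payload[pos:pos + length]
            if len(label) != length:                                     # truncated label
                return None
            labels.append(label.decode("ascii"))
            pos += length
        return ".".join(labels).lower()
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed policy data for the example.
BLOCKLIST = {"xyzsampledomain.com"}
KNOWN_DOH_RESOLVERS = {"mozilla.cloudflare-dns.com", "dns.google"}


def router_decision(flow, blocklist=BLOCKLIST, doh_resolvers=KNOWN_DOH_RESOLVERS, refuse_doh=False):
    """Decide what a DNS-filtering router can do with one outbound flow.

    flow is a dict with 'proto' and 'dport', plus 'payload' for plaintext DNS
    or 'sni' (the server name from the TLS ClientHello) for HTTPS/DoH flows.
    Returns (action, identifier)."""
    if flow["proto"] == "udp" and flow["dport"] == 53:
        qname = parse_qname(flow["payload"])
        if qname is None:
            return ("drop", "malformed-dns")
        if qname in blocklist or any(qname.endswith("." + d) for d in blocklist):
            return ("block", qname)
        return ("allow", qname)
    if flow["proto"] == "tcp" and flow["dport"] == 443:
        sni = flow.get("sni")
        # A hypothetical mitigation: refuse connections to known public DoH resolvers
        # so clients that are set to fall back return to the router's own DNS.
        if refuse_doh and sni in doh_resolvers:
            return ("block", sni)
        # The queried name travels inside the encrypted HTTPS body; the domain
        # blocklist cannot be applied here, which is the bypass observed in the thread.
        return ("allow", sni)
    return ("allow", None)


if __name__ == "__main__":
    plain = {"proto": "udp", "dport": 53, "payload": build_dns_query("www.xyzsampledomain.com")}
    doh = {"proto": "tcp", "dport": 443, "sni": "mozilla.cloudflare-dns.com"}
    print(router_decision(plain))                    # blocked via plaintext DNS
    print(router_decision(doh))                      # allowed: name hidden inside DoH
    print(router_decision(doh, refuse_doh=True))     # blocked by resolver policy
```

Blocking or redirecting the public DoH resolvers is the blunt router-side fix: a browser that cannot reach its DoH endpoint and is configured to fall back uses the router's DNS again, where the filter works. For Firefox's default-on DoH rollout there is also the canary domain use-application-dns.net; when the network's resolver answers NXDOMAIN for it, Firefox leaves DoH off. That check does not apply when a user has turned DoH on explicitly, as in blackice's test.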
 

blackice

Level 14
Verified
> Perhaps the market of secure DNS servers that support DoH will grow, and filtering will be done at the paid-for secure DoH servers. That's a service I wouldn't mind paying for as a consumer, provided the service provider does not sell the data.

Cleanbrowsing has had good results in malware filtering tests and supports secure DNS. They also have parental filter options, a little more of a pain than using a router, though. Also, keeping devices on the DNS you want isn't going to work with teens.
 

notabot

Level 15
Actually, DoH combined with ESNI will essentially cancel web filtering at router level, and it will likely move exclusively to endpoint level. Of course routers will always be able to filter IPs, but the secure home router market will need to go through major product changes in the coming years.
 

r32mj

New Member
First time poster here, so please forgive the stupid question.

I have a simple home network with three PCs and just bought a Synology NAS DS918+. My main concern is security since I've been reading about these ransomware attacks, which scare me.

+How does this Gryphon compare to the Synology routers (RT2600ac or MR2200AC)?

+Is it better to have a Synology router since I also have a Synology NAS or better to have two diff manufacturers to diversify my protection?

+If I get the Gryphon or the Synology router, do I also need a separate firewall unit for the house and antivirus suite for my PC?


Many thanks.
 

blackice

Level 14
Verified
> What if the vendor gets bankrupt or ceases to exist? Very likely the domains in use will get shut down.
> - Will the configuration via the app then still work?
> - Will the added security features then still work?
Most likely the ESET detection engine would stop being updated and the app would stop working eventually when they stopped paying for the backend infrastructure. Worst case you buy a new router. The business seems to be going well as they launched a second product, their website is improving, and they continue to get new product reviews on Amazon.

My bigger concern is their filter relies on DNS filtering. With the advent of all browsers starting to offer DNS over HTTPS, and Microsoft preparing to build the functionality for DoH in Windows 10, the days of that being an effective solution are numbered. I asked them if they had a plan for that and they said their engineers are working on a solution. For now DoH and DoT completely bypass the filter.
 

Slyguy

Level 43
Gryphon Guardian looks to be slightly delayed. Apparently there are still a few software bugs to work out, according to the email I got from them.

No worries for me, I don't really NEED a Guardian, I just bought it to play around with it and to see if it can extend my network to my garage.
 

blackice

Level 14
Verified
> Slyguy is young and vibrant.
>
> MT is starting to crumble with his reduced participation...
> Back on topic.
>
> Gryphon Guardian will.... uh... be great.
>
> That is all.

Forums are going the way of... well, something. Unless you're on Reddit yelling into the void, none of these kids have time for forums. It's not stimulating enough. Oh God, I sound like my father used to!

Still love the gryphon, by the way.