by organsnyder 2878 days ago
Due to SSL, it wouldn't be easy: you'd need to have SSL certs for some google.com subdomains, and they'd need to be trusted by every device. Blocking the traffic is much easier.

You're right that you'd need to trust the certificates on each machine, but really, you only need to trust a single CA on each device. With an SSL-replacing proxy you create and give control of a CA certificate and key to the proxy and set it between your computer and the network. It replaces the certificate of any site (or some small subset, if you want to specifically target) with its own on the fly. Then it can inspect and manipulate the contents of that communication. If the machine trusts the CA, and the CA trusts the certificate (because it replaced and signed the cert itself... so not so much trust, but... you get the idea. You could probably limit it to certs signed by a CA known to your browsers), the machines would trust the certificates.

Enforcing use of the proxy could even be automatic if your router supports it. E.g., LEDE can redirect all traffic outbound to WAN on 443 through a specific endpoint (your MITM proxy or pi-hole or whatever).

It might be problematic for guests who have never seen the CA before, but that's what guest networks are for, I guess.

I've seen this technique used by some large multinational and security-sensitive companies to help monitor data egress from their networks. Probably via some overly-expensive software, but the software doesn't have to be expensive. They tend to have better automation systems than your typical home user, though.

However, for a small network, it's fairly straightforward to get a CA certificate onto each device. If it's you or a few people on individual machines, you can add it manually in less than a minute on each. Or for the larger case there are automation tools.

One such open source project for an SSL replacing proxy:

https://mitmproxy.org/

> Write powerful addons and script mitmproxy with mitmdump. The scripting API offers full control over mitmproxy and makes it possible to automatically modify messages, redirect traffic, visualize messages, or implement custom commands

I'm sure there's a way to make this live side-by-side with pi-hole or something similar, but I unfortunately have other things on my plate... Would make an interesting weekend project someday, though.
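The egress-monitoring use of mitmproxy's scripting API that the reply describes, as an added example that is not from this thread or from the mitmproxy project: a passive addon that only observes requests passing through the proxy and alerts on large (or cumulatively large) uploads to hosts outside an allowlist. The allowlist, thresholds and the `observe` helper are constructed assumptions; the `request` hook and `flow.request` attributes are mitmproxy's own.

```python
import logging
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy values; tune them for your own network.
ALLOWED_UPLOAD_HOSTS = {"backup.example.internal"}   # uploads here are never flagged
MAX_SILENT_UPLOAD_BYTES = 64 * 1024                   # one request body above this is flagged
MAX_SILENT_SESSION_BYTES = 80 * 1024                  # total per host over the session
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}


@dataclass
class EgressAlert:
    host: str
    method: str
    path: str
    size: int
    reason: str


class EgressMonitor:
    """mitmproxy addon: run with `mitmdump -s egress_monitor.py`.

    It never modifies request or response content; it only records and logs
    uploads that exceed the policy thresholds.
    """

    def __init__(self) -> None:
        self.alerts: List[EgressAlert] = []
        self.bytes_by_host: Dict[str, int] = {}

    def observe(self, host: str, method: str, path: str, body: bytes) -> Optional[EgressAlert]:
        """Policy check kept separate from mitmproxy so it can be exercised without a proxy."""
        if method not in UPLOAD_METHODS or host in ALLOWED_UPLOAD_HOSTS:
            return None
        size = len(body)
        total = self.bytes_by_host.get(host, 0) + size
        self.bytes_by_host[host] = total
        if size > MAX_SILENT_UPLOAD_BYTES:
            alert = EgressAlert(host, method, path, size, "large upload")
        elif total > MAX_SILENT_SESSION_BYTES:
            alert = EgressAlert(host, method, path, size, "cumulative upload volume")
        else:
            return None
        self.alerts.append(alert)
        logging.warning("egress alert: %s %s%s (%d bytes, %d total): %s",
                        alert.method, alert.host, alert.path, alert.size, total, alert.reason)
        return alert

    def request(self, flow) -> None:
        """mitmproxy calls this hook once per client request."""
        req = flow.request
        self.observe(req.pretty_host, req.method, req.path, req.content or b"")


addons = [EgressMonitor()]
```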