Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schools, Filtering Companies Blocking Google SSL

Posted by kdawson on from the right-to-look-over-your-shoulder dept.

An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."

5 of 308 comments (clear)

  1. Re:Old news by Zan+Lynx · · Score: 4, Informative

    There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

    There may also be legal issues with it, but I don't know about those.

    It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.

  2. Re:In the U.S. It's your employer/school's. by dward90 · · Score: 4, Informative

    If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.

    --
    My other sig is clever.
  3. The alternative being? by kenh · · Score: 4, Informative

    I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can jstify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.

    SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).

    Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

    --
    Ken
  4. Re:Not your home network? No right to complain by pthreadunixman · · Score: 5, Informative

    On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in anyway that would otherwise normally be allowed. This applies equally to staff, faculty and students.

  5. Re:The block will be a block for 15 minutes by maccodemonkey · · Score: 4, Informative

    I was on an IT staff that used the nuclear option to take care of issues like this. A white list.