Schools, Filtering Companies Blocking Google SSL

An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."

Old news

[slimjim8094]

SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.

And the nature of SSL is it's pretty much all-or-none.

Re:Old news

[Zan+Lynx]

There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

There may also be legal issues with it, but I don't know about those.

It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.

Re:Old news

[Anubis350]

*used* to be simple. Now, with wireless prevalent, and employees own devices on the network... I'm spending the summer working at a DOE lab, and the wireless network allows google SSL (at least gmail and gcal) traffic. everything *does* go through a proxy, but without control of my laptop they wouldnt be able to sign duplicate certs and pass them along like they theoretically would with my lab-provided workstation.

Re:Old news

[grcumb]

There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

Well, here's a slightly less costly alternative, then:

Stand where you can see the student's screens.

*sigh* When did morals and ethical behaviour become a technological problem?

Re:Old news

[jallen02]

Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.

Re:Old news

[Eil]

And the nature of SSL is it's pretty much all-or-none.

The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.

The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.

Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.

Re:Old news

[Eil]

My kingdom for mod points. This is exactly true and is the single biggest vulnerability of SSL.

Every web browser trusts hundreds of root certificates. Most of them are entities that I've never heard of or wouldn't necessarily *want* to trust anyway. (HongKong Post, anyone?) Any of these CAs can effortlessly forge an SSL certificate for any site on the web. I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

Re:Old news

[0123456]

I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

To prove that you just need to provide a single example of a fake certificate used by a government. Which no-one has so far; the only examples I know of were stupid CAs who'd sign any old crap rather than crooked CAs.

The simple fix, as others have pointed out before, is that any web browser should warn the user if the site certificate changes. Then you're at least safe at any site you've visited before.

Re:Old news

[locofungus]

If you use self signed certificates (or a CA that isn't in the browser) and Firefox 2 (or Konqueror etc) then you can usually detect this attack by not adding the CA to your browser and only accepting the certificate for the session.

As soon as the warning disappears when you visit the site you know someone is implementing a MITM attack.

Unfortunately, Firefox 3 forces you to add the certificate to the browser so you cannot detect a MITM attack that replaces the certificate with another one that the browser also accepts.

There's no way for an attacker to reliably attack self signed certs because they cannot tell if a particular browser is expecting a "valid" certificate or an "invalid" one for any particular user.

Tim.

In the U.S. It's your employer/school's.

[Anonymous+Freak]

The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities?

Uh... Yes, a company perfectly has that right. No, if you are using an employer/school-provided connection, you have no rights outside the conditions of access you agreed to when you accepted employment/enrollment. (As it relates to internet access, anyway.)

If you want "Free with a capital F" access, you need to get it yourself, not assume that someone else is going to provide it for you.

Re:In the U.S. It's your employer/school's.

[dward90]

If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.

Re:In the U.S. It's your employer/school's.

[Anonymous+Freak]

And that doesn't mean you were allowed to do it, though.

If you don't like it, DON'T AGREE TO IT! Don't be all stupid anonymous (yes, the irony is thick,) about it. Flat out refuse to sign it. Tell them that they changed the contract on you, and you demand a refund, or you demand that they not enforce the agreement on you. It's that simple.

People who cry "FREEDOM!" from anonymous forums, while using the mantle of freedom as an excuse to do illegal things are just whiny spoiled brats. If you actually want to make a real statement, make it. Don't agree to stuff you dislike, then anonymously break it. That's just stupidity and arrogance. (And, yes, I know of which I speak; I have been fired from a job for making public information that WAS public, but which the company declared after the fact should not have been; combined with PUBLICLY standing up to the leadership of the company for their inanity and impropriety.)

Snooping?

[Ethanol-fueled]

The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data

It's not about snooping as much as it is about being able to bypass the filtering function. The fact that a student could use the secure search to access www.porn.com[NSFW!] does not mean that the sysadmin is watching their every move online.

Freedom of the press belongs to the owner...

[LostCluster]

It's their computers and their networks, so they can do whatever they want. Still, if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services. Teachers like to call that "natural consequences...

Re:Freedom of the press belongs to the owner...

[TheLink]

> It's their computers and their networks, so they can do whatever they want

Funny how that's not true when it comes to landlords and tenants. In some countries it's even not true when it comes to landlords and squatters. Even squatters have rights.

I suspect there was some history in getting those protections.

The landlords in the "IT world" want their stuff to be legally treated like property but not too much like property ;).

They're doing it wrong

[illumin8]

I hate to tell these schools how to turn into a police state, but if they really want to monitor Google SSL traffic, this is the right way to do it:

1. Install a trusted root certificate in all client browsers (they do control their client computers, right?)
2. Man in the middle all SSL traffic through a transparent proxy, which masquerades as Google SSL traffic and redirects from https://www.google.com/ to http://www.google.com./

Don't just block all SSL traffic. If you truly have a legitimate reason to monitor users search queries and application traffic, then you already control their client PCs (right?) and can do this in a semi-legitimate way. If not, don't bother blocking it because your users will be up in arms with pitchforks and torches.

The block will be a block for 15 minutes

[Wolvenhaven]

I graduated from highschool in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in a about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

Re:The block will be a block for 15 minutes

[MobileTatsu-NJG]

I graduated from highschool in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in a about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

All I could think while reading this is "wow, all those students learned a lot about how networks work!"

Re:The block will be a block for 15 minutes

[maccodemonkey]

I was on an IT staff that used the nuclear option to take care of issues like this. A white list.

Exactly.

As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.

This whole article is just the rantings of an idiot who thinks they know more than they do.

CIPA

In the US all schools receiving E-Rate funds (federal funding for electronics and communications) are required to follow CIPA guidelines for filtering and monitoring student traffic. So, making Google Search SSL pretty much makes that impossible meaning we have to block it. I am grateful that Google is creating a workaround since we are about to migrate to Google Apps ourselves.

Not your home network? No right to complain

[adosch]

I've never understood or comprehended, for that matter, why people/employees/students, ect. think they have rights on a controlled government or educational internet-enabled network. Quite honestly, if you're doing things like online purchases, bill paying, senseless surfing, looking at soft-porn, chatting, facebooking, tweeting, ect. at school or work on a fairly regular basis several times a day, and you somehow are pissed because your rights are infringed? You're delusional and should go read your network agreement policy again. If you, as an employee or student, are that security conscious of your local big brother system administrator being told to troll logs and give web reports to upper management, then use good common sense. People shouldn't be using these networks for anything other than business as usual IMHO. Anything else, is just subject to interpretation against you. This isn't new people, it's the way shit works now.

As a system administrator, I deal with these same dilemmas on a daily basis and all I have to say is: Yes, I have an easier way to get away with things like this, however, I'm still held just as accountable as Joe Typist down the cube row. Everyone knows about ethics and morals just as much as they know absolutely every thing you do on a digital device these days is logged, recorded and stored somewhere. So keep your personal business... at home unless it's absolute emergency, your cable bill is past due or you flat don't give a shit.

Re:Don't write it during school hours

[Archades54]

Sadly people misunderstand how extremely important it is to have fun at school, to excercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get a long with people etc.

The alternative being?

[kenh]

I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can jstify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.

SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).

Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

Re:Not your home network? No right to complain

[pthreadunixman]

On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in anyway that would otherwise normally be allowed. This applies equally to staff, faculty and students.

Open access in school's doesn't work

[Fone626]

I was the tech director of a school district for 13 years. I've run schools with very restrictive Internet filters and everything in between to schools with no restrictions at all. What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with. Our schools consisted of about 75% to 100% of the classes,depending on the school, being delivered though distance learning courses. If you give the kids open access to the Internet 90% of the kids will just chat, play games and watch non educational videos all day every day. They get away with this by leaving a window with their school work up and when the teachers comes to check on them they bring it to front, or by making the offending browser window very very small, so that you can't tell without looking very closely that they aren't doing your work. Left unchecked, at the end of the year, 90% of the students would need to be held back a grade. A couple of side effects of kids that aren't on task is they tend to have very bad classroom behavior that disturbs the students that are trying to stay on task, and most of the time wasters the kids like to use are also HUGE bandwidth hogs, so you end up having to buy 10X the Internet connection that you actually need for the school to function, which only deprives the school of much needed funds that could better be spend on something else.

The extreme other side of the coin, and the way the school is currently running is to completely block the Internet except for a select few websites that the school needs for their distance learning courses. There are some "research" or "library" computers that the kids need special permission to use when they need to look things up for papers and such. By blocking everything, the grade average of the entire schools district has shot up to record highs, and the classrooms are a lot more quiet and easier to control.
When it comes down to it, schools are a closed environment that is specially designed for education. When you introduce distractions into that environment that level of education that the kids are getting goes down significantly. It's not a matter of free speech or the school snooping in on private things, it's a matter of making sure that your kids get a certain level of education.
As for using school computers for personal activities and the school snooping in on them... you weren't supposed to use the computers for personal activities at all. Everyone, teachers and students alike, sign off on the school's computer use policy at the beginning of every year, and I don't know of a school that doesn't require one in some form. We didn't give the teachers computers so that they could maintain contact with their family while they were supposed to be working, and we didn't give the students computers so that they could keep in touch with all their friends on facebook. To argue that it is violating their rights not to be given unfettered Internet access would be like arguing that the school should provide every student with a cell phone so that they could keep in touch with their family and perhaps call people for help on research for papers... even if you could figure out a good reason to give students a cell phone, it would ultimately be a complete flop and a total distraction for an education environment.

In a traditional school, the students time on a school provided computer would be a lot less and therefore a lot less of noticeable
on their overall grades, but the problems are still there.

All that being said, I am completely against any kind of censorship when it comes to my personal Internet, or anyone else's personal Internet, but when you get into a school/business environment, it's no longer YOUR Internet and the owners of the Internet connection can do with it what they like... you have to remember, they don't HAVE to give Internet access at all, and whining that they are blocking access to things that are not in keeping with the task at hand... well maybe you should think about what you are saying before you start whining. After all, you are probably 1 step away from being expelled/fired, and the block is their way protecting you from yourself.

Re:Purpose of banning the content?

[phorm]

So what is the purpose? Just to protect the schools from legal liability and lambasting
by the prude faction?

That's pretty much it, yes. I've worked in SD's and I've seen some things that - IMHO - might seem like a lack of common sense to people with a technical acumen, however to many technology is still very much a boogeyman. For smartphones, I don't see *too* many kids with the high-end ones yet, most are just used for texting and possibly a bit of facebook.

But a few stories. Years ago, some students found the semi-nude/nude section of deviantart. It's well labelled, so not somewhere you'd stray by accident. Solution given: block all of DA. I protested by was overruled, and thus DA was blocked. In any non-IT instance, say if it was a kid bringing racy mags to school, the solution would be to deal with the kid, except nowadays that doesn't seem to be a viable option as the parents complain if little junior gets suspended or given detentions. Usually the parents that complain the loudest are - surprise - the ones with the more ill-behaved children.

In another case, we had an instructor bring up the whole facebook thing. It's blocked, but as always there's a gazillion ways to get around filters and in the arms race of tech, kids have less experience but time and numbers are on their side. We had discussed *why* the sites were blocked. The answer, cyber-bullying and privacy. Junior might snap an embarrassing picture in the boy's washroom and upload it to facebook. Again, WTF. First of all, junior is probably going to - as the parent mentioned - do so with a smartphone and upload the damn thing over the CELLULAR network, which we have 0% control of. IMHO again, the logical solution is to deal with the "Juniors" of the world, but to non-technical people computers - in addition to being a boogyman - are made up of 50% magic and if you sacrifice the right chicken and do the right chant, you can do anything with them! I'd expect that many people expect us to work in secret labs with holograms and touch-panel transparent screens like in Iron Man or a sci-fi movie.

The faction of parents (and educators) who have a thin grasp on technology is a greater percentage than those who do. Granted, this is changing as one generation ages and replaces another, but for now policy will reflect the whims of the majority, no matter how little it seems to make sense in a technical sense. Think about the last time you helped a less-technical relative work on his/her computer, and then try to imagine that those type of people still represent the majority of the population in terms of technical understanding (and fear). Overally, perhaps that's not a bad thing. Given the number of armchair engineers and professors here on slashdot, if the world were populated by geeks we'd have a few hundred "solutions" to every issue.

Re:Purpose of banning the content?

[FireFury03]

Full disclosure: I am involved with Opendium who produce web content filtering software for schools.

OK, so what about the student with the 3G iPad?

Sure, you can't prevent pupils from accessing questionable content on their own internet connections. But that isn't such a big problem.

Kids need *an* internet connection for their education - the school provides this and implements filters to ensure that this internet connection is "safe" (we'll come onto "safe" later). If pupils have their own equipment then the school need to police it's use manually; but they can be much more draconian with the way they handle it - if a pupil is caught surfing porn on their 3G iPad then the school can just plain confiscate it and inform the parents. The pupil does not *need* that equipment for their education - if they abuse the privilege of having their own equipment then they forfeit it and have use the school's equipment instead.

Also, importantly from a PR perspective, if this is happening on the pupil's own equipment and connection then it won't be seen as the school's fault (it is more like the kid going to the corner shop and buying Playboy - hardly something the school can prevent, although they would probably confiscate the magazine if they saw it); whereas if kids are actively surfing porn on the school's equipment/connection then the school is seen by many to be failing in their duty of care. Silly, I know, but I have seen schools getting some seriously bad PR from the tabloids because little Johnny got at dodgy websites through the school's computers - remember that news papers don't care about news these days, they are more interested in a sensationalist story with a definite villain in it.

As for what is "safe", filtering is basically about 3 things:

1. Stopping people accidentally stumbling across content they really don't want to see (this is a big deal for protecting the younger age groups
2. Stopping people getting to questionable content they want to see (could be porn, info on how to set up a drugs lab, electronic bullying of some poor sucker in the class, etc.)
3. Stopping people getting distracted (surfing facebook in lessons instead of paying attention to the teacher is of no educational value)

Different schools have different attitudes to how strict they want to be. Something my customers often find very useful to help deal with distractions is the ability to set certain websites, such as facebook, games, etc. to be off-limits during lesson times but allowed during breaks - this seems like a very fair balance to me. Another thing quite common amongst my customers is to use more relaxed controls for older kids since there are websites the older kids may legitimately want to see (e.g. sexual health sites, etc.) that you wouldn't want the younger kids to stumble across.

Something that I've noticed amongst people commenting on these subjects on the internet is that they frequently fall into one of two camps:

1. All filtering is evil, no school should take away a 6 year old's god given right to watch 2g1c and thus anyone involved in writing filtering software is also evil.
2. There is absolutely no need to filter search results because you can just filter the actual site when the user tries to go there.

To address (1) first - I am usually the last person to promote censorship, but I do believe that schools have a responsibility to protect kids from the content on the internet. Most parents seem to agree. If you, as a parent, disagree with this then you are free to let your child have free reign on the internet from home; just don't expect this to happen on school equipment. As someone involved in writing filtering software, I certainly don't see myself as "evil" - I don't set policies on what gets filtered, I simply provide the tools to allow those in charge to do what they believe is the responsible thing. Note that I am only saying that censorship