Schools, Filtering Companies Blocking Google SSL

← Back to Stories (view on slashdot.org)

Schools, Filtering Companies Blocking Google SSL

Posted by kdawson on Monday June 21, 2010 @01:49PM from the right-to-look-over-your-shoulder dept.

An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."

14 of 308 comments (clear)

Min score:

Reason:

Sort:

Old news by slimjim8094 · 2010-06-21 13:56 · Score: 4, Insightful

SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.
And the nature of SSL is it's pretty much all-or-none.

--
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
1. Re:Old news by Zan+Lynx · 2010-06-21 13:59 · Score: 4, Informative
  
  There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
  There may also be legal issues with it, but I don't know about those.
  It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.
2. Re:Old news by grcumb · 2010-06-21 14:30 · Score: 4, Insightful
  
  There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
  Well, here's a slightly less costly alternative, then:
  Stand where you can see the student's screens.
  *sigh* When did morals and ethical behaviour become a technological problem?
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
3. Re:Old news by jallen02 · 2010-06-21 14:35 · Score: 4, Insightful
  
  Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.
4. Re:Old news by Eil · 2010-06-21 15:03 · Score: 5, Interesting
  
  And the nature of SSL is it's pretty much all-or-none.
  The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.
  The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.
  Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.
Freedom of the press belongs to the owner... by LostCluster · 2010-06-21 13:59 · Score: 4, Insightful

It's their computers and their networks, so they can do whatever they want. Still, if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services. Teachers like to call that "natural consequences...
1. Re:Freedom of the press belongs to the owner... by TheLink · 2010-06-21 14:21 · Score: 4, Insightful
  
  > It's their computers and their networks, so they can do whatever they want
  
  Funny how that's not true when it comes to landlords and tenants. In some countries it's even not true when it comes to landlords and squatters. Even squatters have rights.
  
  I suspect there was some history in getting those protections.
  
  The landlords in the "IT world" want their stuff to be legally treated like property but not too much like property ;).
  --
  
  Too many replies beneath your current threshold
The block will be a block for 15 minutes by Wolvenhaven · 2010-06-21 14:05 · Score: 5, Interesting

I graduated from highschool in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in a about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

--
Orwell was an optimist.
1. Re:The block will be a block for 15 minutes by maccodemonkey · 2010-06-21 18:25 · Score: 4, Informative
  
  I was on an IT staff that used the nuclear option to take care of issues like this. A white list.
Exactly. by Anonymous Coward · 2010-06-21 14:16 · Score: 4, Interesting

As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.
This whole article is just the rantings of an idiot who thinks they know more than they do.
Re:In the U.S. It's your employer/school's. by dward90 · 2010-06-21 14:17 · Score: 4, Informative

If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.

--
My other sig is clever.
The alternative being? by kenh · 2010-06-21 14:55 · Score: 4, Informative

I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can jstify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.
SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).
Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

--
Ken
Re:Not your home network? No right to complain by pthreadunixman · 2010-06-21 14:57 · Score: 5, Informative

On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in anyway that would otherwise normally be allowed. This applies equally to staff, faculty and students.
Open access in school's doesn't work by Fone626 · 2010-06-21 15:23 · Score: 5, Insightful

I was the tech director of a school district for 13 years. I've run schools with very restrictive Internet filters and everything in between to schools with no restrictions at all. What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with. Our schools consisted of about 75% to 100% of the classes,depending on the school, being delivered though distance learning courses. If you give the kids open access to the Internet 90% of the kids will just chat, play games and watch non educational videos all day every day. They get away with this by leaving a window with their school work up and when the teachers comes to check on them they bring it to front, or by making the offending browser window very very small, so that you can't tell without looking very closely that they aren't doing your work. Left unchecked, at the end of the year, 90% of the students would need to be held back a grade. A couple of side effects of kids that aren't on task is they tend to have very bad classroom behavior that disturbs the students that are trying to stay on task, and most of the time wasters the kids like to use are also HUGE bandwidth hogs, so you end up having to buy 10X the Internet connection that you actually need for the school to function, which only deprives the school of much needed funds that could better be spend on something else.
The extreme other side of the coin, and the way the school is currently running is to completely block the Internet except for a select few websites that the school needs for their distance learning courses. There are some "research" or "library" computers that the kids need special permission to use when they need to look things up for papers and such. By blocking everything, the grade average of the entire schools district has shot up to record highs, and the classrooms are a lot more quiet and easier to control.
When it comes down to it, schools are a closed environment that is specially designed for education. When you introduce distractions into that environment that level of education that the kids are getting goes down significantly. It's not a matter of free speech or the school snooping in on private things, it's a matter of making sure that your kids get a certain level of education.
As for using school computers for personal activities and the school snooping in on them... you weren't supposed to use the computers for personal activities at all. Everyone, teachers and students alike, sign off on the school's computer use policy at the beginning of every year, and I don't know of a school that doesn't require one in some form. We didn't give the teachers computers so that they could maintain contact with their family while they were supposed to be working, and we didn't give the students computers so that they could keep in touch with all their friends on facebook. To argue that it is violating their rights not to be given unfettered Internet access would be like arguing that the school should provide every student with a cell phone so that they could keep in touch with their family and perhaps call people for help on research for papers... even if you could figure out a good reason to give students a cell phone, it would ultimately be a complete flop and a total distraction for an education environment.
In a traditional school, the students time on a school provided computer would be a lot less and therefore a lot less of noticeable
on their overall grades, but the problems are still there.
All that being said, I am completely against any kind of censorship when it comes to my personal Internet, or anyone else's personal Internet, but when you get into a school/business environment, it's no longer YOUR Internet and the owners of the Internet connection can do with it what they like... you have to remember, they don't HAVE to give Internet access at all, and whining that they are blocking access to things that are not in keeping with the task at hand... well maybe you should think about what you are saying before you start whining. After all, you are probably 1 step away from being expelled/fired, and the block is their way protecting you from yourself.