Schools, Filtering Companies Blocking Google SSL
An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."
Old news (Score:5, Insightful)
SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.
And the nature of SSL is it's pretty much all-or-none.
Re:Old news (Score:5, Informative)
There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
There may also be legal issues with it, but I don't know about those.
It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.
Re:Old news (Score:5, Insightful)
Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.
Re:Old news (Score:4, Interesting)
My kingdom for mod points. This is exactly true and is the single biggest vulnerability of SSL.
Every web browser trusts hundreds of root certificates. Most of them are entities that I've never heard of or wouldn't necessarily *want* to trust anyway. (HongKong Post, anyone?) Any of these CAs can effortlessly forge an SSL certificate for any site on the web. I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.
Re:Old news (Score:4, Interesting)
I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.
To prove that you just need to provide a single example of a fake certificate used by a government. Which no-one has so far; the only examples I know of were stupid CAs who'd sign any old crap rather than crooked CAs.
The simple fix, as others have pointed out before, is that any web browser should warn the user if the site certificate changes. Then you're at least safe at any site you've visited before.
Re: (Score:2)
Um.. no. This has never been documented happening. Not once.
Re: (Score:2)
It's not transparent, it's just not obvious. If they have that capability, exposing it by MitM-ing SSL connections at one of their own facilities (one low-security enough to have a wireless network) would be stupid, since the likelihood of it being discovered and disclosed is high.
Re: (Score:2)
It doesn't sound quite that sinister. Quoting from your link:
You should follow these steps only, if you get a security warning message upon viewing Jacobs University's web services.
Sounds like they're doing what my college did, and what a lot of other schools do - issue self-signed certs for their webmail server. (Or use the wrong cert on the wrong server, or get one for their intranet domain only, or any other number of stupid things you can do with SSL certs.)
Re:Old news (Score:5, Insightful)
Well, here's a slightly less costly alternative, then:
Stand where you can see the student's screens.
*sigh* When did morals and ethical behaviour become a technological problem?
Re: (Score:2)
Yeah...200+ students on a single (small) campus. Let's see how much does it cost for a system to send screen shots over to a single office with someone hired to "stand behind" the students and watch them?
Or do you mean physically? You want to have the teacher stand behind their students watching them or teach the class? Yes these two things are often mutually exclusive.
Re: (Score:3, Informative)
There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
Doing MITM attacks on SSL sessions where you control the browser is trivial - you just import a new trusted root cert into the browser and have a proxy decrypt the SSL session and re-encrypt it using a certificate signed by the newly trusted cert.
There may also be legal issues with it, but I don't know about those.
I run a company producing filtering software for schools and we absolutely refuse to do these sorts of MITM attacks because we believe that there are serious legal issues. If someone's bank account, credit card, etc. gets compromised because a school is running MI
Re: (Score:3, Interesting)
Full disclosure: I am involved with Opendium [opendium.com] who produce web content filtering software for schools.
The content filters are the ones being paid to deliver a service and the burden of cooperation should be placed on them.
I'm not sure what you mean by this.
With the introduction of Google Search over SSL, the content filter maintainers were faced with a choice: allow unfiltered searches (which essentially defeats the purpose of the content filters), or block google apps. There is no middle ground - there is no magic technological solution to make it all work. Most of the schools seem to consider unfiltered searches to be unac
Re: (Score:3, Interesting)
2) You are a school that uses an SSL filtering system to limit what students can and can't get to.
You don't mean "SSL filtering system" - you mean "web filtering system". The point of this article is that, up until the SSL search was introduced, filtering systems worked just fine since the search requests were in the clear and therefore filterable with a suitable proxy server (no SSL involved). Since the introduction of the SSL search, there is a requirement to block SSL access to Google in order to maintain the existing (non-SSL) filtering functionality.
Google releases a service that for the VAST majority of its customers increases privacy and security
It does? I imagine the VAST majority of Google
Re: (Score:2)
Except, that is not true. There are commercial proxies that make it very easy to own users that are using SSL. It just costs money. All the IT administrators have to do is install the proxy's certificate authority cert in the list of trusted certificates and transparent man in the middle can be done with ease and the user will never be the wiser. The tools to do this can be developed by anyone with a little knowledge of SSL and some time, as well. This is a major fallacy. It is only difficult for organizati
Re:Old news (Score:5, Interesting)
The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.
The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.
Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.
Re: (Score:2)
Why? This would add a lot of load to their servers, and for what benefit? If they want to, e.g., add their own advertisement to every site (it's been done), they'd simply do it for the 99,9% of pages served through unencrypted HTTP.
Re:Old news (Score:4, Informative)
If you use self signed certificates (or a CA that isn't in the browser) and Firefox 2 (or Konqueror etc) then you can usually detect this attack by not adding the CA to your browser and only accepting the certificate for the session.
As soon as the warning disappears when you visit the site you know someone is implementing a MITM attack.
Unfortunately, Firefox 3 forces you to add the certificate to the browser so you cannot detect a MITM attack that replaces the certificate with another one that the browser also accepts.
There's no way for an attacker to reliably attack self signed certs because they cannot tell if a particular browser is expecting a "valid" certificate or an "invalid" one for any particular user.
Tim.
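The two detection ideas raised in this thread, warning when a site's certificate changes and noticing that the issuer is the local organisation rather than a public CA, can be combined in a small trust-on-first-use check. This is an added example, not code from any commenter or product; the host name, certificate bytes, issuer names and the `PinStore` class are constructed for illustration.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der).hexdigest()


def issuer_org(peercert: dict) -> str:
    """Read organizationName from the dict shape SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def fetch(host: str, port: int = 443):
    """Return (der, peercert) for a live host. Needs network; the samples do not use it.

    If the filter's root is in the local trust store the handshake succeeds,
    which is exactly the case where the pin comparison is the only signal.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


class PinStore:
    """Trust-on-first-use record of leaf fingerprint and issuer per host."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def check(self, host: str, der: bytes, peercert: dict) -> str:
        seen = {"sha256": fingerprint(der), "issuer": issuer_org(peercert)}
        known = self.pins.get(host)
        if known is None:
            # Caveat: a first visit made from behind the proxy pins the proxy.
            self.pins[host] = seen
            if self.path:
                self.path.write_text(json.dumps(self.pins, indent=2))
            return "first-seen"
        if known["sha256"] == seen["sha256"]:
            return "match"
        # Routine renewal keeps the issuer; interception replaces it.
        # The stored pin is left untouched so the change stays visible.
        if known["issuer"] == seen["issuer"]:
            return "rotated-same-issuer"
        return "issuer-changed"


# Constructed sample input: opaque stand-ins for DER bytes, and issuer
# tuples in the getpeercert() layout. None of this is real certificate data.
SAMPLE_HOST = "www.example.test"
SAMPLE_DER_ORIGINAL = b"constructed-der-original-leaf"
SAMPLE_DER_RENEWED = b"constructed-der-renewed-leaf"
SAMPLE_DER_PROXY = b"constructed-der-proxy-minted-leaf"
SAMPLE_CERT_PUBLIC = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G1"),),
    )
}
SAMPLE_CERT_PROXY = {
    "issuer": (
        (("organizationName", "Example School District"),),
        (("commonName", "Web Filter Root"),),
    )
}


def demo():
    """Replay: home network, same cert again, a renewal, then the filtered network."""
    store = PinStore()
    return [
        store.check(SAMPLE_HOST, SAMPLE_DER_ORIGINAL, SAMPLE_CERT_PUBLIC),
        store.check(SAMPLE_HOST, SAMPLE_DER_ORIGINAL, SAMPLE_CERT_PUBLIC),
        store.check(SAMPLE_HOST, SAMPLE_DER_RENEWED, SAMPLE_CERT_PUBLIC),
        store.check(SAMPLE_HOST, SAMPLE_DER_PROXY, SAMPLE_CERT_PROXY),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The check only helps for hosts first recorded on a network that was not intercepting, which is the same limit the "safe at any site you've visited before" comment describes.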
Re: (Score:2)
As far as snooping is concerned, at least in the US the courts have upheld the right of those that own the machines to control and inspect the contents of those machines. Anything that one does at work or at school should be considered public information. If I wanted to sn
In the U.S. It's your employer/school's. (Score:4, Insightful)
Uh... Yes, a company perfectly has that right. No, if you are using an employer/school-provided connection, you have no rights outside the conditions of access you agreed to when you accepted employment/enrollment. (As it relates to internet access, anyway.)
If you want "Free with a capital F" access, you need to get it yourself, not assume that someone else is going to provide it for you.
Re: (Score:2)
You know I hate to be the guy in a dark van outside the school.. but I'm thinking maybe I could sell wi-fi connections from it.. haha.
Re:In the U.S. It's your employer/school's. (Score:4, Interesting)
And that doesn't mean you were allowed to do it, though.
If you don't like it, DON'T AGREE TO IT! Don't be all stupid anonymous (yes, the irony is thick,) about it. Flat out refuse to sign it. Tell them that they changed the contract on you, and you demand a refund, or you demand that they not enforce the agreement on you. It's that simple.
People who cry "FREEDOM!" from anonymous forums, while using the mantle of freedom as an excuse to do illegal things are just whiny spoiled brats. If you actually want to make a real statement, make it. Don't agree to stuff you dislike, then anonymously break it. That's just stupidity and arrogance. (And, yes, I know of which I speak; I have been fired from a job for making public information that WAS public, but which the company declared after the fact should not have been; combined with PUBLICLY standing up to the leadership of the company for their inanity and impropriety.)
Re: (Score:3, Insightful)
In the US, there is a good chance they do have the right to look at anything you take out of the building.
Don't write it during school hours (Score:2)
I hate to break it to you, but you are not at school for fun, you are there to get your learn on. Students should very well be monitored at school to make sure they doing what they are assigned. Computer monitoring shouldn't just be filtering (that is mostly liability issues) but the teacher walking around seeing what is going on. Computers at school are there for educational purposes, not for you to dick around on.
Now once you go home, well then the school is welcome to fuck off. It's your own time, you do
Re: (Score:3, Insightful)
Sadly people misunderstand how extremely important it is to have fun at school, to exercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get along with people etc.
Re: (Score:2)
Sadly people misunderstand how extremely important it is to have fun at school, to exercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get along with people etc.
Sure, but there's a huge difference between having fun by browsing pr0n and warez sites or downloading torrents of the latest movies and having fun by playing around with hacking a bit of Python, playing Bejeweled, or even wasting hours and hours playing Farmville.
Re: (Score:2)
Sadly people misunderstand how extremely important it is to have fun at school
Fun is naughty...
Re: (Score:2)
Should we get off your lawn now?
Re: (Score:2)
If you post it at a school mailroom that very obviously says it is a school post office, not a Mailboxes Etc, Kinkos, or USPS; especially when the contract you signed when you signed up to be a student says so right in there that if you mail from that mailroom, they may read it. That's what the internet agreements all say. If you don't like it, don't sign it, and don't use school internet.
Same with employment. If I write that patent application at my office, it belongs to my employer, period. If my empl
Re: (Score:2, Insightful)
I'm of somewhat mixed opinions on this subject.
It's really a very different question if you're talking about a company, a school (for minors? or adults? public? private?), or the government.
For a company-- absolutely they have the right. They own the connection and the computer. They have every right to set any policy they see fit in this regard. Your rights are to choose to accept the terms of your employment (which include, 'follow policy'), or not.
For a school of minors-- this is irritating to me, as I fe
Re: (Score:2)
uh, no, you are incorrect. They have you sign something giving them that right.
They don't just "have it", it's more like "You're giving it away". That's what all of those "you have no right to privacy" things are about. You do have a right to privacy, they're saying that you're giving it away. That's a significant difference.
Meanwhile, blocking SSL/HTTPS? It's not going to help anything, it's just going to cause the people who know how to use it to look for other solutions.
Re: (Score:2)
Many students are compelled by law to attend school due to their age. Being that it is a compulsory environment I feel that the students do have the right to encrypt their communications.
As for employers, I do not feel that they have the right to any expectations at all other than a workman like approach to the work agreed to when employed. All the other nonsense that employers try to enforce is a violation of workers' liberties. For e
Re: (Score:2)
Note that I consider business practices that have no bearing on the business itself to be abhorrent. I run a small business, and my only policy for my workers is "Do your work well, and you get paid well. Do your work poorly, and you likely won't get a raise, and may be let go. Don't do your work at all, and you get fired. Don't do anything illegal while operating on my business' behalf."
I've had to fire three employees over the years, all for being lackluster employees. I didn't fire them because they
Snooping? (Score:3, Insightful)
It's not about snooping as much as it is about being able to bypass the filtering function. The fact that a student could use the secure search to access www.porn.com [porn.com][NSFW!] does not mean that the sysadmin is watching their every move online.
Exactly. (Score:4, Interesting)
As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.
This whole article is just the rantings of an idiot who thinks they know more than they do.
Purpose of banning the content? (Score:2)
Students these days could be surfing wherever they feel like using their smartphones.
I wonder what the purpose, effectiveness, relevance of these filtering policies is, particularly
given the above consideration.
The purpose can't really be to protect the students from the content anymore. That's no longer
practical given web-surfing phones & personal netbooks that use the cell network.
So what is the purpose? Just to protect the schools from legal liability and lambasting
by the prude faction?
Re: (Score:2)
Schools that offer their students internet access have a responsibility to filter what the students can access over that connection. That a student can come to school with a smart phone or wireless data card doesn't absolve the school of its need to filter its internet connection.
What your clever little argument avoids is that students aren't allowed to use their cellphones during school hours, so a clever student who is updating their facebook page on their smartphone is still in trouble, the one that fa
Re:Purpose of banning the content? (Score:4, Interesting)
Full disclosure: I am involved with Opendium [opendium.com] who produce web content filtering software for schools.
OK, so what about the student with the 3G iPad?
Sure, you can't prevent pupils from accessing questionable content on their own internet connections. But that isn't such a big problem.
Kids need *an* internet connection for their education - the school provides this and implements filters to ensure that this internet connection is "safe" (we'll come onto "safe" later). If pupils have their own equipment then the school need to police its use manually; but they can be much more draconian with the way they handle it - if a pupil is caught surfing porn on their 3G iPad then the school can just plain confiscate it and inform the parents. The pupil does not *need* that equipment for their education - if they abuse the privilege of having their own equipment then they forfeit it and have to use the school's equipment instead.
Also, importantly from a PR perspective, if this is happening on the pupil's own equipment and connection then it won't be seen as the school's fault (it is more like the kid going to the corner shop and buying Playboy - hardly something the school can prevent, although they would probably confiscate the magazine if they saw it); whereas if kids are actively surfing porn on the school's equipment/connection then the school is seen by many to be failing in their duty of care. Silly, I know, but I have seen schools getting some seriously bad PR from the tabloids because little Johnny got at dodgy websites through the school's computers - remember that news papers don't care about news these days, they are more interested in a sensationalist story with a definite villain in it.
As for what is "safe", filtering is basically about 3 things:
Different schools have different attitudes to how strict they want to be. Something my customers often find very useful to help deal with distractions is the ability to set certain websites, such as facebook, games, etc. to be off-limits during lesson times but allowed during breaks - this seems like a very fair balance to me. Another thing quite common amongst my customers is to use more relaxed controls for older kids since there are websites the older kids may legitimately want to see (e.g. sexual health sites, etc.) that you wouldn't want the younger kids to stumble across.
Something that I've noticed amongst people commenting on these subjects on the internet is that they frequently fall into one of two camps:
To address (1) first - I am usually the last person to promote censorship, but I do believe that schools have a responsibility to protect kids from the content on the internet. Most parents seem to agree. If you, as a parent, disagree with this then you are free to let your child have free rein on the internet from home; just don't expect this to happen on school equipment. As someone involved in writing filtering software, I certainly don't see myself as "evil" - I don't set policies on what gets filtered, I simply provide the tools to allow those in charge to do what they believe is the responsible thing. Note that I am only saying that censorship
Re: (Score:3, Insightful)
So what is the purpose? Just to protect the schools from legal liability and lambasting
by the prude faction?
That's pretty much it, yes. I've worked in SD's and I've seen some things that - IMHO - might seem like a lack of common sense to people with a technical acumen, however to many technology is still very much a boogeyman. For smartphones, I don't see *too* many kids with the high-end ones yet, most are just used for texting and possibly a bit of facebook.
But a few stories. Years ago, some students foun
Re: (Score:3, Insightful)
As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.
If you don't care about someone's data then why are you filtering it? I mean seriously if you didn't care then you would be blocking it. And you could blocking it you weren't scanning the content (even if you are only looking at the content of the URL, you are still looking at "someone's data"). Never mind the fact that in most cases you are only annoying the legit users, because the ones that want to misuse your network, can and will find a way around the blocks.
Re: (Score:2, Informative)
a sysadmin for a school you don't know how to use transparent proxies?
Why would you say that? We use transparent proxies all the time. We're talking about SSL here, which means that you can't do transparent proxying.
This is trivial stuff..
MITM attacks against SSL encrypted connections are trivial? In which universe?
We could probably install ourselves as a CA on machines we own, but besides the dubious legality of that, how do you suggest doing it against student-owned devices?
Not that I think you have no idea what you're talking about, but if there is some magical technology which can crack
Re: (Score:2)
It's not dubiously legal. So install your certs, use a proxy and don't allow student owned devices. Besides, how do you stop students "bypassing" your firewall with their brand new sprint evo's?
We worry about filtering and securing our own equipment, not our students. They own it, they can always stick stuff on there to get around us.
Re: (Score:3, Interesting)
It's not dubiously legal.
Yes, it is. If someone's bank account gets compromised because you were performing a MITM attack on their SSL session then you can bet there will be some quite serious questions levelled at you.
Might want to rethink that (Score:2)
Check back further up in this thread. At least two people have described how to hijack incoming SSL connections. I don't understand the details, but they are setting up a transparent proxy that intercepts the SSL connection and substitutes their own certificate to the user's browser.
Re: (Score:2)
You should read about SSL. The proxy isn't enough: you have to install the CA certificate in the browser, or it won't be accepted (it'll give you that red "Get me out of here!" warning in Firefox).
Freedom of the press belongs to the owner... (Score:5, Insightful)
It's their computers and their networks, so they can do whatever they want. Still, if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services. Teachers like to call that "natural consequences...
Re:Freedom of the press belongs to the owner... (Score:5, Insightful)
Funny how that's not true when it comes to landlords and tenants. In some countries it's even not true when it comes to landlords and squatters. Even squatters have rights.
I suspect there was some history in getting those protections.
The landlords in the "IT world" want their stuff to be legally treated like property but not too much like property
Re: (Score:2)
I'm going to bet it has everything to do with the fact that people can die as a result of being homeless while nobody has ever died from not being able to perform encrypted Internet searches.
Further, homeless people are bad for society as a whole. They're bad for property values, bad from cleanliness and thus health issues, bad from safety issues (when you're starving to death or dying of cold, robbing that guy for food money or a nice coat is suddenly not a big deal) -- just bad. Not to mention how bad
Re: (Score:2)
Which results in all the students at the school being taught to use Bing for internet searches ... perhaps not the best result for Google, or for the students.
They're doing it wrong (Score:4, Interesting)
I hate to tell these schools how to turn into a police state, but if they really want to monitor Google SSL traffic, this is the right way to do it:
1. Install a trusted root certificate in all client browsers (they do control their client computers, right?)
2. Man in the middle all SSL traffic through a transparent proxy, which masquerades as Google SSL traffic and redirects from https://www.google.com/ [google.com] to http://www.google.com./ [www.google.com]
Don't just block all SSL traffic. If you truly have a legitimate reason to monitor users search queries and application traffic, then you already control their client PCs (right?) and can do this in a semi-legitimate way. If not, don't bother blocking it because your users will be up in arms with pitchforks and torches.
Re: (Score:2)
Do you tap all the phones too?
Re: (Score:2)
In at least some states that would still be quite illegal. Actually, I think that'd be illegal in just about all states, as neither party would be informed of the wiretap, let alone both of them.
Re: (Score:2)
That's the wrong way to do it. Even if you inform users (and in this case, probably their parents) that that's what you're doing, you're potentially exposing yourself to substantial legal risk.
Re: (Score:2)
No, it can't. It's encrypted from the server to the browser. How could it?
The block will be a block for 15 minutes (Score:5, Interesting)
Re:The block will be a block for 15 minutes (Score:4, Interesting)
I graduated from high school in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.
All I could think while reading this is "wow, all those students learned a lot about how networks work!"
Re: (Score:2)
When exactly did firefox's proxy settings SSH to anything? Your story has a few holes man.
Re: (Score:2)
Maybe they used an SSH tunnel? That's how I use my HTTP proxy: Set the proxy settings to localhost, port X, then I have an SSH redirect from localhost:X to the server, then in the server it goes to the proxy.
Re:The block will be a block for 15 minutes (Score:5, Informative)
I was on an IT staff that used the nuclear option to take care of issues like this. A white list.
Questions have already been answered (Score:2, Insightful)
Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data,
They have a right to restrict what protocols and port numbers are allowed to be used on their network, as a matter of policy.
They have a right to implement technical measures to assist in enforcing policy, even if those technical measures are so draconian that they prevent some things that are technically allowed by policy.
They have a right to do this, by virtue of it being their network.
does an ind
Block all SSL? (Score:2)
When did these filtering services start blocking _all_ SSL? When I was in high school three years ago the filter my school used didn't. I set up a couple of my own SSL proxies. That was the best way to do it - the larger, more well-known web proxies tended to get blocked within a month of going up. Sometimes within a few days.
On the one hand... (Score:3, Insightful)
..sure, in the US, schools have the right and perhaps the duty to block SSL searches. On the other hand, the behavior of both the censors and the censorware providers argues strongly for the idea that censors are scum of the earth.
CIPA (Score:3, Informative)
In the US all schools receiving E-Rate funds (federal funding for electronics and communications) are required to follow CIPA guidelines for filtering and monitoring student traffic. So, making Google Search SSL pretty much makes that impossible meaning we have to block it. I am grateful that Google is creating a workaround since we are about to migrate to Google Apps ourselves.
Re:Not your home network? No right to complain (Score:5, Informative)
Re: (Score:2)
You're delusional and should go read your network agreement policy again.
Seems to me like you're the one who is delusional. People can comply with whatever the censorship policy of the local gestapo university is and still use SSL to protect their privacy. But perhaps this will lead to some investigation regarding the use of snooped student/employee data, doesn't sound too legal to me ...
This isn't new people, it's the way shit works now.
That's what some people would like us to swallow, but it convinces only the dumbest of us. It ain't the way shit works unless you let it happen, sheeple. :-/
Re: (Score:2)
Luckily, such agreements don't trump the law. At least here, they would be in much trouble if they tried to pull a stunt like MITM'ing HTTPS connections and logging the content.
Re: (Score:2)
Deep packet inspection, anything that doesn't contain a GET/POST or whatever just gets quietly dropped..
HTTPS over HTTP? (Score:2)
I've been wondering for awhile when someone would respond to SSL inspection by proxy servers by making a proxy server package that sits on the internet, tunneling HTTPS over innocuous-looking HTTP traffic. It would be inefficient (especially if the text/HTML looked more or less real) but I don't see why it wouldn't work.
Re: (Score:2)
So your ISP should be able to censor and snoop your connection? It's their network, right?
Is the difference that you're paying for it? I'm paying for my school too.
arguably, I don't own it but I pay the ISP... (Score:2)
Arguably, because I pay the ISP they have a responsibility to not tamper with my communications. That said, I have *no* expectation that they won't intercept them. That's why we use encryption, after all.
In a school or office environment, I generally don't directly pay for the net connection. It is provided via some other entity and I have the choice of using it under whatever rules they offer, or not using it at all.
The alternative being? (Score:5, Informative)
I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can justify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.
SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).
Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...
Re: (Score:2)
If you work on IT, you should know the difference between SSH and SSL.
Re: (Score:2)
With responsibility comes privilege.
Open access in schools doesn't work (Score:5, Insightful)
I was the tech director of a school district for 13 years. I've run schools with very restrictive Internet filters and everything in between to schools with no restrictions at all. What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with. Our schools consisted of about 75% to 100% of the classes, depending on the school, being delivered through distance learning courses. If you give the kids open access to the Internet 90% of the kids will just chat, play games and watch non-educational videos all day every day. They get away with this by leaving a window with their school work up and when the teacher comes to check on them they bring it to front, or by making the offending browser window very very small, so that you can't tell without looking very closely that they aren't doing your work. Left unchecked, at the end of the year, 90% of the students would need to be held back a grade. A couple of side effects of kids that aren't on task is they tend to have very bad classroom behavior that disturbs the students that are trying to stay on task, and most of the time wasters the kids like to use are also HUGE bandwidth hogs, so you end up having to buy 10X the Internet connection that you actually need for the school to function, which only deprives the school of much needed funds that could better be spent on something else.
The extreme other side of the coin, and the way the school is currently running is to completely block the Internet except for a select few websites that the school needs for their distance learning courses. There are some "research" or "library" computers that the kids need special permission to use when they need to look things up for papers and such. By blocking everything, the grade average of the entire school district has shot up to record highs, and the classrooms are a lot more quiet and easier to control.
When it comes down to it, schools are a closed environment that is specially designed for education. When you introduce distractions into that environment, the level of education that the kids are getting goes down significantly. It's not a matter of free speech or the school snooping in on private things, it's a matter of making sure that your kids get a certain level of education.
As for using school computers for personal activities and the school snooping in on them... you weren't supposed to use the computers for personal activities at all. Everyone, teachers and students alike, sign off on the school's computer use policy at the beginning of every year, and I don't know of a school that doesn't require one in some form. We didn't give the teachers computers so that they could maintain contact with their family while they were supposed to be working, and we didn't give the students computers so that they could keep in touch with all their friends on facebook. To argue that it is violating their rights not to be given unfettered Internet access would be like arguing that the school should provide every student with a cell phone so that they could keep in touch with their family and perhaps call people for help on research for papers... even if you could figure out a good reason to give students a cell phone, it would ultimately be a complete flop and a total distraction for an education environment.
In a traditional school, the students' time on a school provided computer would be a lot less and therefore a lot less of noticeable on their overall grades, but the problems are still there.
All that being said, I am completely against any kind of censorship when it comes to my personal Internet, or anyone else's personal Internet, but when you get into a school/business environment, it's no longer YOUR Internet and the owners of the Internet connection can do with it what they like... you have to remember, they don't HAVE to give Internet access at all, and whining that they are blocking access to things that are not in keeping with the task at hand... well maybe you should think about what you are saying before you start whining. After all, you are probably 1 step away from being expelled/fired, and the block is their way of protecting you from yourself.
Sophos Proxies (Score:2)
We use Sophos web proxies that can decrypt SSL traffic using their own SSL cert we install in the browsers on our school's PCs. It automatically skips any banking sites and doesn't cache data; it only scans for threats over SSL, which are becoming more common.
What is the article author's major malfunction? (Score:2, Informative)
> The questions at the heart of this situation are: Does a company (school, government) have a
> right to restrict SSL traffic so it can snoop your data, or does an individual have a right
> to encrypted Internet facilities?
No, the question at the heart of this situation is does a school/government/employer have a right to monitor your activity while using their equipment. Everyone pretty much answered that one a decade ago: Yes they do. That ship has already sailed. I get so tired of numbnut cryp
Re: (Score:2)
The goal isn't to prevent kids from browsing porn anywhere, the goal is to prevent them from doing so using an internet connection provided by government funds.
Your characterisation is apt, but it's not entirely accurate as using such an internet connection, the school still has both an ethical and legal obligation to prevent the kids from browsing porn.
There's plenty of recent enough cases for a casual Google search to turn up incidents where school districts, school administrators, teachers and even schoo
Re: (Score:2)
Legal? Quite possibly.
Ethical? I don't believe anybody has any such ethical obligation. They may do it or not as they choose, according to their own set of morality and appropriateness.