Schools, Filtering Companies Blocking Google SSL

An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."

Re:Old news

[Zan Lynx]

There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

There may also be legal issues with it, but I don't know about those.

It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.

Re:Old news

[Anubis350]

*used* to be simple. Now, with wireless prevalent, and employees own devices on the network... I'm spending the summer working at a DOE lab, and the wireless network allows google SSL (at least gmail and gcal) traffic. everything *does* go through a proxy, but without control of my laptop they wouldnt be able to sign duplicate certs and pass them along like they theoretically would with my lab-provided workstation.

Re:In the U.S. It's your employer/school's.

[dward90]

If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.

CIPA

[Anonymous Coward]

In the US all schools receiving E-Rate funds (federal funding for electronics and communications) are required to follow CIPA guidelines for filtering and monitoring student traffic. So, making Google Search SSL pretty much makes that impossible meaning we have to block it. I am grateful that Google is creating a workaround since we are about to migrate to Google Apps ourselves.

Re:Exactly.

[Anonymous Coward]

a sysadmin for a school you don't know how to use transparent proxies?

Why would you say that? We use transparent proxies all the time. We're talking about SSL here, which means that you can't do transparent proxying.

This is trivial stuff..

MITM attacks against SSL encrypted connections are trivial? In which universe?

We could probably install ourselves as a CA on machines we own, but besides the dubious legality of that, how do you do suggest doing it against student-owned devices?

Not that I think you have no idea what you're talking about, but if there is some magical technology which can crack HTTPS traffic in realtime, I'm very interested in finding out what it is.

The alternative being?

[kenh]

I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can jstify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.

SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).

Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

Re:Not your home network? No right to complain

[pthreadunixman]

On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in anyway that would otherwise normally be allowed. This applies equally to staff, faculty and students.

Re:Old news

[AusIV]

That's an implementation details, and there are numerous such proxies. It would not be difficult for a proxy to validate a certificate for a website before generating another cert for the site.

What is the article author's major malfunction?

[jmorris42]

> The questions at the heart of this situation are: Does a company (school, government) have a
> right to restrict SSL traffic so it can snoop your data, or does an individual have a right
> to encrypted Internet facilities?

No, the question at the heart of this situation is does a school/government/employer have a right to monitor your activity while using their equipment. Everyone pretty much answered that one a decade ago: Yes they do. That ship has already sailed. I get so tired of numbnut crypto weenies running around waving their magic pixie dust thinking it changes everything. Nope. If they have the right to monitor you can't wave your crypto weenie and say "Neener neener, you can't stop me!" and expect no reaction from the system/the man/whatever. They aren't going to be all like, "Oh noes, they have crypto so the rules don't apply to them; they can do whatever they want. We are so powerless against it's awesomeness. Wwwaaahh!" No, they are going to open up the crypto or ban/block your use of it. And this is news how? Even news for nerds?

Re:The block will be a block for 15 minutes

[maccodemonkey]

I was on an IT staff that used the nuclear option to take care of issues like this. A white list.

Re:Old news

[FireFury03]

There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

Doing MITM attacks on SSL sessions where you control the browser is trivial - you just import a new trusted root cert into the browser and have a proxy decrypt the SSL session and re-encrypt it using a certificate signed by the newly trusted cert.

There may also be legal issues with it, but I don't know about those.

I run a company producing filtering software for schools and we absolutely refuse to do these sorts of MITM attacks because we believe that there are serious legal issues. If someone's bank account, credit card, etc. gets compromised because a school is running MITM attacks on SSL sessions then the school, and possibly the producer of the filtering software, are probably going to be quite liable. The techies at our customers seem to agree with our assessment and are happy to have an all-or-nothing approach to SSL (i.e. they can block or allow by domain name, but that's as far as the filtering goes).

So far we haven't had to explain our position to the management types who might not properly understand the implications of attacking SSL sessions; however I'm sure that it will come up at some point since there are a number of competitors advertising that they can filter content being transferred over SSL.

On the Google front, it's certainly good that they are addressing the problem, but it seems to me that it is too late and too slow - this stuff should have been considered *before* the roll-out of SSL search (it was blindingly obvious to everyone in the content filtering industry how big a problem this was going to be as soon as Google announced it); and the amount of time it is taking for them to sort it out once the problem was discovered is far too long. Since this has effectively prevented a lot of schools from accessing the Google Apps for Education for several weeks, I would have thought the best solution would have been to temporarilly disable search over SSL again until all the problems had been resolved. Also, it has always struck me that bundling all the separate services under a single domain name is crazy - it's just asking for the rollout of one new service to badly impact an existing service.

Re:Old news

[locofungus]

If you use self signed certificates (or a CA that isn't in the browser) and Firefox 2 (or Konqueror etc) then you can usually detect this attack by not adding the CA to your browser and only accepting the certificate for the session.

As soon as the warning disappears when you visit the site you know someone is implementing a MITM attack.

Unfortunately, Firefox 3 forces you to add the certificate to the browser so you cannot detect a MITM attack that replaces the certificate with another one that the browser also accepts.

There's no way for an attacker to reliably attack self signed certs because they cannot tell if a particular browser is expecting a "valid" certificate or an "invalid" one for any particular user.

Tim.