Schools, Filtering Companies Blocking Google SSL 308
An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."
They're doing it wrong (Score:4, Interesting)
I hate to tell these schools how to turn into a police state, but if they really want to monitor Google SSL traffic, this is the right way to do it:
1. Install a trusted root certificate in all client browsers (they do control their client computers, right?)
2. Man in the middle all SSL traffic through a transparent proxy, which masquerades as Google SSL traffic and redirects from https://www.google.com/ [google.com] to http://www.google.com./ [www.google.com]
Don't just block all SSL traffic. If you truly have a legitimate reason to monitor users search queries and application traffic, then you already control their client PCs (right?) and can do this in a semi-legitimate way. If not, don't bother blocking it because your users will be up in arms with pitchforks and torches.
The block will be a block for 15 minutes (Score:5, Interesting)
Exactly. (Score:4, Interesting)
As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.
This whole article is just the rantings of an idiot who thinks they know more than they do.
Re:Freedom of the press belongs to the owner... (Score:3, Interesting)
Re:In the U.S. It's your employer/school's. (Score:1, Interesting)
More legal crap from people who would give up anything to make their life 'easier'
When I attended my university, they had a form like that too. They had never disclosed its existence prior to my admission to the CS program. They agreed to teach me in exchange for my money, and suddenly added conditions afterwards. Net result: I guarantee you I broke those rules and gave the admins as much anonymous hell as possible.
This included taking a screenshot of a hidden network share with serial numbers installed in one lab that got forwarded to the BSA. Unfortunately I was in class when the machines were carried out.
Re:In the U.S. It's your employer/school's. (Score:4, Interesting)
And that doesn't mean you were allowed to do it, though.
If you don't like it, DON'T AGREE TO IT! Don't be all stupid anonymous (yes, the irony is thick,) about it. Flat out refuse to sign it. Tell them that they changed the contract on you, and you demand a refund, or you demand that they not enforce the agreement on you. It's that simple.
People who cry "FREEDOM!" from anonymous forums, while using the mantle of freedom as an excuse to do illegal things are just whiny spoiled brats. If you actually want to make a real statement, make it. Don't agree to stuff you dislike, then anonymously break it. That's just stupidity and arrogance. (And, yes, I know of which I speak; I have been fired from a job for making public information that WAS public, but which the company declared after the fact should not have been; combined with PUBLICLY standing up to the leadership of the company for their inanity and impropriety.)
Re:Old news (Score:5, Interesting)
The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.
The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.
Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.
nah... (Score:3, Interesting)
Comment removed (Score:2, Interesting)
Re:Old news (Score:4, Interesting)
My kingdom for mod points. This is exactly true and is the single biggest vulnerability of SSL.
Every web browser trusts hundreds of root certificates. Most of them are entities that I've never heard of or wouldn't necessarily *want* to trust anyway. (HongKong Post, anyone?) Any of these CAs can effortlessly forge an SSL certificate for any site on the web. I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.
Pro SSL (Score:3, Interesting)
Re:Old news (Score:4, Interesting)
I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.
To prove that you just need to provide a single example of a fake certificate used by a government. Which no-one has so far; the only examples I know of were stupid CAs who'd sign any old crap rather than crooked CAs.
The simple fix, as others have pointed out before, is that any web browser should warn the user if the site certificate changes. Then you're at least safe at any site you've visited before.
Re:The block will be a block for 15 minutes (Score:4, Interesting)
I graduated from highschool in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in a about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.
All I could think while reading this is "wow, all those students learned a lot about how networks work!"
it may be their network, but... (Score:1, Interesting)
There's already the "it's their network, they can do what they want." This is, technically true. However, do you really want to work for a company that has nothing better to do than snoop on your use of the computer, versus I don't know, actually doing business? Or how about sending your kids to a school that worries about if your kid can hack your systems to see boobies, instead of teaching them something. Hell, if my kids can hack the computers to see boobies, well I guess they're learning computer skills, which is more than the standard curriculum.
tl;dr: Just because you *can* doesn't mean you *should*.
Re:Open access in school's doesn't work (Score:1, Interesting)
What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with.
What you should have learned is that wealthier schools are more likely to have filtered internet, better education, and more mannered students.
What I've found over the years is that people who support filtering the internet are already filtering their own thoughts.
Re:Exactly. (Score:3, Interesting)
It's not dubiously legal.
Yes, it is. If someone's bank account gets compromised because you were performing a MITM attack on their SSL session then you can bet there will be some quite serious questions levelled at you.
Re:Purpose of banning the content? (Score:4, Interesting)
Full disclosure: I am involved with Opendium [opendium.com] who produce web content filtering software for schools.
OK, so what about the student with the 3G iPad?
Sure, you can't prevent pupils from accessing questionable content on their own internet connections. But that isn't such a big problem.
Kids need *an* internet connection for their education - the school provides this and implements filters to ensure that this internet connection is "safe" (we'll come onto "safe" later). If pupils have their own equipment then the school need to police it's use manually; but they can be much more draconian with the way they handle it - if a pupil is caught surfing porn on their 3G iPad then the school can just plain confiscate it and inform the parents. The pupil does not *need* that equipment for their education - if they abuse the privilege of having their own equipment then they forfeit it and have use the school's equipment instead.
Also, importantly from a PR perspective, if this is happening on the pupil's own equipment and connection then it won't be seen as the school's fault (it is more like the kid going to the corner shop and buying Playboy - hardly something the school can prevent, although they would probably confiscate the magazine if they saw it); whereas if kids are actively surfing porn on the school's equipment/connection then the school is seen by many to be failing in their duty of care. Silly, I know, but I have seen schools getting some seriously bad PR from the tabloids because little Johnny got at dodgy websites through the school's computers - remember that news papers don't care about news these days, they are more interested in a sensationalist story with a definite villain in it.
As for what is "safe", filtering is basically about 3 things:
Different schools have different attitudes to how strict they want to be. Something my customers often find very useful to help deal with distractions is the ability to set certain websites, such as facebook, games, etc. to be off-limits during lesson times but allowed during breaks - this seems like a very fair balance to me. Another thing quite common amongst my customers is to use more relaxed controls for older kids since there are websites the older kids may legitimately want to see (e.g. sexual health sites, etc.) that you wouldn't want the younger kids to stumble across.
Something that I've noticed amongst people commenting on these subjects on the internet is that they frequently fall into one of two camps:
To address (1) first - I am usually the last person to promote censorship, but I do believe that schools have a responsibility to protect kids from the content on the internet. Most parents seem to agree. If you, as a parent, disagree with this then you are free to let your child have free reign on the internet from home; just don't expect this to happen on school equipment. As someone involved in writing filtering software, I certainly don't see myself as "evil" - I don't set policies on what gets filtered, I simply provide the tools to allow those in charge to do what they believe is the responsible thing. Note that I am only saying that censorship
Re:Old news (Score:3, Interesting)
Full disclosure: I am involved with Opendium [opendium.com] who produce web content filtering software for schools.
The content filters are the ones being paid to deliver a service and the burden of cooperation should be placed on them.
I'm not sure what you mean by this.
With the introduction of Google Search over SSL, the content filter maintainers were faced with a choice: allow unfiltered searches (which essentially defeats the purpose of the content filters), or block google apps. There is no middle ground - there is no magic technological solution to make it all work. Most of the schools seem to consider unfiltered searches to be unacceptable so the choice was reasonably obvious. The software my company produces allows schools to have control over their own filtering, so for my customers the choice was up to them; notably the SWGFL also made the choice available to the individual schools by allowing them to submit an "unblock Google for our network please" request.
I should note that when Google introduced the SSL search service, the problems were immediately obvious and I emailed Google to ask if they would work with us to resolve the problem; Google have not responded directly to my email at all; instead they just posted to their blog to say they would work on it "in a few weeks".
they have no legal liability to
Lets be clear on this: *no one* has a legal liability to resolve these problems and the only people with the technical ability to resolve them are Google (for the only technical resolution involves changing the configuration of Google's servers). But it doesn't reflect well on Google when they market a service (Apps for Education) that many schools then become reliant on, and then introduce a new, unrelated, service that essentially leaves the schools with no choice but to block access to the apps they have come to rely on. Even worse when this doesn't get resolved in a timely way.
I should also point out that Google have historically been pretty good at supporting people's requirement to filter questionable content and have published recommendations about how to interact with Google's services in order to do this. The introduction of the SSL search service essentially rendered a lot of their own recommendations useless.
It is good that Google have recognised that this is an issue, it just seems that they haven't acted very quickly to resolve it or even temporarily work around it.
Re:Old news (Score:3, Interesting)
2) You are school that uses an SSL filtering system to limit what students can and can't get too.
You don't mean "SSL filtering system" - you mean "web filtering system". The point of this article is that, up until the SSL search was introduced, filtering systems worked just fine since the search requests were in the clear and therefore filterable with a suitable proxy server (no SSL involved). Since the introduction of the SSL search, there is a requirement to block SSL access to Google in order to maintain the existing (non-SSL) filtering functionality.
Google releases a service that for the VAST majority of its customers increases privacy and security
It does? I imagine the VAST majority of Google's customers have never heard of, and do not use the SSL search service. Sure, it gives the majority of the customers the *option* of increasing privacy (although I would dispute security since we're only talking about search here), but in reality very few will actually exercise this option.
it also unfortunately breaks Google's (free) educational services *if and only if* the schools are using SSL filtering software to limit what students can and can't get to, *and* those schools choose to block Google's SSL searches using this software.
Most schools really don't have much option here - they *have* to block Google's SSL search service because filtering of searches is an absolute requirement for these schools. Of course, the whole problem could've been avoided if Google had thought ahead a little bit.
You are now saying that Google should roll back this new service, which is beneficial to a large number of Google's income generating users; so that you can figure out how to make your software, that schools paid you to for, work in such that it allows them to continue using Google's free educational offering.
No. I'm saying that it might be an idea for Google to temporarily roll back this new service, which relatively few of their income generating users will be using; until such a time that they can resolve these issues (which is simply a case of shuffling some stuff onto subdomains).
I want to reiterate a couple of facts:
(* yes, performing MITM SSL attacks is technically feasible, but extremely legally dubious and probably not something Google wants to encourage).
Google is offering two completely independent services, both of them free of charge to the user.
Correct. And unfortunately the new service has introduced a problem affecting the second service which makes *both services* fundamentally incompatible with the requirement's of the second service's users.
If you want to use one, but block the other, that's your problem not Google's.
Well no, it is Google's problem because the introduction of a new service has automatically excluded a lot of customers from an existing service. Whilst you consider these services to be "free", Google *is* making money from them and that income is reduced if they lose users, so introducing a new service that loses them a load of existing users really is a problem for them.
There is also a PR problem - Google has demonstrated that becoming reliant on one of their services may be a bad idea because they can, without notice, do something that makes it impossible for you to use the thing you rely on.