Schools, Filtering Companies Blocking Google SSL

Posted by kdawson
from the right-to-look-over-your-shoulder dept.
An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."

  • Old news (Score:5, Insightful)

    by slimjim8094 (941042) <slashdot3@@@justconnected...net> on Monday June 21, 2010 @09:56PM (#32648558)

    SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.

    And the nature of SSL is it's pretty much all-or-none.

    • Re:Old news (Score:5, Informative)

      by Zan Lynx (87672) on Monday June 21, 2010 @09:59PM (#32648584) Homepage

      There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

      There may also be legal issues with it, but I don't know about those.

      It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.

      • But will it happily re-sign false certs given to it by phishing and malware sites?
        • Re: (Score:3, Informative)

          by AusIV (950840)
          That's an implementation detail, and there are numerous such proxies. It would not be difficult for a proxy to validate a certificate for a website before generating another cert for the site.
      • Re:Old news (Score:4, Informative)

        by Anubis350 (772791) on Monday June 21, 2010 @10:12PM (#32648656)
        *used* to be simple. Now, with wireless prevalent, and employees' own devices on the network... I'm spending the summer working at a DOE lab, and the wireless network allows google SSL (at least gmail and gcal) traffic. everything *does* go through a proxy, but without control of my laptop they wouldn't be able to sign duplicate certs and pass them along like they theoretically would with my lab-provided workstation.
        • Re:Old news (Score:5, Insightful)

          by jallen02 (124384) on Monday June 21, 2010 @10:35PM (#32648804) Homepage Journal

          Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.

          • Re:Old news (Score:4, Interesting)

            by Eil (82413) on Monday June 21, 2010 @11:15PM (#32649048) Homepage Journal

            My kingdom for mod points. This is exactly true and is the single biggest vulnerability of SSL.

            Every web browser trusts hundreds of root certificates. Most of them are entities that I've never heard of or wouldn't necessarily *want* to trust anyway. (HongKong Post, anyone?) Any of these CAs can effortlessly forge an SSL certificate for any site on the web. I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

            • Re:Old news (Score:4, Interesting)

              by 0123456 (636235) on Monday June 21, 2010 @11:25PM (#32649122)

              I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

              To prove that you just need to provide a single example of a fake certificate used by a government. Which no-one has so far; the only examples I know of were stupid CAs who'd sign any old crap rather than crooked CAs.

              The simple fix, as others have pointed out before, is that any web browser should warn the user if the site certificate changes. Then you're at least safe at any site you've visited before.
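Added example, not part of the original thread or any poster's code: a minimal trust-on-first-use check of the kind 0123456 describes above, which flags a changed leaf certificate even when the replacement chains to a root the machine trusts. `PinStore`, `fetch_leaf_der` and the `.test` hostnames are hypothetical names, and the sample certificate bytes are constructed.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


class PinStore:
    """Trust-on-first-use store mapping host -> leaf certificate fingerprint."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    @staticmethod
    def _norm(host: str) -> str:
        # "Mail.Example.test." and "mail.example.test" are the same host.
        return host.strip().lower().rstrip(".")

    def check(self, host: str, der_bytes: bytes) -> str:
        """Return 'first-seen', 'match' or 'changed'; never overwrites a pin."""
        host, seen = self._norm(host), fingerprint(der_bytes)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = seen
            self._save()
            return "first-seen"
        return "match" if hmac.compare_digest(known, seen) else "changed"

    def repin(self, host: str, der_bytes: bytes) -> None:
        """Accept a new certificate after the change was verified out of band."""
        self.pins[self._norm(host)] = fingerprint(der_bytes)
        self._save()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the network path actually presents.

    Normal chain validation still runs here. On a machine with an interception
    root installed it succeeds, which is why the pin comparison is needed.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo():
    # Constructed stand-ins for DER certificates; no real certificate data.
    origin_cert = b"constructed: leaf issued by a public CA"
    proxy_cert = b"constructed: leaf minted by a filtering proxy"
    store = PinStore()  # in-memory; pass a path to persist between runs
    return [
        store.check("Mail.Example.test", origin_cert),   # first visit
        store.check("mail.example.test.", origin_cert),  # same cert again
        store.check("mail.example.test", proxy_cert),    # substituted cert
        store.check("mail.example.test", origin_cert),   # pin was not replaced
    ]


if __name__ == "__main__":
    print(demo())
```

Legitimate renewals and sites served from several certificates also report `changed`, so a change is a prompt to verify out of band rather than proof of interception. A pin first recorded on an already intercepted connection records the proxy's certificate.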

          • Um.. no. This has never been documented happening. Not once.

          • by blueg3 (192743)

            It's not transparent, it's just not obvious. If they have that capability, exposing it by MitM-ing SSL connections at one of their own facilities (one low-security enough to have a wireless network) would be stupid, since the likelihood of it being discovered and disclosed is high.

      • Re:Old news (Score:5, Insightful)

        by grcumb (781340) on Monday June 21, 2010 @10:30PM (#32648776) Homepage Journal

        There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

        Well, here's a slightly less costly alternative, then:

        Stand where you can see the student's screens.

        *sigh* When did morals and ethical behaviour become a technological problem?

        • by Gerzel (240421)

          Yeah...200+ students on a single (small) campus. Let's see how much does it cost for a system to send screen shots over to a single office with someone hired to "stand behind" the students and watch them?

          Or do you mean physically? You want to have the teacher stand behind their students watching them or teach the class? Yes these two things are often mutually exclusive.

      • Re: (Score:3, Informative)

        by FireFury03 (653718)

        There are techniques for doing man-in-the-middle attacks against the SSL session which allows for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

        Doing MITM attacks on SSL sessions where you control the browser is trivial - you just import a new trusted root cert into the browser and have a proxy decrypt the SSL session and re-encrypt it using a certificate signed by the newly trusted cert.

        There may also be legal issues with it, but I don't know about those.

        I run a company producing filtering software for schools and we absolutely refuse to do these sorts of MITM attacks because we believe that there are serious legal issues. If someone's bank account, credit card, etc. gets compromised because a school is running MI

    • by jallen02 (124384)

      Except, that is not true. There are commercial proxies that make it very easy to own users that are using SSL. It just costs money. All the IT administrators have to do is install the proxy's certificate authority cert in the list of trusted certificates and transparent man in the middle can be done with ease and the user will never be the wiser. The tools to do this can be developed by anyone with a little knowledge of SSL and some time, as well. This is a major fallacy. It is only difficult for organizati

    • Re:Old news (Score:5, Interesting)

      by Eil (82413) on Monday June 21, 2010 @11:03PM (#32648980) Homepage Journal

      And the nature of SSL is it's pretty much all-or-none.

      The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.

      The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.

      Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.

      • I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point.

        Why? This would add a lot of load to their servers, and for what benefit? If they want to, e.g., add their own advertisement to every site (it's been done), they'd simply do it for the 99,9% of pages served through unencrypted HTTP.

      • Re:Old news (Score:4, Informative)

        by locofungus (179280) on Tuesday June 22, 2010 @05:59AM (#32650908)

        If you use self signed certificates (or a CA that isn't in the browser) and Firefox 2 (or Konqueror etc) then you can usually detect this attack by not adding the CA to your browser and only accepting the certificate for the session.

        As soon as the warning disappears when you visit the site you know someone is implementing a MITM attack.

        Unfortunately, Firefox 3 forces you to add the certificate to the browser so you cannot detect a MITM attack that replaces the certificate with another one that the browser also accepts.

        There's no way for an attacker to reliably attack self signed certs because they cannot tell if a particular browser is expecting a "valid" certificate or an "invalid" one for any particular user.

        Tim.

    • by fermion (181285)
      Also note that many K-12 schools and districts have codes of conduct that prohibit the use of shopping sites. Blocking SSL is a way to enforce that code of conduct. Many firms may prefer their employees to work instead of shop as well.

      As far as snooping is concerned, at least in the US the courts have upheld the right of those that own the machines to control and inspect the contents of those machines. Anything that one does at work or at school should be considered public information. If I wanted to sn

  • The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities?

    Uh... Yes, a company perfectly has that right. No, if you are using an employer/school-provided connection, you have no rights outside the conditions of access you agreed to when you accepted employment/enrollment. (As it relates to internet access, anyway.)

    If you want "Free with a capital F" access, you need to get it yourself, not assume that someone else is going to provide it for you.

    • What if you write a private letter to your aunt during school hours? Does the school have a right to read it before you post it?
      • by popeye44 (929152)

        You know I hate to be the guy in a dark van outside the school.. but I'm thinking maybe I could sell wi-fi connections from it.. haha.

      • Re: (Score:3, Insightful)

        by rotide (1015173)
        If you write it on a Business/School computer with a policy in place where you have no expected right to privacy, yes. If you don't like that, don't sign the AUP, etc, and subsequently don't get hired there.
      • by dward90 (1813520) on Monday June 21, 2010 @10:17PM (#32648686)
        If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.
      • Re: (Score:3, Insightful)

        by rtaylor (70602)

        In the US, there is a good chance they do have the right to look at anything you take out of the building.

      • I hate to break it to you, but you are not at school for fun, you are there to get your learn on. Students should very well be monitored at school to make sure they are doing what they are assigned. Computer monitoring shouldn't just be filtering (that is mostly liability issues) but the teacher walking around seeing what is going on. Computers at school are there for educational purposes, not for you to dick around on.

        Now once you go home, well then the school is welcome to fuck off. It's your own time, you do

        • Re: (Score:3, Insightful)

          by Archades54 (925582)

          Sadly people misunderstand how extremely important it is to have fun at school, to exercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get along with people etc.

          • Sadly people misunderstand how extremely important it is to have fun at school, to exercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get along with people etc.

            Sure, but there's a huge difference between having fun by browsing pr0n and warez sites or downloading torrents of the latest movies and having fun by playing around with hacking a bit of Python, playing Bejeweled, or even wasting hours and hours playing Farmville.

          • by Macrat (638047)

            Sadly people misunderstand how extremely important it is to have fun at school

            Fun is naughty...

        • Re: (Score:3, Insightful)

          by Curunir_wolf (588405)
          I think you're confusing "teaching" with "tyrannical indoctrination".
      • If you post it at a school mailroom that very obviously says it is a school post office, not a Mailboxes Etc, Kinkos, or USPS; especially when the contract you signed when you signed up to be a student says so right in there that if you mail from that mailroom, they may read it. That's what the internet agreements all say. If you don't like it, don't sign it, and don't use school internet.

        Same with employment. If I write that patent application at my office, it belongs to my employer, period. If my empl

    • Re: (Score:2, Insightful)

      by Ixokai (443555)

      I'm of somewhat mixed opinions on this subject.

      It's really a very different question if you're talking about a company, a school (for minors? or adults? public? private?), or the government.

      For a company-- absolutely they have the right. They own the connection and the computer. They have every right to set any policy they see fit in this regard. Your rights are to choose to accept the terms of your employment (which include, 'follow policy'), or not.

      For a school of minors-- this is irritating to me, as I fe

    • by poetmatt (793785)

      uh, no, you are incorrect. They have you sign something giving them that right.

      They don't just "have it", it's more like "You're giving it away". That's what all of those "you have no right to privacy" things are about. You do have a right to privacy, they're saying that you're giving it away. That's a significant difference.

      Meanwhile, blocking SSL/HTTPS? It's not going to help anything, it's just going to cause the people who know how to use it to look for other solutions.

    • by b4upoo (166390)

      Many students are compelled by law to attend school due to their age. Being that it is a compulsory environment I feel that the students do have the right to encrypt their communications.
      As for employers, I do not feel that they have the right to any expectations at all other than a workmanlike approach to the work agreed to when employed. All the other nonsense that employers try to enforce is a violation of workers' liberties. For e

      • Note that I consider business practices that have no bearing on the business itself to be abhorrent. I run a small business, and my only policy for my workers is "Do your work well, and you get paid well. Do your work poorly, and you likely won't get a raise, and may be let go. Don't do your work at all, and you get fired. Don't do anything illegal while operating on my business' behalf."

        I've had to fire three employees over the years, all for being lackluster employees. I didn't fire them because they

  • Snooping? (Score:3, Insightful)

    by Ethanol-fueled (1125189) * on Monday June 21, 2010 @09:57PM (#32648566) Homepage Journal

    The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data

    It's not about snooping as much as it is about being able to bypass the filtering function. The fact that a student could use the secure search to access www.porn.com [porn.com][NSFW!] does not mean that the sysadmin is watching their every move online.

    • Exactly. (Score:4, Interesting)

      by Anonymous Coward on Monday June 21, 2010 @10:16PM (#32648680)

      As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.

      This whole article is just the rantings of an idiot who thinks they know more than they do.

      • Students these days could be surfing wherever they feel like using their smartphones.

        I wonder what the purpose, effectiveness, relevance of these filtering policies is, particularly
        given the above consideration.

        The purpose can't really be to protect the students from the content anymore. That's no longer
        practical given web-surfing phones & personal netbooks that use the cell network.

        So what is the purpose? Just to protect the schools from legal liability and lambasting
        by the prude faction?

        • by kenh (9056)

          Schools that offer their students internet access have a responsibility to filter what the students can access over that connection. That a student can come to school with a smart phone or wireless data card doesn't absolve the school of its need to filter its internet connection.

          What your clever little argument avoids is that students aren't allowed to use their cellphones during school hours, so a clever student who is updating their facebook page on their smartphone is still in trouble, the one that fa

        • Re: (Score:3, Insightful)

          by phorm (591458)

          So what is the purpose? Just to protect the schools from legal liability and lambasting
          by the prude faction?

          That's pretty much it, yes. I've worked in SD's and I've seen some things that - IMHO - might seem like a lack of common sense to people with a technical acumen, however to many technology is still very much a boogeyman. For smartphones, I don't see *too* many kids with the high-end ones yet, most are just used for texting and possibly a bit of facebook.

          But a few stories. Years ago, some students foun

      • Re: (Score:3, Insightful)

        by xero314 (722674)

        As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.

        If you don't care about someone's data then why are you filtering it. I mean seriously if you didn't care then you would be blocking it. And you could blocking it you weren't scanning the content (even if you are only looking at the content of the URL, you are still looking at "someone's data"). Never mind the fact that in most cases you are only annoying the legit users, because the ones that want to misuse your network, can and will find a way around the blocks.

  • by LostCluster (625375) * on Monday June 21, 2010 @09:59PM (#32648580)

    It's their computers and their networks, so they can do whatever they want. Still, if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services. Teachers like to call that "natural consequences...

    • by TheLink (130905) on Monday June 21, 2010 @10:21PM (#32648716) Journal
      > It's their computers and their networks, so they can do whatever they want

      Funny how that's not true when it comes to landlords and tenants. In some countries it's even not true when it comes to landlords and squatters. Even squatters have rights.

      I suspect there was some history in getting those protections.

      The landlords in the "IT world" want their stuff to be legally treated like property but not too much like property ;).
      • Re: (Score:3, Interesting)

        by rotide (1015173)
        I'm going to bet that has everything to do with your home being a constitutionally protected zone. Work computers and school computers aren't protected the same way.
        • by Dhalka226 (559740)

          I'm going to bet it has everything to do with the fact that people can die as a result of being homeless while nobody has ever died from not being able to perform encrypted Internet searches.

          Further, homeless people are bad for society as a whole. They're bad for property values, bad from cleanliness and thus health issues, bad from safety issues (when you're starving to death or dying of cold, robbing that guy for food money or a nice coat is suddenly not a big deal) -- just bad. Not to mention how bad

    • by zrq (794138)

      if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services

      Which results in all the students at the school being taught to use Bing for internet searches ... perhaps not the best result for Google, or for the students.

  • by illumin8 (148082) on Monday June 21, 2010 @10:05PM (#32648614) Journal

    I hate to tell these schools how to turn into a police state, but if they really want to monitor Google SSL traffic, this is the right way to do it:

    1. Install a trusted root certificate in all client browsers (they do control their client computers, right?)
    2. Man in the middle all SSL traffic through a transparent proxy, which masquerades as Google SSL traffic and redirects from https://www.google.com/ [google.com] to http://www.google.com./ [www.google.com]

    Don't just block all SSL traffic. If you truly have a legitimate reason to monitor users search queries and application traffic, then you already control their client PCs (right?) and can do this in a semi-legitimate way. If not, don't bother blocking it because your users will be up in arms with pitchforks and torches.

    • Do you tap all the phones too?

      • by dward90 (1813520)
        I reserve the right to tap all phones which I own and for which I pay all associated costs.
        • by Sir_Lewk (967686)

          In at least some states that would still be quite illegal. Actually, I think that'd be illegal in just about all states, as neither party would be informed of the wiretap, let alone both of them.

    • by blueg3 (192743)

      That's the wrong way to do it. Even if you inform users (and in this case, probably their parents) that that's what you're doing, you're potentially exposing yourself to substantial legal risk.

  • by Wolvenhaven (1521217) on Monday June 21, 2010 @10:05PM (#32648622) Homepage
    I graduated from high school in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.
    • by MobileTatsu-NJG (946591) on Monday June 21, 2010 @11:37PM (#32649182)

      I graduated from high school in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

      All I could think while reading this is "wow, all those students learned a lot about how networks work!"

    • by rivetgeek (977479)

      When exactly did firefox's proxy settings SSH to anything? Your story has a few holes man.

      • Maybe they used an SSH tunnel? That's how I use my HTTP proxy: Set the proxy settings to localhost, port X, then I have an SSH redirect from localhost:X to the server, then in the server it goes to the proxy.

    • by maccodemonkey (1438585) on Tuesday June 22, 2010 @02:25AM (#32649998)

      I was on an IT staff that used the nuclear option to take care of issues like this. A white list.

  • Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data,

    They have a right to restrict what protocols and port numbers are allowed to be used on their network, as a matter of policy.

    They have a right to implement technical measures to assist in enforcing policy, even if those technical measures are so draconian that they prevent some things that are technically allowed by policy.

    They have a right to do this, by virtue of it being their network.

    does an ind

  • When did these filtering services start blocking _all_ SSL? When I was in high school three years ago the filter my school used didn't. I set up a couple of my own SSL proxies. That was the best way to do it - the larger, more well-known web proxies tended to get blocked within a month of going up. Sometimes within a few days.

  • On the one hand... (Score:3, Insightful)

    by russotto (537200) on Monday June 21, 2010 @10:27PM (#32648758) Journal

    ..sure, in the US, schools have the right and perhaps the duty to block SSL searches. On the other hand, the behavior of both the censors and the censorware providers argues strongly for the idea that censors are scum of the earth.

  • CIPA (Score:3, Informative)

    by Anonymous Coward on Monday June 21, 2010 @10:29PM (#32648770)

    In the US all schools receiving E-Rate funds (federal funding for electronics and communications) are required to follow CIPA guidelines for filtering and monitoring student traffic. So, making Google Search SSL pretty much makes that impossible meaning we have to block it. I am grateful that Google is creating a workaround since we are about to migrate to Google Apps ourselves.

  • by adosch (1397357) on Monday June 21, 2010 @10:31PM (#32648784)

    I've never understood or comprehended, for that matter, why people/employees/students, etc. think they have rights on a controlled government or educational internet-enabled network. Quite honestly, if you're doing things like online purchases, bill paying, senseless surfing, looking at soft-porn, chatting, facebooking, tweeting, etc. at school or work on a fairly regular basis several times a day, and you somehow are pissed because your rights are infringed? You're delusional and should go read your network agreement policy again. If you, as an employee or student, are that security conscious of your local big brother system administrator being told to troll logs and give web reports to upper management, then use good common sense. People shouldn't be using these networks for anything other than business as usual IMHO. Anything else, is just subject to interpretation against you. This isn't new people, it's the way shit works now.

    As a system administrator, I deal with these same dilemmas on a daily basis and all I have to say is: Yes, I have an easier way to get away with things like this, however, I'm still held just as accountable as Joe Typist down the cube row. Everyone knows about ethics and morals just as much as they know absolutely every thing you do on a digital device these days is logged, recorded and stored somewhere. So keep your personal business... at home unless it's an absolute emergency, your cable bill is past due or you flat don't give a shit.

    • by pthreadunixman (1370403) on Monday June 21, 2010 @10:57PM (#32648944)
      On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in any way that would otherwise normally be allowed. This applies equally to staff, faculty and students.
    • by Lazy Jones (8403)

      You're delusional and should go read your network agreement policy again.

      Seems to me like you're the one who is delusional. People can comply with whatever the censorship policy of the local gestapo university is and still use SSL to protect their privacy. But perhaps this will lead to some investigation regarding the use of snooped student/employee data, doesn't sound too legal to me ...

      This isn't new people, it's the way shit works now.

      That's what some people would like us to swallow, but it convinces only the dumbest of us. It ain't the way shit works unless you let it happen, sheeple. :-/

    • Re: (Score:2, Insightful)

      I've never understood system/network administrators that get a thrill out of restricting what users can do outside of preventing operational difficulties. I could care less what users do unless they're disrupting service in some way or another. The network is not the right place to enforce human behavior.
    • should go read your network agreement policy again

      Luckily, such agreements don't trump the law. At least here, they would be in much trouble if they tried to pull a stunt like MITM'ing HTTPS connections and logging the content.

  • I've been wondering for a while when someone would respond to SSL inspection by proxy servers by making a proxy server package that sits on the internet, tunneling HTTPS over innocuous-looking HTTP traffic. It would be inefficient (especially if the text/HTML looked more or less real) but I don't see why it wouldn't work.

  • Amazing ... (Score:3, Insightful)

    by Lazy Jones (8403) on Monday June 21, 2010 @10:52PM (#32648922) Homepage Journal
    ... how many people seem to think it's fine to snoop people's data and implement various kinds of censorship under the pretext of blocking porn (also, there's no porn produced or consumed in the US or UK, honest!).
    • by kjart (941720)
      Of course it's fine if it's your network. It's amazing how people think they can do whatever they want with something that isn't theirs.
      • So your ISP should be able to censor and snoop your connection? It's their network, right?

        Is the difference that you're paying for it? I'm paying for my school too.

  • by kenh (9056) on Monday June 21, 2010 @10:55PM (#32648932) Homepage Journal

    I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can justify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.

    SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).

    Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

  • nah... (Score:3, Interesting)

    by Charliemopps (1157495) on Monday June 21, 2010 @11:03PM (#32648984)
    Schools should just pull internet access. Yes, I know, it's a useful tool for all of us. But it provides no real help in school. You're supposed to be learning what's in the book, not what Slashdot's opinion on the subject is. Yes, have computers in the school for word processing, programming, art, etc... But they do not need internet access. In fact, if I were in charge of building a modern school I'd make sure the entire school were a Faraday cage so cellphones would be dead inside it as well.
    • by KarmaMB84 (743001)
      Make a landline that can be cut the only way to call for help in a SCHOOL. What could possibly go wrong there?
  • If schools are anything like mine, the computer science department requires a $50 "computer access fee" for each computer science course in which you enroll. This would technically constitute payment for services, so a question I have here is if such a mandatory fee is imposed on access to lab machines, do they still have the right to force no SSL traffic? If so, do ISPs have the right to block your SSL traffic to certain websites since in both cases you can technically make the case that you're paying fo
  • Pro SSL (Score:3, Interesting)

    by DaMattster (977781) on Monday June 21, 2010 @11:17PM (#32649072)
    I am very pro SSL and encryption in general. People have an inherent right to privacy and the argument that wanting privacy implies having something (criminal or unsavory) to hide is just bullshit. I do not like having my web surfing habits snooped or other tricky marketing gimmicks. If I want to use a Google SSL proxy, then I should be able to. If I want to use GNUPG to encrypt my email, I can and will. Even though I use the internet for legal means, I don't want Uncle Sam categorizing my activity and mining it.
  • If you're in a school and your traffic is being filtered, then you aren't talking to the right people [thedailywtf.com].
  • by Fone626 (6793) on Monday June 21, 2010 @11:23PM (#32649110)

    I was the tech director of a school district for 13 years. I've run schools with very restrictive Internet filters and everything in between to schools with no restrictions at all. What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with. Our schools consisted of about 75% to 100% of the classes, depending on the school, being delivered through distance learning courses. If you give the kids open access to the Internet 90% of the kids will just chat, play games and watch non-educational videos all day every day. They get away with this by leaving a window with their school work up and when the teacher comes to check on them they bring it to the front, or by making the offending browser window very very small, so that you can't tell without looking very closely that they aren't doing your work. Left unchecked, at the end of the year, 90% of the students would need to be held back a grade. A couple of side effects of kids that aren't on task is they tend to have very bad classroom behavior that disturbs the students that are trying to stay on task, and most of the time wasters the kids like to use are also HUGE bandwidth hogs, so you end up having to buy 10X the Internet connection that you actually need for the school to function, which only deprives the school of much needed funds that could better be spent on something else.

    The extreme other side of the coin, and the way the school is currently running is to completely block the Internet except for a select few websites that the school needs for their distance learning courses. There are some "research" or "library" computers that the kids need special permission to use when they need to look things up for papers and such. By blocking everything, the grade average of the entire school district has shot up to record highs, and the classrooms are a lot more quiet and easier to control.
    When it comes down to it, schools are a closed environment that is specially designed for education. When you introduce distractions into that environment the level of education that the kids are getting goes down significantly. It's not a matter of free speech or the school snooping in on private things, it's a matter of making sure that your kids get a certain level of education.
    As for using school computers for personal activities and the school snooping in on them... you weren't supposed to use the computers for personal activities at all. Everyone, teachers and students alike, sign off on the school's computer use policy at the beginning of every year, and I don't know of a school that doesn't require one in some form. We didn't give the teachers computers so that they could maintain contact with their family while they were supposed to be working, and we didn't give the students computers so that they could keep in touch with all their friends on facebook. To argue that it is violating their rights not to be given unfettered Internet access would be like arguing that the school should provide every student with a cell phone so that they could keep in touch with their family and perhaps call people for help on research for papers... even if you could figure out a good reason to give students a cell phone, it would ultimately be a complete flop and a total distraction for an education environment.

    In a traditional school, the students' time on a school provided computer would be a lot less and therefore a lot less of noticeable on their overall grades, but the problems are still there.

    All that being said, I am completely against any kind of censorship when it comes to my personal Internet, or anyone else's personal Internet, but when you get into a school/business environment, it's no longer YOUR Internet and the owners of the Internet connection can do with it what they like... you have to remember, they don't HAVE to give Internet access at all, and whining that they are blocking access to things that are not in keeping with the task at hand... well maybe you should think about what you are saying before you start whining. After all, you are probably 1 step away from being expelled/fired, and the block is their way of protecting you from yourself.

  • We use Sophos web proxies that can decrypt SSL traffic using their own SSL cert we install in the browsers on our school's PCs. It automatically skips any banking sites, and doesn't cache data; it only scans for threats over SSL, which are becoming more common.

  • > The questions at the heart of this situation are: Does a company (school, government) have a
    > right to restrict SSL traffic so it can snoop your data, or does an individual have a right
    > to encrypted Internet facilities?

    No, the question at the heart of this situation is does a school/government/employer have a right to monitor your activity while using their equipment. Everyone pretty much answered that one a decade ago: Yes they do. That ship has already sailed. I get so tired of numbnut cryp
