I would agree with you up until the fact that Google Apps for Education is a free service. The content filters are the ones being paid to deliver a service and the burden of cooperation should be placed on them. Of course it would be nice if Google worked on it as well, but they have no legal liability to. The only thing pushing them to work it out is if it hurts their reputation. Most users will probably recognize this as a filtering issue by the pretty "your site is blocked" page and it will only look bad o
I realize you are extremely attached to this issue, but Google is offering a free, without advertisements, service to schools. These people are not customers, they are consumers. Maybe the schools shouldn't have become reliant on Google and hosted their own services or should just migrate to a new service. Businesses do it all the time when a service stops meeting their needs, they call it upgrading.
Old news (Score:5, Insightful)
SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.
And the nature of SSL is it's pretty much all-or-none.
Re: (Score:5, Informative)
There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
There may also be legal issues with it, but I don't know about those.
It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website wit
Re: (Score:3, Informative)
There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.
Doing MITM attacks on SSL sessions where you control the browser is trivial - you just import a new trusted root cert into the browser and have a proxy decrypt the SSL session and re-encrypt it using a certificate signed by the newly trusted cert.
There may also be legal issues with it, but I don't know about those.
I run a company producing filtering software for schools and we absolutely refuse to do these sorts of MITM attacks because we believe that there are serious legal issues. If someone's bank account, credit card, etc. gets compromised because a school is running MI
Re: (Score:2)
Re: (Score:3, Interesting)
Full disclosure: I am involved with Opendium [opendium.com] who produce web content filtering software for schools.
The content filters are the ones being paid to deliver a service and the burden of cooperation should be placed on them.
I'm not sure what you mean by this.
With the introduction of Google Search over SSL, the content filter maintainers were faced with a choice: allow unfiltered searches (which essentially defeats the purpose of the content filters), or block Google Apps. There is no middle ground - there is no magic technological solution to make it all work. Most of the schools seem to consider unfiltered searches to be unac
Re:Old news (Score:2)
He means, simply, this:
1) You are a school that chooses to use Google's (free) educational services.
2) You are a school that uses an SSL filtering system to limit what students can and can't get to.
3) Google releases a service that for the VAST majority of its customers increases privacy and security, it also unfortunately breaks Google's (free) educational services *if and only if* the schools are using SSL filtering software to limit what students can and can't get to, *and* those schools choose to block Google's SSL searches using this software.
4) You are now saying that Google should roll back this new service, which is beneficial to a large number of Google's income generating users; so that you can figure out how to make your software, that schools paid you for, work in such a way that it allows them to continue using Google's free educational offering.
Google is offering two completely independent services, both of them free of charge to the user. These services both have value to someone. If you want to use one, but block the other, that's your problem not Google's. That's kind of like me saying that I like Wendy's hamburgers, but their fries aren't very good, so they should provide me with McDonald's fries.
Personally I think the entire concept of filtering Internet access in schools is very sketchy in its validity. Students should be supervised when they are using school equipment to access the Internet. Does this mean you can watch every kid every second they're on the 'Net? Of course not, you have to blink at a minimum, and most likely you'll need to walk around, check the other kids, etc. That's fine. As long as you're checking the screen of each student every few minutes you're very, very likely to catch any mishaps. Given that filtering software is well known for blocking things that might be very appropriate for learning and research, especially at the high school level, this seems like a better solution to me.
It's easy to say that porn should be blocked, but blocking porn often seems to involve blocking health sites which focus on, shall we say, personal health issues (cancers of various sexual and erogenous organs come to mind immediately). It's easy to say you should block hate sites, but how do you research hate groups without going to their sites? It's easy to say you should block sites related to social issues that create controversy, but who makes those determinations? What right do they have to decide what is controversy and what is learning?
My opinion regarding internet filtering aside, though... Google is offering a service, Google Apps for Education, that schools want. They are offering another service, SSL search, that schools want to block. It seems to me that it is distinctly the school's problem to figure out how to do that. (Which, since they are paying you to provide filtering, makes it your problem). Google's just going to do what they always do, stick services out there and see what makes money.
Re: (Score:2)
Google is offering a service, Google Apps for Education, that schools want. They are offering another service, SSL search, that schools want to block. It seems to me that it is distinctly the school's problem to figure out how to do that. (Which, since they are paying you to provide filtering, makes it your problem). Google's just going to do what they always do, stick services out there and see what makes money.
The problem, as I understand it, is that it is impossible for a filtering proxy server (without doing MITM hacks) to tell the difference between the services. All the proxy sees is an https request to www.google.com, with the content of that request fully encrypted. What the filter providers would like to see is for Google to segregate the two services, so that they can allow SSL access to (e.g.) apps.google.com without allowing access to search.google.com.
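Added example, not part of any comment in this thread: a Python sketch of what a filtering proxy that does not decrypt TLS can read from each kind of request, which is the limitation the comment above describes. The sample requests are constructed, the function names are hypothetical, and apps.google.com and search.google.com are the comment's own illustrative hostnames.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests, as a forward proxy would receive them.
PLAIN_SEARCH = (b"GET http://www.google.com/search?q=blocked+term HTTP/1.1\r\n"
                b"Host: www.google.com\r\n\r\n")
# Inside these two tunnels one user searches and the other opens a document;
# the bytes the proxy can read are identical.
TLS_SEARCH = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
TLS_APPS = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
# Hypothetical segregated hostnames, as the comment above suggests.
TLS_SEARCH_SPLIT = b"CONNECT search.google.com:443 HTTP/1.1\r\n\r\n"
TLS_APPS_SPLIT = b"CONNECT apps.google.com:443 HTTP/1.1\r\n\r\n"


def visible_fields(raw: bytes) -> dict:
    """Return only what a proxy that does not decrypt TLS can read."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        # Path, query and body travel inside the encrypted tunnel.
        return {"tls": True, "host": host.lower(), "port": int(port),
                "path": None, "query": None}
    url = urlsplit(target)
    return {"tls": False, "host": (url.hostname or "").lower(),
            "port": url.port or 80, "path": url.path,
            "query": parse_qs(url.query)}


def decide(raw: bytes, blocked_terms: set, allowed_tls_hosts: set) -> str:
    """Filter plaintext requests by search term, tunnels by hostname only."""
    seen = visible_fields(raw)
    if seen["tls"]:
        return "allow" if seen["host"] in allowed_tls_hosts else "block"
    words = {w.lower() for q in seen["query"].get("q", []) for w in q.split()}
    return "block" if words & blocked_terms else "allow"


if __name__ == "__main__":
    terms = {"blocked"}
    for name, req, hosts in [
        ("plain search", PLAIN_SEARCH, set()),
        ("tls search, google allowed", TLS_SEARCH, {"www.google.com"}),
        ("tls apps, google allowed", TLS_APPS, {"www.google.com"}),
        ("tls apps, google blocked", TLS_APPS, set()),
        ("split search", TLS_SEARCH_SPLIT, {"apps.google.com"}),
        ("split apps", TLS_APPS_SPLIT, {"apps.google.com"}),
    ]:
        print(f"{name:28} -> {decide(req, terms, hosts)}")
```

With one shared hostname the only available policies are "allow both" or "block both"; the per-service decision becomes possible only in the last two rows, where the hostnames differ.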
Re: (Score:3, Interesting)
2) You are a school that uses an SSL filtering system to limit what students can and can't get to.
You don't mean "SSL filtering system" - you mean "web filtering system". The point of this article is that, up until the SSL search was introduced, filtering systems worked just fine since the search requests were in the clear and therefore filterable with a suitable proxy server (no SSL involved). Since the introduction of the SSL search, there is a requirement to block SSL access to Google in order to maintain the existing (non-SSL) filtering functionality.
Google releases a service that for the VAST majority of its customers increases privacy and security
It does? I imagine the VAST majority of Google
Re: (Score:2)
I see a number of philosophical issues here, not the least of which is your default assumption that school Internet *must* be filtered. Despite your comment to the contrary I taught elementary school, and I've managed labs for colleges. I don't see the practical issue with simple monitoring to solve most of the filtering issues. When you are teaching (i.e. standing in front of the class lecturing) no one should be messing with the computers. When the students are working independently, you should be mov
Re: (Score:2)
I see a number of philosophical issues here, not the least of which is your default assumption that school Internet *must* be filtered.
This isn't my assumption, it is my experience that the vast majority of schools want filtering. Here, in the private sector this is left up to the school and for state schools it is generally handled centrally by the LEA.
When you are teaching (i.e. standing in front of the class lecturing) no one should be messing with the computers.
That very much depends on the type of subject you are lecturing. For something like maths then you're probably right. For an IT class then you're dead wrong.
Expecting perfect protection of not just the bodies, but the mind and souls of schoolchildren is unreasonable.
Who said anything about perfect? No one (should) expect perfect protection, but there is reason to expect a school to do everythin
Re: (Score:2)
Re: (Score:2)
Maybe the schools shouldn't have become reliant on google and hosted their own services or should just migrate to a new service.
I'm not expressing any opinion on what the schools should have done with regards to Google services. I'm simply saying that it reflects badly on Google and thus reduces the value of their services to everyone.
Businesses do it all the time when a service stops meeting their needs, they call it upgrading.
There is a _big_ difference between choosing to upgrade because a service doesn't quite do what you want anymore, and being forced to take some action *immediately* because the service provider has done something, without notice, that *prevents* you from using the service you have become reliant on.
Wo