
Schools, Filtering Companies Blocking Google SSL

kdawson posted more than 4 years ago | from the right-to-look-over-your-shoulder dept.

Google 308

An anonymous reader in the UK writes "Over the past several weeks we've discussed the rolling out of Google SSL search. Now an obstacle to the rollout has arisen, much to the frustration of school students and teachers alike. Content filter vendors have decided to block all Google SSL traffic — which also blocks access to Google Apps for Education. Google is working to appease these vendors. The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)? IANAL but blocking SSL search seems at odds with the UK Data Protection Act, because some local governments here may be using the very same filtering service for their employees. It would also seem to go against the spirit of FIPS in the US (though I appreciate that federal standards are separate from schools in the States)."


Old news (4, Insightful)

slimjim8094 (941042) | more than 4 years ago | (#32648558)

SSL has always been tricky for those filtering appliances. If you deny it, you prevent things like legitimate credit card orders for, say, classroom supplies - or checking a bank account balance regarding a paycheck. If you allow it, kids/employees will just use one of the dozens of SSL proxy sites.

And the nature of SSL is it's pretty much all-or-none.

Re:Old news (4, Informative)

Zan Lynx (87672) | more than 4 years ago | (#32648584)

There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

There may also be legal issues with it, but I don't know about those.

It's super simple for a company or school to set up, because they control the master certificate stores on the machines. Just add the proxy's cert as a master cert and it can merrily sign duplicate SSL certs for every website without triggering any alerts.

Re:Old news (1)

The MAZZTer (911996) | more than 4 years ago | (#32648616)

But will it happily re-sign false certs given to it by phishing and malware sites?

Re:Old news (3, Informative)

Anubis350 (772791) | more than 4 years ago | (#32648656)

*used* to be simple. Now, with wireless prevalent, and employees' own devices on the network... I'm spending the summer working at a DOE lab, and the wireless network allows Google SSL (at least Gmail and Gcal) traffic. Everything *does* go through a proxy, but without control of my laptop they wouldn't be able to sign duplicate certs and pass them along like they theoretically would with my lab-provided workstation.

Re:Old news (0)

Anonymous Coward | more than 4 years ago | (#32648700)

> but without control of my laptop they wouldn't be able to sign duplicate certs and pass them along like they theoretically would with my lab-provided workstation

They don't need control of your laptop to mess with the certs; they would need control to sneakily try to add themselves to your trusted CA list so that you don't know you're being violated. But, as long as they aren't trying to hide what they're doing, they just say do x,y,z to make the SSL error messages go away.

Re:Old news (0)

TooMuchToDo (882796) | more than 4 years ago | (#32648720)

> I'm spending the summer working at a DOE lab

FNAL?

Re:Old news (4, Insightful)

jallen02 (124384) | more than 4 years ago | (#32648804)

Good thing for you most large governments have the root CAs in their pocket and can easily Man in The Middle most SSL transparently, unless the user is superbly vigilant.

Re:Old news (3, Interesting)

Eil (82413) | more than 4 years ago | (#32649048)

My kingdom for mod points. This is exactly true and is the single biggest vulnerability of SSL.

Every web browser trusts hundreds of root certificates. Most of them are entities that I've never heard of or wouldn't necessarily *want* to trust anyway. (HongKong Post, anyone?) Any of these CAs can effortlessly forge an SSL certificate for any site on the web. I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

Re:Old news (3, Interesting)

0123456 (636235) | more than 4 years ago | (#32649122)

> I would find it extremely hard to believe that not a single one of them is secretly cooperating with government agencies, law enforcement, or anyone with a large enough check book.

To prove that you just need to provide a single example of a fake certificate used by a government. Which no-one has so far; the only examples I know of were stupid CAs who'd sign any old crap rather than crooked CAs.

The simple fix, as others have pointed out before, is that any web browser should warn the user if the site certificate changes. Then you're at least safe at any site you've visited before.

Re:Old news (4, Insightful)

grcumb (781340) | more than 4 years ago | (#32648776)

> There are techniques for doing man-in-the-middle attacks against the SSL session which allow for inspection of SSL traffic. It's a premium feature though and I imagine schools don't want to pay for too much extra.

Well, here's a slightly less costly alternative, then:

Stand where you can see the student's screens.

*sigh* When did morals and ethical behaviour become a technological problem?

Re:Old news (1)

pthreadunixman (1370403) | more than 4 years ago | (#32648874)

There are no MITM attacks on TLS that don't involve PKI forging. The only way forging is going to work is if you have control over the users' machines.

Re:Old news (1)

jallen02 (124384) | more than 4 years ago | (#32648788)

Except, that is not true. There are commercial proxies that make it very easy to own users that are using SSL. It just costs money. All the IT administrators have to do is install the proxy's certificate authority cert in the list of trusted certificates and transparent man in the middle can be done with ease and the user will never be the wiser. The tools to do this can be developed by anyone with a little knowledge of SSL and some time, as well. This is a major fallacy. It is only difficult for organizations that are lazy and/or can't afford the proper tools to do it. So it is easier to fight it administratively than pony up for the commercial tools to do it.

Re:Old news (1)

pthreadunixman (1370403) | more than 4 years ago | (#32649012)

If you already have this level of control over the end users' machines, the point is moot, no? You can already monitor their activities and leave such BS with the desktop support people and not kluge up your network architecture with multiple layers of surveillance equipment.

Re:Old news (1)

ewertz (1191025) | more than 4 years ago | (#32648910)

> And the nature of SSL is it's pretty much all-or-none.
Totally false.
If you own the machine, you own the machine.
Or, translated into dude-ish, "... you pwn the machine."

Re:Old news (5, Interesting)

Eil (82413) | more than 4 years ago | (#32648980)

> And the nature of SSL is it's pretty much all-or-none.

The company that I work for has a proxy that filters and caches HTTP, FTP, and HTTPS. The proxy basically does something of a man-in-the-middle attack. When you request an HTTPS website, the proxy establishes a secure connection with the remote site, fetches the data, decrypts it, re-encrypts it with the company's SSL certificate (which is installed by default on all workstations), and sends it to the user's browser.

The most annoying thing is that when this happens, the user has no idea that their traffic is being intercepted, cached, and possibly modified unless they happen to check the certificate and see that the organization is the name of the company they work for rather than, say, Google. But of course even that is easy to spoof when the company has its certificate authority preinstalled on all of the desktops.

Expect this to become more common. Regular users can't spot it because they have been trained to look for the padlock icon and the "https" to determine whether or not a site is "secure." It won't be long until every company does this as automatically as they install firewalls or spam-filtering products. Schools and libraries will have to use it so that they can block inappropriate content coming in via HTTPS. I fully expect that some major national ISPs are already looking into what it would take to force this upon their customer base at some point. I'm afraid hijacking DNS was only the first step, folks.
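Added example, not part of any comment in this thread: the "warn if the site certificate changes" idea raised earlier and the issuer check described in the comment above, combined into a small trust-on-first-use watcher in Python. The class and function names, host name and sample certificates are constructed for illustration; the byte strings stand in for DER-encoded certificates.

```python
"""Trust-on-first-use certificate watcher (illustrative, standard library only)."""
import hashlib
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate."""
    return hashlib.sha256(der).hexdigest()


def issuer_org(peercert: dict) -> str:
    """Return the issuer's organizationName, or "" if absent.

    `peercert` has the shape returned by ssl.SSLSocket.getpeercert():
    "issuer" is a tuple of RDNs, each RDN a tuple of (name, value) pairs.
    """
    for rdn in peercert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return ""


def fetch(host: str, port: int = 443, timeout: float = 5.0):
    """Return (der, peercert) for a live server. Needs network access.

    Normal chain validation still runs here. If an intercepting proxy's CA is
    in the trust store the context uses, validation passes, which is why the
    pin comparison below is the part that notices the swap.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


class PinStore:
    """Remembers the first certificate seen per host and reports changes."""

    def __init__(self):
        self.pins = {}

    def observe(self, host: str, der: bytes, peercert: dict) -> str:
        seen = {"sha256": fingerprint(der), "issuer": issuer_org(peercert)}
        known = self.pins.get(host)
        if known is None:
            # First contact: nothing to compare against, so this visit is
            # only as trustworthy as the network it was made on.
            self.pins[host] = seen
            return "first-seen"
        if known["sha256"] == seen["sha256"]:
            return "match"
        # The pin is deliberately NOT updated on a change; call accept()
        # after checking the new certificate out of band.
        if known["issuer"] != seen["issuer"]:
            return "changed-issuer"       # e.g. public CA replaced by a local one
        return "changed-same-issuer"      # consistent with routine renewal

    def accept(self, host: str, der: bytes, peercert: dict) -> None:
        """Re-pin a host after the change has been verified."""
        self.pins[host] = {"sha256": fingerprint(der), "issuer": issuer_org(peercert)}


def _cert(der: bytes, org: str):
    """Build a constructed (der, peercert) pair for the offline demo."""
    return der, {"issuer": ((("countryName", "XX"),), (("organizationName", org),))}


def demo():
    """Run the watcher over constructed samples and return the verdicts."""
    original = _cert(b"constructed-leaf-1", "Example Public CA")
    renewed = _cert(b"constructed-leaf-2", "Example Public CA")
    reissued = _cert(b"constructed-leaf-3", "Example School District")
    store = PinStore()
    host = "search.example"
    return [store.observe(host, *c) for c in (original, original, renewed, reissued)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A "changed-same-issuer" verdict is what an ordinary renewal looks like, so only "changed-issuer" is a strong hint that a different authority is now minting the certificate for that host.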

Re:Old news (0)

Anonymous Coward | more than 4 years ago | (#32649002)

isn't it possible to filter by a combination of website and port though?

what you're suggesting is filtering all of port 443

In the U.S. It's your employer/school's. (3, Insightful)

Anonymous Freak (16973) | more than 4 years ago | (#32648564)

> The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data, or does an individual have a right to encrypted Internet facilities?

Uh... Yes, a company perfectly has that right. No, if you are using an employer/school-provided connection, you have no rights outside the conditions of access you agreed to when you accepted employment/enrollment. (As it relates to internet access, anyway.)

If you want "Free with a capital F" access, you need to get it yourself, not assume that someone else is going to provide it for you.

Re:In the U.S. It's your employer/school's. (1)

martin-boundary (547041) | more than 4 years ago | (#32648630)

What if you write a private letter to your aunt during school hours? Does the school have a right to read it before you post it?

Re:In the U.S. It's your employer/school's. (1)

popeye44 (929152) | more than 4 years ago | (#32648672)

You know I hate to be the guy in a dark van outside the school.. but I'm thinking maybe I could sell wi-fi connections from it.. haha.

Re:In the U.S. It's your employer/school's. (1)

Ethanol-fueled (1125189) | more than 4 years ago | (#32648724)

But will you sell ice cream too?

Re:In the U.S. It's your employer/school's. (2, Insightful)

rotide (1015173) | more than 4 years ago | (#32648674)

If you write it on a Business/School computer with a policy in place where you have no expected right to privacy, yes. If you don't like that, don't sign the AUP, etc, and subsequently don't get hired there.

Re:In the U.S. It's your employer/school's. (4, Informative)

dward90 (1813520) | more than 4 years ago | (#32648686)

If you signed an agreement saying that you give them that right, then yes. Schools that I attended required you to sign a form consenting to use the computing facilities in the manner specified by the school, including giving them the right to know what you produce. You don't have to sign the agreement, but if you don't, you can't use the computers.

Re:In the U.S. It's your employer/school's. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32648810)

More legal crap from people who would give up anything to make their life 'easier'

When I attended my university, they had a form like that too. They had never disclosed its existence prior to my admission to the CS program. They agreed to teach me in exchange for my money, and suddenly added conditions afterwards. Net result: I guarantee you I broke those rules and gave the admins as much anonymous hell as possible.

This included taking a screenshot of a hidden network share with serial numbers installed in one lab that got forwarded to the BSA. Unfortunately I was in class when the machines were carried out.

Re:In the U.S. It's your employer/school's. (3, Interesting)

Anonymous Freak (16973) | more than 4 years ago | (#32648844)

And that doesn't mean you were allowed to do it, though.

If you don't like it, DON'T AGREE TO IT! Don't be all stupid anonymous (yes, the irony is thick,) about it. Flat out refuse to sign it. Tell them that they changed the contract on you, and you demand a refund, or you demand that they not enforce the agreement on you. It's that simple.

People who cry "FREEDOM!" from anonymous forums, while using the mantle of freedom as an excuse to do illegal things are just whiny spoiled brats. If you actually want to make a real statement, make it. Don't agree to stuff you dislike, then anonymously break it. That's just stupidity and arrogance. (And, yes, I know of which I speak; I have been fired from a job for making public information that WAS public, but which the company declared after the fact should not have been; combined with PUBLICLY standing up to the leadership of the company for their inanity and impropriety.)

Re:In the U.S. It's your employer/school's. (2, Insightful)

rtaylor (70602) | more than 4 years ago | (#32648688)

In the US, there is a good chance they do have the right to look at anything you take out of the building.

Re:In the U.S. It's your employer/school's. (0)

Anonymous Coward | more than 4 years ago | (#32648694)

> What if you write a private letter to your aunt during school hours? Does the school have a right to read it before you post it?

Yes, If that's what you agreed to in the contract/school handbook. If you don't want that, don't use their Internet connection.

Don't write it during school hours (1)

Sycraft-fu (314770) | more than 4 years ago | (#32648730)

I hate to break it to you, but you are not at school for fun, you are there to get your learn on. Students should very well be monitored at school to make sure they are doing what they are assigned. Computer monitoring shouldn't just be filtering (that is mostly liability issues) but the teacher walking around seeing what is going on. Computers at school are there for educational purposes, not for you to dick around on.

Now once you go home, well then the school is welcome to fuck off. It's your own time, you do as you please. But at school you are on their time.

This happens with companies too. Friend of mine works at General Dynamics doing work on the military's future communication system. Good deal of it is classified, unsurprisingly. This imposes several restrictions on him. He can't have a phone with a camera at work, he either has to have a no camera phone or leave his phone with security. Also they are fine with him accessing the outside world, he can IM and so on they don't expect him to work every second, but it all has to be unencrypted. So telnet is actually permitted but SSH is not. Reason is all around monitoring for classified data. They want to make sure it isn't being leaked.

When you are on school time, you do what the school assigns you to do. That means listening to your teacher and doing lessons, not writing private letters. Wait till you are home, then write the letter.

Re:Don't write it during school hours (3, Insightful)

Archades54 (925582) | more than 4 years ago | (#32648898)

Sadly people misunderstand how extremely important it is to have fun at school, to exercise creativity and gain inspiration. To be happy, have fun and work on positive socializing AS well as learning. Not all the learning done at schools is purely academics as it's the prime area we learn how to socialize, to get along with people etc.

Re:Don't write it during school hours (1)

Logger (9214) | more than 4 years ago | (#32649066)

Texting and cell phones are a big enough distraction as is. Kids are expert time wasters, and the internet is largely a gigantic waste of time. (Like for me right now:) There are plenty of ways for kids to have fun and socialize while at school without also having unlimited internet. When I was in school I actually, god forbid, talked, with my mouth! That said, it is a technically pointless limitation. With internet access on smartphones, it doesn't matter what the school blocks.

I personally would build a Faraday cage into a school if I built it. Exclude the gym, cafeteria, and possibly a few other spots. There's always the land line in an emergency. Today's kids are connected 24/7, they need to learn sometime how to live off-line.

Re:In the U.S. It's your employer/school's. (1)

Anonymous Freak (16973) | more than 4 years ago | (#32648802)

If you post it at a school mailroom that very obviously says it is a school post office, not a Mailboxes Etc, Kinkos, or USPS; especially when the contract you signed when you signed up to be a student says so right in there that if you mail from that mailroom, they may read it. That's what the internet agreements all say. If you don't like it, don't sign it, and don't use school internet.

Same with employment. If I write that patent application at my office, it belongs to my employer, period. If my employer wants to say "no sending personal mail from the office, because we may read it", then they absolutely have the right to do so. If you don't like it, don't work there. Or make a point of not agreeing to those provisions, and see if they'll still hire/keep you as an employee.

I am absolutely for free speech, Free Software, net neutrality, and personal privacy. That's why I AVOID those types of establishments when I can, and choose not to do personal things on company/school property when I can't avoid it.

Re:In the U.S. It's your employer/school's. (0)

Anonymous Coward | more than 4 years ago | (#32648900)

So it's school time, you're using the school's computers and internet connection, and your question is "does the school have a right to read it before you post it?" I'd say yes, if you want privacy write it on your own time, using your own equipment and internet connection.

If you are talking postal mail (aka snail mail), I don't see the parallel... It isn't mail until you put a stamp on it, once you do it is protected - before then it is a document subject to all the search and seizure protections your student locker is...

Re:In the U.S. It's your employer/school's. (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32648722)

Why do you roofers always come out of the woodwork?

Re:In the U.S. It's your employer/school's. (0)

Anonymous Coward | more than 4 years ago | (#32648738)

It's not as clear cut as you state, as there have been recent challenges to this notion that have yet to pass the courts, in different jurisdiction. While email sent through your employer provided email account is not private, email sent via your own webmail account is somewhat protected. For example, here is a link to a recent court ruling:

http://www.cio.com/article/589647/Ruling_Suggests_Limits_on_Employer_s_Access_to_Personal_E_Mail [cio.com]

Re:In the U.S. It's your employer/school's. (2, Insightful)

Ixokai (443555) | more than 4 years ago | (#32648742)

I'm of somewhat mixed opinions on this subject.

It's really a very different question if you're talking about a company, a school (for minors? or adults? public? private?), or the government.

For a company-- absolutely they have the right. They own the connection and the computer. They have every right to set any policy they see fit in this regard. Your rights are to choose to accept the terms of your employment (which include, 'follow policy'), or not.

For a school of minors-- this is irritating to me, as I feel we treat our youth far too much like idiots and do not encourage their actual questioning and independent growth, BUT-- a school acts in loco parentis. They have a responsibility to monitor the children in their care. We take that to stupid lengths, but that's another topic.

A private school for adults-- absolutely they have the right. Largely the same argument as company above, save you probably own your own computer, and are just using their network by whatever terms you've agreed to.

A publicly funded school for adults-- this is where I start questioning. The university may in a way 'own' the network, and the machine, but the public ultimately does. Just like in a library, an adult should be able to do anything not-illegal that they want.

The government-- in its capacity as a government, absolutely not without court order. In its capacity as employer (especially employer of someone who may have access to sensitive data), absolutely.

Re:In the U.S. It's your employer/school's. (1)

poetmatt (793785) | more than 4 years ago | (#32648786)

uh, no, you are incorrect. They have you sign something giving them that right.

They don't just "have it", it's more like "You're giving it away". That's what all of those "you have no right to privacy" things are about. You do have a right to privacy, they're saying that you're giving it away. That's a significant difference.

Meanwhile, blocking SSL/HTTPS? It's not going to help anything, it's just going to cause the people who know how to use it to look for other solutions.

Re:In the U.S. It's your employer/school's. (0)

Anonymous Coward | more than 4 years ago | (#32648988)

I know you're some asshat, but people have freedoms and rights regardless if you are a slave or not...err I mean if you're at work or not. Or if you're black.

Re:In the U.S. It's your employer/school's. (0)

Anonymous Coward | more than 4 years ago | (#32649008)

> Uh... Yes, a company perfectly has that right [to censor and spy]. No, if you are using an employer/school-provided connection, you have no rights outside the conditions of access you agreed to when you accepted employment/enrollment. (As it relates to internet access, anyway.)

Do you mean legal rights or moral rights? Clearly, people don't have a choice in whether they want to work or not, it's pretty much mandatory for survival, so there needs to be rights (hopefully) legislated, that prevents a company from treating an employee like a non-sentient being. Schooling unfortunately is also a legal requirement in most countries for people under the Age of Majority, so these people too need to be protected from over-bearing authority like government and administrative bureaucracy.

It's sad when people think that implementing security is a bad thing, just for the sake of maintaining an oppressive environment (that deems censorship and invasion of privacy as good) with (de facto) unaccountable administrators. (By de facto unaccountable administrators I mean people like the Authorities, network and otherwise, who can snoop and censor with little or no oversight from students and employees, like with the Lower Merion School District [eweek.com] . Of course you should remember, that LMSD, in their stupidity and arrogance, largely admitted to spying, otherwise they wouldn't have been caught).

Re:In the U.S. It's your employer/school's. (1)

b4upoo (166390) | more than 4 years ago | (#32649032)

Many students are compelled by law to attend school due to their age. Being that it is a compulsory environment I feel that the students do have the right to encrypt their communications.

As for employers, I do not feel that they have the right to any expectations at all other than a workmanlike approach to the work agreed to when employed. All the other nonsense that employers try to enforce is a violation of workers' liberties. For example banks have been known to fire employees for being seen at a race track or casino under the excuse that if spotted in such a place it might make investors nervous.

Snooping? (3, Insightful)

Ethanol-fueled (1125189) | more than 4 years ago | (#32648566)

> The questions at the heart of this situation are: Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data

It's not about snooping as much as it is about being able to bypass the filtering function. The fact that a student could use the secure search to access www.porn.com [porn.com] [NSFW!] does not mean that the sysadmin is watching their every move online.

Exactly. (4, Interesting)

Anonymous Coward | more than 4 years ago | (#32648680)

As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.

This whole article is just the rantings of an idiot who thinks they know more than they do.

Re:Exactly. (0)

FictionPimp (712802) | more than 4 years ago | (#32648828)

Because as a sysadmin for a school you don't know how to use transparent proxies? This is trivial stuff..

Re:Exactly. (2, Informative)

Anonymous Coward | more than 4 years ago | (#32648926)

> a sysadmin for a school you don't know how to use transparent proxies?

Why would you say that? We use transparent proxies all the time. We're talking about SSL here, which means that you can't do transparent proxying.

> This is trivial stuff..

MITM attacks against SSL encrypted connections are trivial? In which universe?

We could probably install ourselves as a CA on machines we own, but besides the dubious legality of that, how do you suggest doing it against student-owned devices?

Not that I think you have no idea what you're talking about, but if there is some magical technology which can crack HTTPS traffic in realtime, I'm very interested in finding out what it is.

Re:Exactly. (1)

FictionPimp (712802) | more than 4 years ago | (#32649096)

It's not dubiously legal. So install your certs, use a proxy and don't allow student owned devices. Besides, how do you stop students "bypassing" your firewall with their brand new sprint evo's?

We worry about filtering and securing our own equipment, not our students. They own it, they can always stick stuff on there to get around us.

Might want to rethink that (1)

maillemaker (924053) | more than 4 years ago | (#32649222)

Check back further up in this thread. At least two people have described how to hijack incoming SSL connections. I don't understand the details, but they are setting up a transparent proxy that intercepts the SSL connection and substitutes their own certificate to the user's browser.

Purpose of banning the content? (1)

presidenteloco (659168) | more than 4 years ago | (#32648836)

Students these days could be surfing wherever they feel like using their smartphones.

I wonder what the purpose, effectiveness, relevance of these filtering policies is, particularly given the above consideration.

The purpose can't really be to protect the students from the content anymore. That's no longer practical given web-surfing phones & personal netbooks that use the cell network.

So what is the purpose? Just to protect the schools from legal liability and lambasting by the prude faction?

Re:Exactly. (2, Insightful)

xero314 (722674) | more than 4 years ago | (#32649300)

> As a sysadmin for a school district, I don't give a flying fsck about "someone's data". My job is to implement our filtering policy. As we can't tell if SSL-encrypted search pages contain banned content, we block them.

If you don't care about someone's data then why are you filtering it? I mean seriously if you didn't care then you would be blocking it. And you could blocking it you weren't scanning the content (even if you are only looking at the content of the URL, you are still looking at "someone's data"). Never mind the fact that in most cases you are only annoying the legit users, because the ones that want to misuse your network, can and will find a way around the blocks.

In a school, yes. (1, Troll)

Super Jamie (779597) | more than 4 years ago | (#32648570)

A school has a duty of care to students, part of this is monitoring their internet communication to ensure nothing is happening which could potentially be of harm to the student. Perhaps this is overkill for college students but it's definitely required for younger children.

Re:In a school, yes. (1)

Ethanol-fueled (1125189) | more than 4 years ago | (#32648608)

Troll, but I'll bite:

Many of those kids will go home and browse porn there instead. Though I doubt porn "causes harm" to young bucks, it serves to reinforce the message of when it is not appropriate to view porn.

Apparently the National Science Foundation [scientificamerican.com] never got the memo, or even the gene for common sense.

Re:In a school, yes. (2, Insightful)

BarryJacobsen (526926) | more than 4 years ago | (#32648718)

That's very much not a troll. The goal isn't to prevent kids from browsing porn anywhere, the goal is to prevent them from doing so using an internet connection provided by government funds. A school gets additional government funding for technology, but only if it's taking measures to prevent kids from accessing inappropriate material while at school (a filter that meets certain requirements is one of those conditions). Similarly there wouldn't be much public outcry if a random 18-year-old student used a prostitute in Nevada (in one of the counties where it's legal); however if the school district bought him a prostitute there would rightly be some outrage.

Re:In a school, yes. (1)

value_added (719364) | more than 4 years ago | (#32649146)

> The goal isn't to prevent kids from browsing porn anywhere, the goal is to prevent them from doing so using an internet connection provided by government funds.

Your characterisation is apt, but it's not entirely accurate as using such an internet connection, the school still has both an ethical and legal obligation to prevent the kids from browsing porn.

There's plenty of recent enough cases for a casual Google search to turn up incidents where school districts, school administrators, teachers and even school employees are involved in legal proceedings brought by, for example, an overzealous parent, or are otherwise forced to defend themselves (using official school policy) against criminal charges.

So yeah, porn is definitely part of it, irrespective of what the overarching principles may be.

Freedom of the press belongs to the owner... (4, Insightful)

LostCluster (625375) | more than 4 years ago | (#32648580)

It's their computers and their networks, so they can do whatever they want. Still, if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services. Teachers like to call that "natural consequences"...

Re:Freedom of the press belongs to the owner... (4, Insightful)

TheLink (130905) | more than 4 years ago | (#32648716)

> It's their computers and their networks, so they can do whatever they want

Funny how that's not true when it comes to landlords and tenants. In some countries it's even not true when it comes to landlords and squatters. Even squatters have rights.

I suspect there was some history in getting those protections.

The landlords in the "IT world" want their stuff to be legally treated like property but not too much like property ;).

Re:Freedom of the press belongs to the owner... (2, Interesting)

rotide (1015173) | more than 4 years ago | (#32648756)

I'm going to bet that has everything to do with your home being a constitutionally protected zone. Work computers and school computers aren't protected the same way.

Re:Freedom of the press belongs to the owner... (1)

Dhalka226 (559740) | more than 4 years ago | (#32649320)

I'm going to bet it has everything to do with the fact that people can die as a result of being homeless while nobody has ever died from not being able to perform encrypted Internet searches.

Further, homeless people are bad for society as a whole. They're bad for property values, bad from cleanliness and thus health issues, bad from safety issues (when you're starving to death or dying of cold, robbing that guy for food money or a nice coat is suddenly not a big deal) -- just bad. Not to mention how bad it is for the person who is actually homeless.

When the consequence of having to give people 30 or 60 or 90 days to try to find a new place to live is to deprive a landlord of a couple months rent, it's paltry compared to the effects of the consequences of performing the eviction. Ultimately it will still happen, but yeah; they certainly try to at least eliminate the "homeless" step between eviction and new place to live.

Re:Freedom of the press belongs to the owner... (1)

zrq (794138) | more than 4 years ago | (#32649256)

> if you deny Google the right to encrypt on your network, Google still has the right to deny you any or all of their services

Which results in all the students at the school being taught to use Bing for internet searches ... perhaps not the best result for Google, or for the students.

Free choice. (0)

Saeed al-Sahaf (665390) | more than 4 years ago | (#32648612)

Screw the schools / filter companies. If the schools do not want free services, that's their choice.

They're doing it wrong (3, Interesting)

illumin8 (148082) | more than 4 years ago | (#32648614)

I hate to tell these schools how to turn into a police state, but if they really want to monitor Google SSL traffic, this is the right way to do it:

1. Install a trusted root certificate in all client browsers (they do control their client computers, right?)
2. Man in the middle all SSL traffic through a transparent proxy, which masquerades as Google SSL traffic and redirects from https://www.google.com/ to http://www.google.com./

Don't just block all SSL traffic. If you truly have a legitimate reason to monitor users search queries and application traffic, then you already control their client PCs (right?) and can do this in a semi-legitimate way. If not, don't bother blocking it because your users will be up in arms with pitchforks and torches.

Re:They're doing it wrong (1)

st0rmshad0w (412661) | more than 4 years ago | (#32648650)

Do you tap all the phones too?

Re:They're doing it wrong (1)

dward90 (1813520) | more than 4 years ago | (#32648706)

I reserve the right to tap all phones which I own and for which I pay all associated costs.

Re:They're doing it wrong (0)

Anonymous Coward | more than 4 years ago | (#32649014)

Not in the USA you don't. Depending on the state, one or both parties to the conversation must consent to your recording the call.

Re:They're doing it wrong (0)

Anonymous Coward | more than 4 years ago | (#32649074)

I hope you mean, "Except in those jurisdictions where it is illegal for me to do so, no matter my intent. Ownership and/or costs notwithstanding." You don't want to violate those wiretapping laws, which seem to all widely vary from state to state, commonwealth to commonwealth, province to province, territory to territory, and nation to nation. Unless you want the only wiretapping around you to be some sick prison guards getting a kick out of listening in to Bubba paying your bunk a nightly visit.

Re:They're doing it wrong (1)

BBTaeKwonDo (1540945) | more than 4 years ago | (#32648772)

I'm with you on the trusted root certificate and MITM, but why redirect from https://www.google.com/ to http://www.google.com/ ? Other than performance, why not have the transparent proxy use https to www.google.com ? Just because you can snoop on their data doesn't mean that other people should be able to.

Re:They're doing it wrong (1)

Stephenmg (265369) | more than 4 years ago | (#32648876)

Don't even have to do the root certificate. If the filter solution is set inline, it can intercept it just fine. Really, no point in blocking or filtering search results anyway; search results don't pose much of a risk, the user has to click on a link at some point that is either going to be filtered or not filtered. Personally, I just plug my EVO into my computer at work (a school).

The block will be a block for 15 minutes (5, Interesting)

Wolvenhaven (1521217) | more than 4 years ago | (#32648622)

I graduated from high school in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

Re:The block will be a block for 15 minutes (3, Interesting)

MobileTatsu-NJG (946591) | more than 4 years ago | (#32649182)

> I graduated from high school in 2008; every few months the county would roll out a new filtering system designed to block myspace/facebook/sourceforge/other questionable stuff. It would take the tech students about 15 minutes to figure out either a new workaround or modify an old one to get around the new filter. This would then filter down to the technologically illiterate kids in about a month, prompting the release of a new blocking system. Repeat process. The end use of this was we wound up running an apache server off a flash drive on one machine which everyone would ssh to locally using firefox's proxy settings and that "server" would connect to a home server which acted as the gateway. Kids will find a way around it, so I doubt it will work for long in schools.

All I could think while reading this is "wow, all those students learned a lot about how networks work!"

Re:The block will be a block for 15 minutes (1)

rivetgeek (977479) | more than 4 years ago | (#32649234)

When exactly did firefox's proxy settings SSH to anything? Your story has a few holes man.

Questions have already been answered (2, Insightful)

mysidia (191772) | more than 4 years ago | (#32648624)

> Does a company (school, government) have a right to restrict SSL traffic so it can snoop your data,

They have a right to restrict what protocols and port numbers are allowed to be used on their network, as a matter of policy.

They have a right to implement technical measures to assist in enforcing policy, even if those technical measures are so draconian that they prevent some things that are technically allowed by policy.

They have a right to do this, by virtue of it being their network.

> does an individual have a right to encrypted Internet facilities? And, is the search data you create your data, or is it your employer's (school's)?

An individual does not have a right to use encryption.

A user has a right to install encryption software that they own on their computer that they own.

A user does not necessarily have the right to transmit data over a network, that they have encrypted using software.

Especially not if that data also belongs to the school/employer (proprietary sensitive info)

In all cases; a school/employer has a right to say: either you connect using non-SSL, or you choose to refrain from connecting.

Of course from a security POV, SSL is probably better, as long as the organization controls the keys and manages ciphers used

Idiots who are clueless (0)

Anonymous Coward | more than 4 years ago | (#32648640)

Good. I hope these idiot school administrators get their systems well and thoroughly pwnd when they search the web and get infected by some drive-by malware. They deserve all the pain they get for this idiocy!

Doesn't everyone (0)

Anonymous Coward | more than 4 years ago | (#32648642)

Have the option to do SSL interception and filtering? The filter we use at my school lets us publish (through GP) an SSL cert. We can basically set up a man in the middle attack and filter that way.

Block all SSL? (1)

Urza9814 (883915) | more than 4 years ago | (#32648676)

When did these filtering services start blocking _all_ SSL? When I was in high school three years ago the filter my school used didn't. I set up a couple of my own SSL proxies. That was the best way to do it - the larger, more well-known web proxies tended to get blocked within a month of going up. Sometimes within a few days.

Re:Block all SSL? (1)

yuhong (1378501) | more than 4 years ago | (#32648748)

"Content filter vendors have decided to block all Google SSL traffic"

bi7Hch (-1)

Anonymous Coward | more than 4 years ago | (#32648692)

On the one hand... (2, Insightful)

russotto (537200) | more than 4 years ago | (#32648758)

..sure, in the US, schools have the right and perhaps the duty to block SSL searches. On the other hand, the behavior of both the censors and the censorware providers argues strongly for the idea that censors are scum of the earth.

CIPA (3, Informative)

Anonymous Coward | more than 4 years ago | (#32648770)

In the US all schools receiving E-Rate funds (federal funding for electronics and communications) are required to follow CIPA guidelines for filtering and monitoring student traffic. So, making Google Search SSL pretty much makes that impossible meaning we have to block it. I am grateful that Google is creating a workaround since we are about to migrate to Google Apps ourselves.

Not your home network? No right to complain (3, Insightful)

adosch (1397357) | more than 4 years ago | (#32648784)

I've never understood or comprehended, for that matter, why people/employees/students, etc. think they have rights on a controlled government or educational internet-enabled network. Quite honestly, if you're doing things like online purchases, bill paying, senseless surfing, looking at soft-porn, chatting, facebooking, tweeting, etc. at school or work on a fairly regular basis several times a day, and you somehow are pissed because your rights are infringed? You're delusional and should go read your network agreement policy again. If you, as an employee or student, are that security conscious of your local big brother system administrator being told to troll logs and give web reports to upper management, then use good common sense. People shouldn't be using these networks for anything other than business as usual IMHO. Anything else, is just subject to interpretation against you. This isn't new people, it's the way shit works now.

As a system administrator, I deal with these same dilemmas on a daily basis and all I have to say is: Yes, I have an easier way to get away with things like this, however, I'm still held just as accountable as Joe Typist down the cube row. Everyone knows about ethics and morals just as much as they know absolutely everything you do on a digital device these days is logged, recorded and stored somewhere. So keep your personal business... at home unless it's absolute emergency, your cable bill is past due or you flat don't give a shit.

Re:Not your home network? No right to complain (5, Informative)

pthreadunixman (1370403) | more than 4 years ago | (#32648944)

On a publicly funded school campus, second amendment rights apply. In California in particular, privacy laws apply. I work on a CSU campus as a network analyst. We are not permitted to keep any logs that can link any individual user to any particular destination ip address. We are not permitted to keep outbound firewall logs or any inbound logs that relate to outbound state initiation. We are certainly not permitted to intercept or block encrypted communications in any way that would otherwise normally be allowed. This applies equally to staff, faculty and students.

Re:Not your home network? No right to complain (1)

pthreadunixman (1370403) | more than 4 years ago | (#32649076)

Sorry, that should have been first amendment.

Re:Not your home network? No right to complain (1)

adosch (1397357) | more than 4 years ago | (#32649128)

Was that before or after you had to google that?

Re:Not your home network? No right to complain (1)

Lazy Jones (8403) | more than 4 years ago | (#32648948)

> You're delusional and should go read your network agreement policy again.

Seems to me like you're the one who is delusional. People can comply with whatever the censorship policy of the local gestapo university is and still use SSL to protect their privacy. But perhaps this will lead to some investigation regarding the use of snooped student/employee data, doesn't sound too legal to me ...

> This isn't new people, it's the way shit works now.

That's what some people would like us to swallow, but it convinces only the dumbest of us. It ain't the way shit works unless you let it happen, sheeple. :-/

Re:Not your home network? No right to complain (2, Insightful)

pthreadunixman (1370403) | more than 4 years ago | (#32648976)

I've never understood system/network administrators that get a thrill out of restricting what users can do outside of preventing operational difficulties. I could care less what users do unless they're disrupting service in some way or another. The network is not the right place to enforce human behavior.

Re:Not your home network? No right to complain (0)

Anonymous Coward | more than 4 years ago | (#32649138)

The problem is you can get your ass sued off if you don't. Children access porn at a school, you can bet you are fucked.

Re:Not your home network? No right to complain (0)

Anonymous Coward | more than 4 years ago | (#32649040)

Also, many companies or organizations need to be able to prove that no confidential information leaves the network due to regulatory compliance. If this is the case, I'd much rather know that something like my medical history or credit information isn't going to leave the company, than let the employees there encrypt their google searches or facebook access. I'm for as much anonymity on the internet as anyone here, but if you work in a place of business that needs to protect patient/customer information, I'd rather my information stay safe than you be able to bank while at work.

Re:Not your home network? No right to complain (0)

Anonymous Coward | more than 4 years ago | (#32649078)

You have a right to government provided systems because you paid for them and they are for the public good. They are there to be used by everyone without discrimination. Without good reason to the contrary, it is wrong to deny access to tax-funded resources. It is a bad idea for governments to get into the filtering game. Filtering is subjective to the values of the people doing the filtering. If it is a public good, and someone using it isn't involved in destructive or illegal behavior, it should be allowed.

We generally don't police public resources other than for safety, protection, and practical reasons. When is the last time you have heard of someone getting a ticket specifically for using roads to go to a strip club? Although there is a large minority of people who are against that behavior, it is your right since it is for public use. Not everyone has the same values so it is not possible to define a fair usage policy. Of course school rules that are intended only to keep order and promoting a learning environment are reasonable, but this is can be applied to all kinds of activity, not just computer and Internet.

No right to string you up for being disrespectful. (0)

Anonymous Coward | more than 4 years ago | (#32649098)

You forgot to add

Submit to my AUTH-OR-IT-Y!

Re:Not your home network? No right to complain (0)

Anonymous Coward | more than 4 years ago | (#32649290)

SSH over port 80 is awesome. Try blocking that without disrupting your network.

HTTPS over HTTP? (1)

blincoln (592401) | more than 4 years ago | (#32648870)

I've been wondering for awhile when someone would respond to SSL inspection by proxy servers by making a proxy server package that sits on the internet, tunneling HTTPS over innocuous-looking HTTP traffic. It would be inefficient (especially if the text/HTML looked more or less real) but I don't see why it wouldn't work.

Re:HTTPS over HTTP? (0)

Anonymous Coward | more than 4 years ago | (#32648964)

Been there, done that...

There are these nice utilities called SSH and http-tunnel:
www.http-tunnel.com

Not blocked in China (yet?) (0)

Anonymous Coward | more than 4 years ago | (#32648872)

At least so far, the Great Firewall is not blocking Google SSL.

Amazing ... (2, Insightful)

Lazy Jones (8403) | more than 4 years ago | (#32648922)

... how many people seem to think it's fine to snoop people's data and implement various kinds of censorship under the pretext of blocking porn (also, there's no porn produced or consumed in the US or UK, honest!).

Re:Amazing ... (1)

kjart (941720) | more than 4 years ago | (#32649232)

Of course it's fine if it's your network. It's amazing how people think they can do whatever they want with something that isn't theirs.

The alternative being? (4, Informative)

kenh (9056) | more than 4 years ago | (#32648932)

I work in IT for a public school district, and to get any federal subsidy (eRate) they must filter their internet connection. Not optional, and very, very few school districts can justify not filtering their internet connection AND making up the 40% subsidy they would be giving up without filtering.

SSH traffic is very, very hard to filter effectively, so many districts turn it off, simply block SSH traffic for kids period. We allow it for faculty accounts, and several times a year we have to reset a faculty user's password when the kids learn it (teacher accounts aren't blocked).

Once kids figure out they can get to facebook by using the https URL, the district really doesn't have a choice...

SSL Inspection (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32648936)

Any firewall/proxy worth a grain of salt can do SSL inspection.

nah... (2, Interesting)

Charliemopps (1157495) | more than 4 years ago | (#32648984)

Schools should just pull internet access. Yes, I know, it's a useful tool for all of us. But it provides no real help in school. You're supposed to be learning what's in the book, not what Slashdot's opinion on the subject is. Yes, have computers in the school for word processing, programming, art, etc... But they do not need internet access. In fact, if I were in charge of building a modern school I'd make sure the entire school were a Faraday cage so cellphones would be dead inside it as well.

Mandatory "Computer Access Fees" ? (2, Interesting)

jmerlin (1010641) | more than 4 years ago | (#32649026)

If schools are anything like mine, the computer science department requires a $50 "computer access fee" for each computer science course in which you enroll. This would technically constitute payment for services, so a question I have here is if such a mandatory fee is imposed on access to lab machines, do they still have the right to force no SSL traffic? If so, do ISPs have the right to block your SSL traffic to certain websites since in both cases you can technically make the case that you're paying for service. I see this as a nasty can of worms.

Pro SSL (2, Interesting)

DaMattster (977781) | more than 4 years ago | (#32649072)

I am very pro SSL and encryption in general. People have an inherent right to privacy and the argument that wanting privacy implies having something (criminal or unsavory) to hide is just bullshit. I do not like having my web surfing habits snooped or other tricky marketing gimmicks. If I want to use a Google SSL proxy, then I should be able to. If I want to use GNUPG to encrypt my email, I can and will. Even though I use the internet for legal means, I don't want Uncle Sam categorizing my activity and mining it.

Open access in schools doesn't work (5, Insightful)

Fone626 (6793) | more than 4 years ago | (#32649110)

I was the tech director of a school district for 13 years. I've run schools with very restrictive Internet filters and everything in between to schools with no restrictions at all. What I've found over the years is that the more you restrict the Internet the more the school's grade average goes up, and the nicer the students are to deal with. Our schools consisted of about 75% to 100% of the classes, depending on the school, being delivered through distance learning courses. If you give the kids open access to the Internet 90% of the kids will just chat, play games and watch non-educational videos all day every day. They get away with this by leaving a window with their school work up and when the teacher comes to check on them they bring it to front, or by making the offending browser window very very small, so that you can't tell without looking very closely that they aren't doing your work. Left unchecked, at the end of the year, 90% of the students would need to be held back a grade. A couple of side effects of kids that aren't on task is they tend to have very bad classroom behavior that disturbs the students that are trying to stay on task, and most of the time wasters the kids like to use are also HUGE bandwidth hogs, so you end up having to buy 10X the Internet connection that you actually need for the school to function, which only deprives the school of much needed funds that could better be spent on something else.

The extreme other side of the coin, and the way the school is currently running is to completely block the Internet except for a select few websites that the school needs for their distance learning courses. There are some "research" or "library" computers that the kids need special permission to use when they need to look things up for papers and such. By blocking everything, the grade average of the entire school district has shot up to record highs, and the classrooms are a lot more quiet and easier to control.
When it comes down to it, schools are a closed environment that is specially designed for education. When you introduce distractions into that environment the level of education that the kids are getting goes down significantly. It's not a matter of free speech or the school snooping in on private things, it's a matter of making sure that your kids get a certain level of education.
As for using school computers for personal activities and the school snooping in on them... you weren't supposed to use the computers for personal activities at all. Everyone, teachers and students alike, sign off on the school's computer use policy at the beginning of every year, and I don't know of a school that doesn't require one in some form. We didn't give the teachers computers so that they could maintain contact with their family while they were supposed to be working, and we didn't give the students computers so that they could keep in touch with all their friends on facebook. To argue that it is violating their rights not to be given unfettered Internet access would be like arguing that the school should provide every student with a cell phone so that they could keep in touch with their family and perhaps call people for help on research for papers... even if you could figure out a good reason to give students a cell phone, it would ultimately be a complete flop and a total distraction for an education environment.

In a traditional school, the students' time on a school provided computer would be a lot less and therefore a lot less noticeable on their overall grades, but the problems are still there.

All that being said, I am completely against any kind of censorship when it comes to my personal Internet, or anyone else's personal Internet, but when you get into a school/business environment, it's no longer YOUR Internet and the owners of the Internet connection can do with it what they like... you have to remember, they don't HAVE to give Internet access at all, and whining that they are blocking access to things that are not in keeping with the task at hand... well maybe you should think about what you are saying before you start whining. After all, you are probably 1 step away from being expelled/fired, and the block is their way of protecting you from yourself.

Sophos Proxies (1)

binaryspiral (784263) | more than 4 years ago | (#32649152)

We use Sophos web proxies that can decrypt ssl traffic using their own ssl cert we install in the browsers on our school's pc's. It automatically skips any banking sites, and doesn't cache data it only scans for threats over ssl which are becoming more common.
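One way a proxy can skip some sites and single out others before decrypting anything is to read the server name the client sends in clear in its TLS ClientHello (the SNI extension, RFC 6066). The Python below is an added example, not Sophos's or any filter vendor's code and not from this thread; the host lists, the `bypass`/`block`/`inspect` labels and the sample ClientHello bytes are constructed for illustration.

```python
import struct

SNI_EXT = 0x0000                      # server_name extension type (RFC 6066)
BYPASS_HOSTS = {"bank.example"}       # constructed: pass through, never decrypt
BLOCK_HOSTS = {"www.google.com"}      # host named in the thread; list is illustrative


def build_client_hello(hostname):
    """Build a minimal ClientHello record with an SNI (constructed sample input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry             # server_name_list
    ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                         # client version, random
            + b"\x00"                                       # empty session id
            + b"\x00\x02\x00\x2f"                           # one cipher suite
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the lower-cased SNI host from a ClientHello record, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:          # not handshake/ClientHello
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        data = record[5:5 + rec_len]
        if len(data) < rec_len:                             # truncated capture
            return None
        body = data[4:4 + int.from_bytes(data[1:4], "big")]
        pos = 2 + 32                                        # skip version + random
        pos += 1 + body[pos]                                # skip session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher suites
        pos += 1 + body[pos]                                # skip compression methods
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT:
                ext = body[pos:pos + elen]
                if len(ext) < 5 or ext[2] != 0:             # only host_name entries
                    return None
                nlen = struct.unpack("!H", ext[3:5])[0]
                name = ext[5:5 + nlen]
                if len(name) != nlen:
                    return None
                return name.decode("ascii").lower()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                         # malformed input
    return None


def _matches(host, names):
    # Exact match or any subdomain of a listed name.
    return any(host == n or host.endswith("." + n) for n in names)


def decide(record):
    """Classify a connection from its first record: bypass, block or inspect."""
    host = extract_sni(record)
    if host is None:
        return "inspect"      # assumption: unclassified traffic goes to the proxy
    if _matches(host, BYPASS_HOSTS):
        return "bypass"
    if _matches(host, BLOCK_HOSTS):
        return "block"
    return "inspect"


if __name__ == "__main__":
    for h in ("www.google.com", "online.bank.example", "slashdot.org"):
        print(h, "->", decide(build_client_hello(h)))
```

SNI is supplied by the client and is not authenticated, so a ClientHello that omits it cannot be classified this way and falls through to whatever default the operator chooses.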

it may be their network, but... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#32649210)

There's already the "it's their network, they can do what they want." This is, technically true. However, do you really want to work for a company that has nothing better to do than snoop on your use of the computer, versus I don't know, actually doing business? Or how about sending your kids to a school that worries about if your kid can hack your systems to see boobies, instead of teaching them something. Hell, if my kids can hack the computers to see boobies, well I guess they're learning computer skills, which is more than the standard curriculum.

tl;dr: Just because you *can* doesn't mean you *should*.
