SSL Inspection

**URGENT ACTION REQUIRED**

Protecting staff and students from inappropriate or illegal material is a priority of HICS, and the service is continually evolving to ensure it meets the ever-changing needs of schools. To maintain our high standard of filtering and safeguard your pupils and students, a significant change is going to be made in the next few weeks to the way data is retrieved across the HICS network.

This will require action by your network support staff or third party support organisation.

Background

Over recent months, changes have been made by Yahoo in the way it retrieves search results. It now diverts users to its HTTPS site rather than the HTTP site that it previously used. This change compromised eSafety, because it disabled some of the safety features available on HICS. With this in mind, the decision was made by the ICT in Schools Partnership Working Group (head teacher and governor representatives) to restrict access to this website, and it was subsequently put on our WF1 filtering level.

We believe that on June 24th Google will also be diverting internet sessions through HICS to its HTTPS site. Rather than restrict access to Google, and to combat this growing trend, the decision has been made by the ICT in Schools Partnership Working Group to deploy Man in the Middle technology. This technology has already been successfully adopted by a number of other LAs.

What is Man in the Middle?

It has the capability to decrypt the HTTPS session so that the necessary HICS safety features can be applied. Man in the Middle technology can decrypt all HTTPS traffic. With this in mind, HICS will have a ‘white list’ detailing which websites to decrypt, so that data is only decrypted where necessary. For example, even though this technology has the capability to decrypt online banking websites, we will leave banking websites off the list of websites that we decrypt.

Why do we need Man in the Middle?

HTTPS adds additional security for individuals by encrypting transmitted data, making it more difficult for snoopers to see personal confidential information. However, this means the existing HICS filtering cannot check for inappropriate material, which raises the risk that students and pupils could access inappropriate materials. Man in the Middle technology will decrypt traffic from sites on the white list (see above), enabling the usual HICS e-Safety checks to continue safeguarding your pupils and students.

Actions required by you and your school

Your technical support will need to download and deploy an SSL certificate to all end user devices. For “managed devices”, this should be possible from a central management point (such as a server).

Important Note for your technical support provider:

If you have computers, tablets, iPads, etc. that are not managed centrally, they will take longer, as the SSL certificate will need to be installed manually on each device.

Generally, staff laptops are managed by the school’s file server, but updates such as the SSL certificate, AV, etc. can only happen when the laptop is brought into school and logged into the network. Please ensure all staff do this as soon as possible after the certificate has been downloaded to the file server.

To facilitate the change, instructions have been uploaded here: http://ssl-filtering.updata.net.

  • Contact the SITSS Connectivity Service Desk, via email, once the certificates have been correctly installed throughout the school.

The SITSS Connectivity Service Desk will arrange for the installation to be completed and will inform you and your IT support team when this has happened.

Please be aware that we will be inspecting HTTPS traffic for the following websites:

Yahoo, YouTube and Google.
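As an added check that is not part of this notice or of Updata's instructions, the script below lets technical support confirm from a deployed device that the listed sites are being inspected with a trusted inspection certificate, and that sites left off the white list (such as banking) still reach the real site with its own public certificate. It assumes Python 3.7 or later and a placeholder issuer name for the inspection CA, which the notice does not give; replace it with the name on the certificate you downloaded.

```python
import socket
import ssl

# Assumed issuer common name of the inspection CA your LA distributed; the
# notice does not give it, so replace this placeholder with the real value.
INSPECTION_CA_CN = "EXAMPLE-INSPECTION-CA"

# Constructed samples of what ssl.SSLSocket.getpeercert() returns (only the
# fields used here): a leaf minted by the inspection appliance, and a site
# left off the decrypt list whose own public-CA chain was served.
SAMPLE_INSPECTED = {"subject": ((("commonName", "www.google.com"),),),
                    "issuer": ((("commonName", INSPECTION_CA_CN),),)}
SAMPLE_DIRECT = {"subject": ((("commonName", "online.example-bank.test"),),),
                 "issuer": ((("countryName", "GB"),), (("commonName", "Public CA"),))}

def classify_issuer(cert, inspection_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf was issued by the inspection CA, else 'direct'."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return "inspected" if issuer.get("commonName") == inspection_cn else "direct"

def check_host(host, port=443, timeout=5):
    """Connect with normal certificate verification and report one of:
    inspected   - inspection CA signed the cert and is trusted on this device
    direct      - the site's own public CA chain was served (not decrypted)
    untrusted   - verification failed; the inspection CA is probably missing
    unreachable - no TLS connection could be made at all
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_issuer(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except OSError:
        return "unreachable"

def mismatches(expected, observed):
    """Hosts whose observed status differs from what the decrypt list implies."""
    return {h: (exp, observed.get(h, "unchecked"))
            for h, exp in expected.items() if observed.get(h) != exp}

def audit(expected):
    """expected maps host -> 'inspected' or 'direct'; returns the mismatches."""
    return mismatches(expected, {h: check_host(h) for h in expected})
```

Run `audit({"www.google.com": "inspected", "www.youtube.com": "inspected", "uk.yahoo.com": "inspected", "www.example.com": "direct"})` on a device after the certificate has been deployed; an empty result means every host behaved as the white list implies, while "untrusted" against a listed site means the certificate has not reached that device.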

It’s probably also worth pointing out that, at a technical level, SSL has been superseded by TLS – but the technical details are extremely similar. Rightly or wrongly, SSL is the common term used by most people, so Updata and I will be referring to that acronym.

A Q&A on SSL inspection can be found here: http://hics.lea.herts.sch.uk/ssl-inspection-qa/

Thanks,

Kevin Crawley
