Q: What is SSL inspection?
A: SSL inspection (often referred to as a man-in-the-middle) is the capability to decrypt HTTPS web sessions.
Q: That sounds scary, why would schools want this set up?
A: Over recent months, websites such as Yahoo and Google have changed the way they deliver search results: they now divert users to their HTTPS site rather than the HTTP site they previously used. This change compromised eSafety because it disabled some of the safety features available throughout HICS. SSL inspection decrypts the HTTPS session, allowing the necessary safety features to be applied.
Q: So is this going to replace the web filtering (WF1/WF2/WF3/WF4)?
A: No, it will work in parallel with it and SSL inspection will run over the existing filtering platform.
Q: What will happen if we choose not to install the CA Certificate? Do we have to?
A: We would encourage all schools to set this up… However, equally we will not force you. Google safe search will be forced on regardless, even without SSL inspection – rest assured. The functionality you’ll lose is the search keywords list: a long list of words that we restrict users from searching on. So without SSL inspection, users will be able to search on any word they want… and get a set of results… but they will be Google’s safe results.
So the big difference is:
SSL inspection deployed = All safety modes forced on for Google, Yahoo and YouTube.
SSL inspection NOT deployed = In Google, safe search will be forced on BUT search keywords functionality will no longer work. Safety modes will not be forced on for Yahoo or YouTube.
Q: Do you have a ‘safe’ HTTP search engine you can provide us?
A: It’s important to state that no search engine or filtering platform is 100% reliable. However, http://www.bing.com still has the safety features forced on. The reason for this is that it is HTTP: we do not have to decrypt the web session, and this site is fully accessible throughout the network. Bing also has an HTTPS site, which is unsafe and is only available on the WF1 filtering policy, alongside Yahoo. As to how long Bing will have both an HTTP and an HTTPS site, only they can say. The general trend is that everything is heading towards HTTPS.
Q: What HTTPS websites will be inspected throughout HICS?
A: The only sites we will be doing this for are: Google, Yahoo and YouTube. The ONLY reason we are doing this is so we can decrypt the HTTPS sessions for these sites allowing us to apply the necessary safety features. We are not interested in snooping on people’s bank account details. If we add any other sites, a communication will be forthcoming.
Q: So online banking websites won’t be decrypted - but what is stopping someone with the relevant access going ahead and doing this?
A: We have provided Updata (the broadband provider of HICS) with a whitelist of sites to decrypt. If they start decrypting other websites they will be breaching their contract, and something this serious could end up with them losing their PSN (public sector network) accreditation. So it is in their interests that this does not happen.
Q: Can we have this working on some machines and not others? Can we, for example, only install it on PCs that the pupils use but leave it off staff-only PCs?
A: When Updata enable SSL inspection at the school, they will apply it to the entire school subnet. I can ask them to omit particular IP addresses from SSL inspection, but that would mean providing static IP addresses for all staff/machines you do not want SSL inspection deployed to. If this works for you, I can happily arrange it.
Q: We allow office staff at the school to use the internet on their lunch break, do they now have to stop this?
A: No, we are not saying that. The school can proceed with their IT acceptable use policy as normal.
Q: How does this affect BYOD (bring your own device) users?
A: SSL inspection is not available on the transparent proxy network yet. There need to be some upgrades on the HICS core before this is possible, so schools do not need to worry about BYOD on your 10.* range for now. I’ll arrange a communication when there are developments. As explained earlier, Google safe search is forced on for ALL users. If you have BYOD users connecting to your curriculum LAN (172.* range), they will need the certificate manually installed.
Q: Okay, it sounds like I need to set this up, what do I need to do?
A: Instructions are found here: http://ssl-filtering.updata.net/. You or your IT Support needs to make sure every device has the certificate installed. Often the certificate can be placed on the locally hosted file server and pushed out from there – please note that this usually only reaches Chrome and IE, which use the operating system’s certificate store. Firefox keeps its own certificate store, so you may have to install it there manually. For standalone devices, you will also need to enter the certificate manually on an individual basis.
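Once the certificate is pushed out, a school’s IT Support can confirm two things the FAQ promises: that the whitelisted sites (Google, Yahoo, YouTube) are now signed by the inspection CA, and that nothing outside the whitelist is. The following check is an added example, not part of the FAQ or Updata’s instructions; the inspection CA’s name and PEM file are placeholders to be replaced with the values from the certificate Updata supplies.

```python
import socket
import ssl

# Assumed placeholders (not from the FAQ): the real inspection CA's name and
# PEM file come from the certificate Updata supplies.
INSPECTION_CA_CN = "PLACEHOLDER Updata SSL Inspection CA"
# The sites the FAQ says are whitelisted for decryption.
INSPECTED_HOSTS = {"www.google.com", "www.yahoo.com", "www.youtube.com"}


def issuer_cn(cert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(host, cn, inspected_hosts=INSPECTED_HOSTS, ca_cn=INSPECTION_CA_CN):
    """Compare who signed the certificate with who should have signed it."""
    if cn is None:
        # Chain did not verify: typically inspection is on but the CA is not
        # installed on this device (the symptom the FAQ's install steps fix).
        return "untrusted-chain"
    expected = host in inspected_hosts
    inspected = cn == ca_cn
    if expected and inspected:
        return "inspected-as-expected"
    if expected:
        return "inspection-missing"
    if inspected:
        return "UNEXPECTED-INSPECTION"  # a host outside the whitelist is decrypted
    return "not-inspected"


def fetch_issuer_cn(host, ca_file=None, port=443, timeout=5):
    """Connect using the OS trust store plus the inspection CA; None if unverifiable."""
    ctx = ssl.create_default_context()
    if ca_file:  # e.g. "updata-inspection-ca.pem" once downloaded
        ctx.load_verify_locations(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return issuer_cn(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return None


if __name__ == "__main__":
    for h in sorted(INSPECTED_HOSTS | {"www.bing.com"}):
        print(h, classify(h, fetch_issuer_cn(h)))
```

Run it from a pupil PC and again from any machine you asked to be excluded: the whitelisted hosts should report inspected-as-expected on the former and not-inspected on the latter, and any host that reports UNEXPECTED-INSPECTION is worth raising with the service desk.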
Q: I am struggling to install the certificate into Chrome on iOS. What can I do?
A: Updata do not believe it will be possible to provide support for Chrome on iOS devices. Until Google provides a way to either import a certificate into Chrome itself or change Chrome to use the iOS certificate store, users will continue to experience issues.
Q: If I have any other questions, what should I do?
A: Please contact the SITSS Connectivity Service Desk on firstname.lastname@example.org and we will do all we can to help you out.