SSL Inspection Q&A

Q: What is SSL inspection?
A:
SSL inspection (often referred to as Man in the Middle) is the capability to decrypt HTTPS web sessions so that filtering can be applied to them.

Q: That sounds scary, why would schools want this set up?
A:
Over recent months, websites such as Yahoo and Google have changed the way they deliver search results. They now divert users to their HTTPS sites rather than the HTTP sites they previously used. This change compromised eSafety, as it disabled some of the safety features available throughout HICS. SSL inspection decrypts the HTTPS session, allowing the necessary safety features to be applied.

Q: So is this going to replace the web filtering (WF1/WF2/WF3/WF4)?
A:
No, it will work in parallel with it and SSL inspection will run over the existing filtering platform.

Q: What will happen if we choose not to install the CA Certificate? Do we have to?
A:
We would encourage all schools to set this up. However, equally we will not force you. Google safe search will be forced on regardless, even without SSL inspection, rest assured. The functionality you will lose is the search keywords list. The search keywords list is a long list of words that we restrict users from searching on. So without SSL inspection, users will be able to search on any word they want and get a set of results, but they will be Google's safe results.
So the big difference is:
SSL inspection deployed = All safety modes forced on for Google, Yahoo and YouTube.
SSL inspection NOT deployed = In Google, safe search will be forced on BUT search keywords functionality will no longer work. Safety modes will not be forced on for Yahoo or YouTube.

Q: Do you have a ‘safe’ HTTP search engine you can provide us?
A:
It's important to state that no search engine or filtering platform is 100% reliable. However, http://www.bing.com still has the safety features forced on. Because it is HTTP, we do not have to decrypt the web session, and this site is fully accessible throughout the network. Bing also has an HTTPS site, which is unsafe and is only available on the WF1 filtering policy, alongside Yahoo. As to how long Bing will keep both an HTTP and an HTTPS site, only they can say. The general trend is that everything is heading towards HTTPS.

Q: What HTTPS websites will be inspected throughout HICS?
A:
The only sites we will be doing this for are: Google, Yahoo and YouTube. The ONLY reason we are doing this is so we can decrypt the HTTPS sessions for these sites allowing us to apply the necessary safety features. We are not interested in snooping on people’s bank account details. If we add any other sites, a communication will be forthcoming.

Q: So online banking websites won’t be decrypted - but what is stopping someone with the relevant access going ahead and doing this?
A:
We have provided Updata (the broadband provider of HICS) with a whitelist of sites to decrypt. If they start decrypting other websites they will be breaching their contract, and something this serious could end up with them losing their PSN (public sector network) accreditation. So it is in their interests that this does not happen.

Q: Can we have this working on some machines and not others? Can we, for example, only install it on PCs that the pupils use but leave it off staff-only PCs?
A:
When Updata enable SSL inspection at the school, they will permit this on the entire school subnet. I can ask them to omit particular IP addresses from having SSL inspection deployed, but that would mean providing static IP addresses to all staff/machines you do not want SSL inspection deployed for. If this works for you, I can happily arrange it.

Q: We allow office staff at the school to use the internet on their lunch break, do they now have to stop this?
A:
No, we are not saying that. The school can proceed with their IT acceptable use policy as normal.

Q: How does this affect BYOD (bring your own device) users?
A:
SSL inspection is not available on the transparent proxy network yet. There need to be some upgrades on the HICS core before this is possible. So schools do not need to worry about BYOD on your 10.* range for now. I'll arrange a communication when there are developments. As explained earlier, Google safe search is forced on for ALL users. If you have BYOD users connecting to your curriculum LAN (172.* range), they will need the certificate manually installed.

Q: Okay, it sounds like I need to set this up, what do I need to do?
A:
Instructions are found here: http://ssl-filtering.updata.net/. You or your IT Support need to make sure every device has the certificate installed. Often this can be installed onto the locally hosted file server and pushed out accordingly. Please note that this is often only pushed out to Chrome and IE; you may have to do this for Firefox manually. For standalone devices, you will also need to enter the certificate manually on an individual basis.

Q: I am struggling to install the certificate into Chrome on iOS. What can I do?
A:
Updata do not believe it will be possible to provide support for Chrome on iOS devices. Until Google provides a way either to import a certificate into Chrome itself or to make Chrome use the iOS certificate store, users will continue to experience issues.

Q: If I have any other questions, what should I do?
A:
Please contact the SITSS Connectivity Service Desk on sitss.internet@lea.herts.sch.uk and we will do all we can to help you out.

Posted in Uncategorized

Spear Phishing attempt

Now this post is not directly to do with HICS (or SSL inspection, shock horror). However, I have been contacted by a secondary school who has received a targeted spear phishing attempt. The email appeared to be sent from the head teacher to one of the office staff with the relevant text:

Hope your day is going on well, I need you to send out a same day UK to UK Faster payment immediately, Kindly email me the required details you will need to send out the payment. I will appreciate a swift email response.
Kind regards.

Despite appearing to, the email was not sent from the head teacher, and the relevant headers show that it was in fact sent from a disposable Yahoo email account. My understanding is that this has been brought to the attention of the relevant email provider and restrictions could be imposed at their end. However, there is very little that I or Updata can do about this, but it certainly does not do any harm to bring this to your attention.

Thanks,

Kev


Posted in Email

SSL communication

Please see the attached communication that has gone out to all schools on SSL.
Man in the Middle – school comms

Thanks,

Kevin Crawley

Posted in Uncategorized

Meeting at Updata

Please find attached a copy of the minutes from the recent schools' forum with Updata. Can I please also take this opportunity to thank people for their input and time. I will arrange something again later in the year, but in the meantime, if anyone has any related queries please get in touch in the normal way.
HICS network managers event June 2015

Thanks,

Kevin Crawley


Posted in Service

Prepare yourself for SSL inspection

I have added a new page onto the blog, I strongly suggest you read it: http://hics.lea.herts.sch.uk/tech/content-filtering/ssl-inspection/

As explained at the above URL, Google advise they will be making some changes and this will impact your school. If you wish to continue with the existing safe settings, you will need to import the certificate into all devices on your network. Browsing to http://ssl-filtering.updata.net will provide the instructions required to talk you through what needs to be done. There is also a large message in the middle of that page which clearly tells you whether or not the certificate has been correctly installed. Once you are happy that this has been deployed throughout the network, Updata need to enable SSL inspection for your school. Updata are looking to roll this out in a controlled manner. Whilst this is a sensible stance, I am equally keen for Updata to proceed as quickly as possible! However, I strongly suggest you get the certificates deployed throughout the network so you are ready to go. Once you have done this, please email sitss.internet@lea.herts.sch.uk to advise.

Some key points:

Google:
Google's safe search will be forced on with or without SSL inspection, so you will not lose that functionality, don't worry. Once Google make the change scheduled for 24/6, without SSL inspection the search keywords functionality will disappear. This means that users will be able to search on any term they wish and get a 'safe' return, because the Google safety mode will still kick in. With SSL inspection turned on, users will once again be restricted as to what terms they can search on.

Yahoo:
This is HTTPS already. Without SSL inspection (as it stands), ALL search results and images in Yahoo will come up unfiltered, hence the reason for restricting access to this website to WF1 users only. There is no filtering on the search results in Yahoo. However, with SSL inspection enabled, the safety settings will return. Please be aware that for the foreseeable future, Yahoo will stay on WF1 only.

YouTube:
YouTube is also currently HTTPS, but with SSL inspection enabled, unsafe videos will not be viewable. As it stands, users can currently disable safety mode. In truth, we receive very few related queries on this, but it's something to be aware of.

Bing:
Bing has an HTTPS site (only accessible on WF1) and, without SSL inspection, it produces unsafe results. The HTTP site is fully accessible, search keywords work and safety mode is forced on. With this in mind, you may want to suggest this search engine for the time being.

The transparent proxy:
For now, SSL inspection will not be available on this network. The proxy component needs to be changed and discussions are under way for this to happen. Google safe search will be forced on for these users. Further communications will follow.

Import the certificates first:
If Updata enable SSL inspection first, users will get certificate error messages when trying to browse to Google, Yahoo and YouTube. So once you are happy with your preparation, please then get in touch with us.
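The three situations described in this post (not inspected, inspected with the CA imported, inspected before the CA is imported and therefore producing errors) can be told apart from the TLS handshake itself. The following is an added example, not code from the blog or from Updata; the issuer name INSPECTION_CA_CN is a hypothetical placeholder for whatever the real CA certificate carries, and the two sample certificates are constructed so the classification runs offline.

```python
"""Added example: classify an HTTPS handshake into the three deployment states
described in the post: not inspected, inspected with the CA trusted, or
inspected but the CA not yet imported (the browser-error case)."""
import socket
import ssl

# Hypothetical issuer name; take the real one from the CA certificate your
# provider asks you to install.
INSPECTION_CA_CN = "Example Inspection CA"

def issuer_cn(peercert):
    """Return the issuer commonName from ssl.SSLSocket.getpeercert() output."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def classify(peercert, inspection_cn=INSPECTION_CA_CN, verify_error=None):
    """Map a handshake outcome onto the three deployment states."""
    if verify_error is not None:
        # Chain did not validate against this device's trust store: either the
        # inspection CA has not been imported yet, or some other chain problem.
        return "inspected-ca-not-trusted"
    if issuer_cn(peercert) == inspection_cn:
        return "inspected-ca-trusted"
    return "not-inspected"

def probe(host, port=443, timeout=5.0):
    """Live check (needs network): handshake with host and classify the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return classify({}, verify_error=err)

# Constructed samples in getpeercert() format (not captured from a real site).
SAMPLE_INSPECTED = {  # leaf re-signed by the inspection CA
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "Example School"),),
               (("commonName", "Example Inspection CA"),)),
}
SAMPLE_DIRECT = {  # leaf issued by a public CA, i.e. the session is not decrypted
    "subject": ((("commonName", "www.bing.com"),),),
    "issuer": ((("commonName", "Public CA (constructed)"),),),
}
```

Run `probe("www.google.com")` from a school PC after the certificate has been pushed out: it should return "inspected-ca-trusted" once Updata have enabled inspection, and "not-inspected" for a site outside the whitelist such as www.bing.com.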

IP addresses:
If you have particular IP addresses you do not want to have SSL inspection deployed for, we can arrange this. I'll give you an example of why you may want this. We have trialled 10 schools on the network for this. One of them reported that their Active Directory was no longer syncing with the Google cloud, so Updata excluded this particular IP address from SSL inspection, even though it was enabled for the rest of the LAN. The issue has since been fixed by Updata and SSL inspection has been turned on for this IP address once again.

Myself and my colleagues have been busy highlighting these pending changes to schools. Communications are being sent out, and Head Teachers have been briefed on this, so you are likely to be asked questions.

As ever, if you do have any queries on this please get in touch. If you’d be kind enough to email sitss.internet@lea.herts.sch.uk in the first instance, it would be appreciated.

Thanks,

Kevin Crawley


Posted in Web Filtering, Websites