Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersSchool wants to install self signed root CA on kids devices
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6
Psitec
11 posts

Geek
+1 received by user: 4


  #1495162 18-Feb-2016 19:21
Send private message

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

 

 

 

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private. 

 

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

 

With the SSL decryption feature used, the traffic flow is the following;

 

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

 

 

 

 



Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #1495182 18-Feb-2016 19:45
Send private message

Unless the root ca key is stolen or the proxy stores url encoded data or.....

 

 

 

It really is a horrific idea




Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

roobarb
709 posts

Ultimate Geek
+1 received by user: 672

Trusted

  #1495221 18-Feb-2016 20:29
Send private message

Psitec:

 

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

 

I find your description disturbing and suggests you either don't know what your device is doing or else you are deliberately misleading us. If you are using your own CA, you must be terminating the SSL session at the proxy and creating a new session with a certificate created with your own CA to the client. If it is purely a tap on existing data then you must have broken the session key for the original session.

 

In either case the content of the stream is in memory on the device, and likely to end up in log files to aid/abet/confirm filtering.

 

Alternatively, is the decryption/re-encryption occurring within an HSM class device with no logging?

 

Has your proxy passed PCI compliance for the secure filtering of financial transaction data?



wsnz
654 posts

Ultimate Geek
+1 received by user: 204


  #1495224 18-Feb-2016 20:33
Send private message

Psitec:

 

 

 

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

 

 

 

 

 

 

That's a very bold assertion! Unfortunately data exfiltration can occur in this scenario, so great care must be taken with proxy selection, configuration and deployment. A compromised proxy server or one that does not (for example) perform upstream cert validation could compromise end to end security and open up a can of worms for organisations that deploy such inspection systems.

 

 

timslim
44 posts

Geek
+1 received by user: 11


  #1495225 18-Feb-2016 20:35
Send private message

Hi @asjohnstone,

 

 

 

Apologies for taking a while to get back. Hopefully these details below answer your questions, they build on what I said in my last post - which speak to the context and choices/implications that schools consider as they look to create a safe online environment for students. 

I just want to point out again, in case it's thought that HTTPS/SSL inspection is mandated by N4L.

It is not. It never has been mandated or "forced" - but it is available as an option.

HTTPS/SSL inspection is one of a range of options that schools have for filtering and web security.

 

Schools can choose to use N4L's funded tools, or tools from other providers over N4L's Managed Network. 

 

If any of these details are insufficient, please contact our helpdesk on 0800 LEARNING (532 764), and we'll look to answer any further questions.

 

  • Decrypted payload data is never stored on the filtering platform servers, it’s decrypted in memory, scanned, then re-encrypted and passed onto the user.
  • Traffic logs (who viewed what etc) are stored in a secure off site database, and all access to that database is also logged for auditing purposes and transparency.
  • Traffic Logs for allowed traffic are retained for 45 days, and logs of blocked traffic are retained for 365 days
  • In line with N4L’s privacy obligations, inspection policies are managed by the schools themselves and N4L will not be able to provide traffic log information to anyone external of the school.

The only visibility that school or N4L administrators have is to be able to view traffic logs and not the content on the sites.

 

N4L’s privacy policy specifies that we never look into user activity without the explicit instruction of the school, or on discovery of a serious breach. In these cases all viewing of logs is tracked and auditable.

 

Hope this is useful.

 

Cheers,

 

Tim

JimmyH
2898 posts

Uber Geek
+1 received by user: 1554


  #1495226 18-Feb-2016 20:43
Send private message

I'm in the camp of thinking this is a horrible idea.

 

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

 

I would be having a fairly blunt conversation with the school if they tried that.

 
 
 
 

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.
yitz
2240 posts

Uber Geek
+1 received by user: 594


  #1495232 18-Feb-2016 20:50
Send private message

JimmyH:

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

Huh? I'm not sure as to why you make the cert sound like some sort of remote access tool?

timslim
44 posts

Geek
+1 received by user: 11


  #1495256 18-Feb-2016 20:59
Send private message

JimmyH:

 

I'm in the camp of thinking this is a horrible idea.

 

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

 

I would be having a fairly blunt conversation with the school if they tried that.

 

 

Hi Jimmy,

 

The SSL certificate generated by N4L is only used when on N4L’s Managed Network, and is only active when used with N4L's filtering platform on that network.

 

Cheers,

 

Tim

Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #1495257 18-Feb-2016 21:01
Send private message

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it




Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

timslim
44 posts

Geek
+1 received by user: 11


  #1495260 18-Feb-2016 21:15
Send private message

Beccara:

 

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it

 

 

The certificate is not removed from the device - it remains on the device.

But for the SSL decryption to be implemented and filtering applied, the certificate needs to be invoked by N4L's filtering platform, which will only be available to the device if it is using N4L's managed network. 

 

If the device is on another network, the certificate is inoperative and no decryption occurs.

 

 

asjohnstone

76 posts

Master Geek
+1 received by user: 27


  #1495261 18-Feb-2016 21:16
Send private message

Psitec: 

 

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private. 

 

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

 

With the SSL decryption feature used, the traffic flow is the following;

 

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for) 

 

 

"So at no point can someone capture the traffic and view the stream"

 

Except for you of course; you can capture the traffic and view the stream.

 
 
 
 

Want to support Geekzone and browse the site without the ads? Subscribe to Geekzone now (monthly, annual and lifetime options).
asjohnstone

76 posts

Master Geek
+1 received by user: 27


  #1495262 18-Feb-2016 21:20
Send private message

Beccara:

 

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it

 

 

Yes, but unless the private key was compromised it wouldn't be a problem. But it could be.

 

There is no path of trust, no CRL, no OCSP. No way to disable the certificate, it's valid for 10 years, no turning it off. 

timslim
44 posts

Geek
+1 received by user: 11


  #1495280 18-Feb-2016 21:32
Send private message

asjohnstone:

 

Beccara:

 

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it

 

 

Yes, but unless the private key was compromised it wouldn't be a problem. But it could be.

 

There is no path of trust, no CRL, no OCSP. No way to disable the certificate, it's valid for 10 years, no turning it off. 

 

 

The validity of the certificate is set by the school. It can be 1 year, 3 years or 5 years or 7 years. 

 

We suggest certificates are issued for 1 year, but that is up the school to determine with regards to managing devices for students.

 

 

 

Tim

 

 

 

 

Psitec
11 posts

Geek
+1 received by user: 4


  #1495284 18-Feb-2016 21:44
Send private message

asjohnstone:

 

Psitec: 

 

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private. 

 

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

 

With the SSL decryption feature used, the traffic flow is the following;

 

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for) 

 

 

"So at no point can someone capture the traffic and view the stream"

 

Except for you of course; you can capture the traffic and view the stream.

 

 

 

 

There were comments around encryption been disabled and just wanted to highlight that the traffic is still encrypted.. So it is not in clear text across the network.

 

@asjohnstone, As Tim mentioned, the SSL decryption and re-encryption is all done in memory on the proxy server dealing with that traffic flow. 
The payload data is not written to disk. N4L does not have any access to the Cisco Cloud Web Security infrastructure and therefore does not have access to this payload data. FYI - In regards to the N4L network itself, there are private links within N4L network (VRF) and the CWS solution.

 

There is some additional information on the product and data privacy around HTTPS in the following document. For privacy reasons the Query and Path attribute is also not logged: http://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/data-privacy-final-source.pdf

 

 

 

 

Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #1495307 18-Feb-2016 22:25
Send private message

And what clearance level does N4L staff hold? Secret? Top Secret? What auditing is done and how is access monitored? Are the support systems for the product secured just as much as the main system? In a world with APT's these are all vectors for access to said systems and keys

 

Given the data stream from the client device to the proxy is compromised a tap installed anywhere along that chain by a N4L staff member or associated party could decrypt the packet capture with the CA keys. This data could be used for any number of reasons all because N4L decided to break decades worth of security best practices

 

 




Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

1 | 2 | 3 | 4 | 5 | 6
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright