

asjohnstone

76 posts

Master Geek
+1 received by user: 27


#191765 15-Feb-2016 21:20
As an IT pro, my immediate reaction here is "you've got to be kidding me".

 

The trusted root certification authority store is the pinnacle of safety; having a certificate in here allows them to re-sign all other certs without raising a red flag. It allows them to man-in-the-middle absolutely everything. It's apparently required in order to authenticate against their proxy?

 

Are others seeing this? Am I being too enterprise paranoid?

timslim
44 posts

Geek
+1 received by user: 11


  #1493523 16-Feb-2016 23:36

Hi all,

 

I’ve been a very minor participant on Geekzone for a number of years - posting here in my work role, which is Training Lead at N4L. 

 

I'm not aware of the specific details of the school mentioned in the original post from @asjohnstone - and so without knowing exactly what the school is proposing and trying to achieve with their N4L filtering, I can’t speak to the exact case.

 

However, here are a couple of points to consider, firstly with regards to the education sector environment and to some specifics about what N4L’s filtering and SSL decryption actually entails. Some of these details are what I’ve written in other edu mailing lists, so apologies if you’ve already read them.

 

1. The Boards of Trustees and school leaders are responsible for maintaining a safe online environment in their schools. There is specific legislation that governs this: http://www.education.govt.nz/ministry-of-education/legislation/nags/#NAG5. Secondary schools obviously have different needs and requirements from primary schools. N4L’s services, which are fully funded and available to any schools on the Managed Network, have to be tailored to meet, as best possible, all of their needs.

 

 

 

2. For schools on N4L’s Managed Network - 60% of the traffic is delivered over HTTPS. Schools therefore have no visibility over, or ability to apply filters to, the encrypted traffic. N4L can block HTTPS traffic if requested, but this would mean preventing the use of Google, YouTube, Vimeo, Pinterest and other sites that have plenty of useful teaching and learning content, as well as inappropriate content.

Search engines like Google provide the “SafeSearch” security feature, which is enabled by default on N4L's network. This is sufficient for some schools; however, it is not for many schools, particularly primary schools.

 

SSL decryption on search engines offers schools the ability to filter certain keywords from image or video searches.

 

 

 

3. Schools are able to choose and use whatever tools they wish to maintain the online environment for students. N4L's Web Filtering tools are available to any school on the Managed Network, but not mandated.

 

Schools can use combinations of N4L's tools and their own onsite tools.

 

Schools need to take ownership of who's responsible for said tools - and manage accordingly.

 

Scott has shared the options that his product provides, and there are a range of other firewall and filtering providers available to schools. Schools can choose to use these instead of N4L’s services, and/or in tandem with N4L’s services.

 

As said there is no mandate to use N4L’s services, and we are happy to work with schools who are utilising other products. 

 

Obviously the more complexity you add to the system - the more responsibility and maintenance costs you place upon the schools to manage and maintain those systems.

 

 

 

4. In implementing N4L’s Secure Website Inspection (our teacher friendly phrase for HTTPS/SSL inspection) schools have full control over what sites are decrypted and then filtered.

 

N4L does not blanket decrypt all SSL traffic.

 

Certificates are issued and managed by schools.

 

Schools select and choose which categories, e.g. social media/search engines, or which specific URLs are decrypted.

 

Any sites or categories of sites that are not specified for decryption, and are served via HTTPS are untouched between user and site.

 

The SSL certificate generated by N4L is only used when on N4L’s Managed Network.

 

Inspection is also configurable by network and IP range, so you could exclude a teacher-only SSID, or a range of machines, e.g. servers, from ever having traffic (HTTP or HTTPS) inspected.

 

SSL inspection cannot be applied to directory groups - it is only via network or IP range.

 

Or schools can choose to not apply SSL inspection at all.

 

 

 

We recommend that schools are open and transparent about what they're aiming to achieve with their filtering, and be specific about the online environment they are trying to create for their students, and communicate that with their communities.

 

That would include being open with the requirement to install certificates, if students wish to use their device on the school's N4L connection - if that was what the school chose to do.

 

That would include stating what sites are being decrypted - and what sites are excluded from decryption.

 

That would include being open about what any filtering can achieve - specifically stating that N4L's filtering only applies to devices using the Managed Network connection - and pointing out that if students choose to use their 3G/4G connection, then N4L's filtering cannot apply.

 

As has been mentioned there will always be ways to work around filtering, and no filtering is 100% guaranteed to prevent inappropriate use.

 

N4L’s approach is to support schools in their digital citizenship efforts and to allow teachers to get on with working with students. So education and conversations about appropriate and inappropriate use of the Internet, and engaging with students about how they are using the Internet should always be the starting point.

 

Schools, as self-managing entities, are fully entitled to have a range of opinions and ways of achieving safe online environments - these opinions will be reflective of the communities within which they sit. N4L’s tools can be configured to work alongside those community needs.

 

Personally, I believe an open, secured internet is best - but I appreciate and respect those school leaders who want the options to apply more filtering to ensure the safety of students. In my role at N4L it's about helping them to understand the implications and the steps they are able to take to do so, if they choose to use N4L's tools.

 

Please feel free to contact the N4L Helpdesk on 0800 LEARNING (532 764) if you are working with a school on the Managed Network - or email me directly - tim.kong @ n4l.co.nz  - if you have any more specific queries. If I’m not able to answer them myself, I’ll loop our engineers in.

 

 

 

Regards,

 

Tim
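
Added example, not part of either post and not N4L's code: the reply says that only selected sites are decrypted and the rest are untouched, which a device owner can check by reading the issuer of the certificate each site presents on the school network. The CA name, the declared host list and the sample certificates below are constructed placeholders; `fetch_cert` shows how a live certificate would be obtained.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the 'issuer' RDN tuples from ssl.getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}

def is_inspected(cert, inspection_ca_names):
    """True if the leaf's issuer CN or O matches a known inspection CA."""
    f = issuer_fields(cert)
    seen = {f.get("commonName", "").lower(), f.get("organizationName", "").lower()}
    return any(name.lower() in seen for name in inspection_ca_names)

def fetch_cert(host, port=443, timeout=5.0):
    """Live lookup. Raises ssl.SSLCertVerificationError when the issuing
    root is not in this device's trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs_by_host, inspection_ca_names, declared_hosts):
    """Compare observed re-signing with the hosts declared as decrypted."""
    report = {}
    for host, cert in certs_by_host.items():
        seen = is_inspected(cert, inspection_ca_names)
        declared = host in declared_hosts
        if seen:
            report[host] = "decrypted-as-declared" if declared else "undeclared-decryption"
        else:
            report[host] = "declared-but-untouched" if declared else "untouched"
    return report

# Constructed data in the shape getpeercert() returns (not real certificates).
INSPECTION_CA = ["Example School Inspection CA"]  # hypothetical CA name
DECLARED = {"search.example"}                     # hypothetical published list
_SCHOOL = ((("organizationName", "Example School"),),
           (("commonName", "Example School Inspection CA"),))
_PUBLIC = ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
           (("commonName", "Example Public CA R1"),))
SAMPLE = {
    "search.example": {"issuer": _SCHOOL},
    "bank.example": {"issuer": _PUBLIC},
    "mail.example": {"issuer": _SCHOOL},
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE, INSPECTION_CA, DECLARED).items():
        print(f"{host:16} {status}")
```

For a live check, build the dictionary with `{h: fetch_cert(h) for h in hosts}` while connected to the network in question; a verification error on a device without the school's root installed is itself a sign that the site is being re-signed.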

