Mad Scientist
18705 posts

Uber Geek
+1 received by user: 2381

Trusted
Lifetime subscriber

  Reply # 1493666 17-Feb-2016 09:12

roobarb:

 

joker97: can you explain why this is a bad thing to install?

 

Browsers show a little padlock to show that a site is trusted and SSL is in use, this in turn allows you to trust doing any banking on the internet because you know that it is truly the bank acting as the server and you have a secure connection preventing eavesdropping by a man in the middle.

 

Being a root CA means you trust it won't sign dodgy certificates for sites that are not who they claim to be, at the very least, that they own the domain name for which an SSL certificate has been signed.

 

SSL inspection by a man in the middle completely removes this trust, and your trust now has to transfer to the filter and whoever is managing the CA and signing these effectively bogus certificates.

 

So if you now go to your bank while on the school network you won't see a certificate signed by Verisign/Thawte etc, you will see it signed by the school, and all your communications with the bank that you thought were confidential are in the clear within the filter system.

 

So you could say, that's okay, I won't do my banking at school (will the teachers remember that?), there are other scenarios regarding the CA getting compromised and agents other than the school signing certificates.

 

Sony and Lenovo were hauled over the coals for doing exactly this, and in some cases creating signed SSL certificates without even validating the original.

 

 

Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happen when I browse on my RDP or when I am using work computer?


483 posts

Ultimate Geek
+1 received by user: 286

Trusted

  Reply # 1493671 17-Feb-2016 09:21

joker97: Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happen when I browse on my RDP or when I am using work computer?

 

If you have installed a root CA on your own computer, then your browsers will trust any SSL certificate signed specifically by that CA, or where the CA is at the root of a chain. That CA will be ignored for SSL certificates signed by anybody else.

 

So the risk requires that the CA is compromised and used to maliciously sign rogue certificates and your computer has been tricked by DNS or network routing to go to a different site, both are technically met by the school filtering.
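
The trust decision described in this reply, as an added example that is not part of the original post: a certificate is accepted only if a root in the device's trust store signed it, so installing the filter's root is what makes a re-signed certificate validate, and checking which root anchored the chain is how interception shows up. It assumes the Python `cryptography` package; every CA name, key and the host `bank.example` is constructed for the illustration.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, subject_key, signing_key, is_ca=False):
    """Build a throwaway certificate; every name and key here is constructed."""
    start = datetime.datetime(2016, 2, 17)
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )


def anchoring_root(leaf, trust_store):
    """Return the CN of the trusted root whose key signed `leaf`, else None.

    Only issuer name and signature are checked; dates, hostname and
    revocation are left out to keep the trust-anchor step visible.
    """
    for root in trust_store:
        if root.subject != leaf.issuer:
            continue
        try:
            root.public_key().verify(
                leaf.signature,
                leaf.tbs_certificate_bytes,
                ec.ECDSA(leaf.signature_hash_algorithm),
            )
        except InvalidSignature:
            continue
        return root.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None


# Constructed stand-ins: one public CA and one filter CA, each self-signed.
PUBLIC_CN, FILTER_CN = "Constructed Public CA", "Constructed School Filter CA"
public_key, filter_key, bank_key, proxy_key = (
    ec.generate_private_key(ec.SECP256R1()) for _ in range(4)
)
public_root = make_cert(PUBLIC_CN, PUBLIC_CN, public_key, public_key, is_ca=True)
filter_root = make_cert(FILTER_CN, FILTER_CN, filter_key, filter_key, is_ca=True)
genuine = make_cert("bank.example", PUBLIC_CN, bank_key, public_key)
intercepted = make_cert("bank.example", FILTER_CN, proxy_key, filter_key)
forged = make_cert("bank.example", PUBLIC_CN, proxy_key, filter_key)  # names the public CA, wrong signer

default_store = [public_root]             # device without the school root
byod_store = [public_root, filter_root]   # device after installing the school root
```

On the device with the extra root, the genuine certificate still anchors to the public CA, while the re-signed one anchors to the filter CA; the issuer shown in the browser's certificate details reflects the same distinction.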

2277 posts

Uber Geek
+1 received by user: 370

Trusted
Subscriber

  Reply # 1493692 17-Feb-2016 10:02
One person supports this post

roobarb:

joker97: Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happen when I browse on my RDP or when I am using work computer?


If you have installed a root CA on your own computer, then your browsers will trust any SSL certificate signed specifically by that CA, or where the CA is at the root of a chain. That CA will be ignored for SSL certificates signed by anybody else.


So the risk requires that the CA is compromised and used to maliciously sign rogue certificates and your computer has been tricked by DNS or network routing to go to a different site, both are technically met by the school filtering.

Only IF someone configuring it decided to inspect categories which they are explicitly advised not to. Then on top of that they would have to partake in some devious action all while being logged at every step.

Schools already use other teacher dashboard tools like Hapara that allow teachers to even view what's on their kids screen.

this whole installing root CAs is being blown way out of proportion, this will be common practice soon and we'll move onto the next contentious issue :)

UHD

650 posts

Ultimate Geek
+1 received by user: 290


  Reply # 1493719 17-Feb-2016 10:08
2 people support this post

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.


If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.


483 posts

Ultimate Geek
+1 received by user: 286

Trusted

  Reply # 1493730 17-Feb-2016 10:21
One person supports this post

insane: this whole installing root CAs is being blown way out of proportion, this will be common practice soon and we'll move onto the next contentious issue :)

 

I hope the opposite happens, where schemes like Let's Encrypt remove the requirement for root CA as long as you own the domain name you claim you are from. Signing your own certificate as if it came from *.google.com should be treated as the deliberate deception that it is.

 

 


484 posts

Ultimate Geek
+1 received by user: 111


  Reply # 1493855 17-Feb-2016 12:13

roobarb:

 

That's just all or nothing. Alternatively how about school determines curriculum and list of sites to support it and allow them using DNS. Anything else is ex-curricula.

 

That can be done at the school WiFi network level, no CAs required.

 

Unfortunately, it can be impractical - another layer of management and general administration is required. There are also some fantastic resources that students often find themselves, and searching the internet for resources is another skill we should also be encouraging.


484 posts

Ultimate Geek
+1 received by user: 111


  Reply # 1493917 17-Feb-2016 12:18

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.


2475 posts

Uber Geek
+1 received by user: 674


  Reply # 1494061 17-Feb-2016 14:53

But really, this also needs to be managed in a sliding scale... How many 5 year olds can be taught to avoid spelling mistakes that may end them on a "pron" "prawn" "praun" site???

Do you really expect an 8 year old to realise the consequences of downloading 'those' pictures at school 😱

All good when you hit 14+ but not applicable at 5-9!

2277 posts

Uber Geek
+1 received by user: 370

Trusted
Subscriber

  Reply # 1494098 17-Feb-2016 15:26

wsnz:

 

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.

 

 

Yeah agree with you that is the best approach to teach kids what to not look at in the first place, but this still doesn't take care of the very real threat that is being overlooked. How do you effectively protect users (adults or kids) against all those instances of malware and viruses which are embedded in compromised websites or applications that may be OK for corporate or educational use and not blocked through simple domain name based filtering?

 

Don't get me wrong, I'm all down with this digital citizenship, but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users' private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat-laden traffic.

 

I do believe that talking openly about this is a great start!


483 posts

Ultimate Geek
+1 received by user: 286

Trusted

  Reply # 1494124 17-Feb-2016 16:12
2 people support this post

insane: Don't get me wrong, I'm all down with this digital citizenship, but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users' private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat-laden traffic.

 

There is no issue at all to school owned hardware being used, and it is fully understood that you have no expectation of privacy when using school equipment. You can do what you like with root CA on those devices. If they are commodity devices and they get compromised then a factory reset or restore from known image will get you going in no time.

 

The issue I see, is due to cost, the school wants parents to buy the devices. If you do bring your own device and install whatever school tells you to install then you should treat the device in the same manner and have no expectation of privacy on it, and then not trust using the device for your own personal purposes.


988 posts

Ultimate Geek
+1 received by user: 157

UberGroup

  Reply # 1494153 17-Feb-2016 16:40
One person supports this post

Interesting events since I posted. Said child is now upset and unhappy as she's the only one in the class without an ipad and the teacher is excluding her from things kids are doing because of it :/ Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

 

edit:// Teacher was getting kids to google things and type them down for her to see. Our child was given a dictionary and a list of words to look up and write down their meaning on. Not strictly within the scope of this topic but a fear of mine before this was how the teacher would integrate tech into their teaching and the answer right now is badly





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

483 posts

Ultimate Geek
+1 received by user: 286

Trusted

  Reply # 1494182 17-Feb-2016 17:10
One person supports this post

Beccara:

 

Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

I can understand the school's problem, non-technical staff can't afford to spend all their time sorting out individual connectivity problems. So much for a free education. I'm sure the school will still ask for "donations" and "contributions".


UHD

650 posts

Ultimate Geek
+1 received by user: 290


  Reply # 1494195 17-Feb-2016 18:09

insane:

 

wsnz:

 

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

 

 

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.

 

 

Yeah agree with you that is the best approach to teach kids what to not look at in the first place, but this still doesn't take care of the very real threat that is being overlooked. How do you effectively protect users (adults or kids) against all those instances of malware and viruses which are embedded in compromised websites or applications that may be OK for corporate or educational use and not blocked through simple domain name based filtering?

 

Don't get me wrong, I'm all down with this digital citizenship, but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users' private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat-laden traffic.

 

I do believe that talking openly about this is a great start!

 
That very real threat is the reason I adblock everything and have a clear conscience. No one has explained to me an alternative to the very real threat of malware-laden advertising being delivered via third party advertising networks and who will pay for the very real damage it can cause. As a side note: a subscription to the websites I visit on a regular basis would bankrupt even a moderately successful New Zealander so I can't fathom that being a solution either but that is a little OT.

 

I will say that the issue is not something that has a simple solution but it is certain that removing encryption is not even a small part of that solution and never should be. An abuse of power like that will certainly be taken advantage of and I would rather the risk of a thousand malware infected networks than a rogue systems administrator snooping on my or anyone else's children's communications with malicious intent.




75 posts

Master Geek
+1 received by user: 28


  Reply # 1494254 17-Feb-2016 20:10

I'd actually like N4L to speak about how and where this data is stored *after* it is decrypted. 

 

Do they have access to it, or is it the school? How is this audited?

How long is the data retained for? How is it securely deleted?

Also how do I know what sites you are inspecting? How can I verify if what you tell me is true?

 

@timslim


895 posts

Ultimate Geek
+1 received by user: 285


  Reply # 1494638 18-Feb-2016 09:20
One person supports this post

Beccara:

 

Interesting events since I posted. Said child is now upset and unhappy as she's the only one in the class without an ipad and the teacher is excluding her from things kids are doing because of it :/ Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

 

edit:// Teacher was getting kids to google things and type them down for her to see. Our child was given a dictionary and a list of words to look up and write down their meaning on. Not strictly within the scope of this topic but a fear of mine before this was how the teacher would integrate tech into their teaching and the answer right now is badly

 

 

That's shocking. I've got friends with kids at a local decile 10 school, but said friends are not well off at all. No funding for the school to buy devices, so that's $300/kid minimum for a chromebook, thanks... worse if it was an iPad school.

What do you do when you move and shift schools and go from a school with one set of BYOD restrictions to a school with an incompatible set of restrictions? Buy a new set of devices?

 

<politics>Still, at least we got our tax cuts, right? It's not as if our kids need an education or sick people need hospitals...</politics>

