Geekzone: technology news, blogs, forums
9 posts

Wannabe Geek
+1 received by user: 1


  Reply # 1495162 18-Feb-2016 19:21
UHD:

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private.

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website, and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

With the SSL decryption feature used, the traffic flow is the following:

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)


965 posts

Ultimate Geek
+1 received by user: 146

UberGroup

  Reply # 1495182 18-Feb-2016 19:45
2 people support this post
Unless the root CA key is stolen or the proxy stores URL-encoded data or.....

It really is a horrific idea.

Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.


483 posts

Ultimate Geek
+1 received by user: 286

Trusted

  Reply # 1495221 18-Feb-2016 20:29
3 people support this post
Psitec:

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

I find your description disturbing; it suggests you either don't know what your device is doing or else you are deliberately misleading us. If you are using your own CA, you must be terminating the SSL session at the proxy and creating a new session with a certificate created with your own CA to the client. If it is purely a tap on existing data then you must have broken the session key for the original session.

In either case the content of the stream is in memory on the device, and likely to end up in log files to aid/abet/confirm filtering.

Alternatively, is the decryption/re-encryption occurring within an HSM-class device with no logging?

Has your proxy passed PCI compliance for the secure filtering of financial transaction data?


431 posts

Ultimate Geek
+1 received by user: 94


  Reply # 1495224 18-Feb-2016 20:33
One person supports this post
Psitec:

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

That's a very bold assertion! Unfortunately data exfiltration can occur in this scenario, so great care must be taken with proxy selection, configuration and deployment. A compromised proxy server, or one that does not (for example) perform upstream cert validation, could compromise end-to-end security and open up a can of worms for organisations that deploy such inspection systems.


42 posts

Geek
+1 received by user: 11


  Reply # 1495225 18-Feb-2016 20:35
Hi @asjohnstone,

Apologies for taking a while to get back. Hopefully the details below answer your questions; they build on what I said in my last post, which speaks to the context and choices/implications that schools consider as they look to create a safe online environment for students.

I just want to point out again, in case it's thought that HTTPS/SSL inspection is mandated by N4L: it is not. It never has been mandated or "forced", but it is available as an option.

HTTPS/SSL inspection is one of a range of options that schools have for filtering and web security.

Schools can choose to use N4L's funded tools, or tools from other providers over N4L's Managed Network.

If any of these details are insufficient, please contact our helpdesk on 0800 LEARNING (532 764), and we'll look to answer any further questions.

  • Decrypted payload data is never stored on the filtering platform servers; it's decrypted in memory, scanned, then re-encrypted and passed on to the user.
  • Traffic logs (who viewed what etc.) are stored in a secure off-site database, and all access to that database is also logged for auditing purposes and transparency.
  • Traffic logs for allowed traffic are retained for 45 days, and logs of blocked traffic are retained for 365 days.
  • In line with N4L's privacy obligations, inspection policies are managed by the schools themselves and N4L will not be able to provide traffic log information to anyone external to the school.

The only visibility that school or N4L administrators have is to be able to view traffic logs, not the content on the sites.

N4L's privacy policy specifies that we never look into user activity without the explicit instruction of the school, or on discovery of a serious breach. In these cases all viewing of logs is tracked and auditable.

Hope this is useful.

Cheers,

Tim


2371 posts

Uber Geek
+1 received by user: 1032


  Reply # 1495226 18-Feb-2016 20:43
One person supports this post
I'm in the camp of thinking this is a horrible idea.

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

I would be having a fairly blunt conversation with the school if they tried that.


1034 posts

Uber Geek
+1 received by user: 217


  Reply # 1495232 18-Feb-2016 20:50
JimmyH:

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

Huh? I'm not sure why you make the cert sound like some sort of remote access tool.

42 posts

Geek
+1 received by user: 11


  Reply # 1495256 18-Feb-2016 20:59
One person supports this post
JimmyH:

I'm in the camp of thinking this is a horrible idea.

If they want to use their own root certificate in this fashion then they are at liberty to install it on devices that the school itself owns - and maybe rent them to parents. But as for installing it on hardware that I own and a child of mine was using in the home, and potentially their bedroom as well with a camera on it, and/or connected to my network, no way!

I would be having a fairly blunt conversation with the school if they tried that.

Hi Jimmy,

The SSL certificate generated by N4L is only used when on N4L's Managed Network, and is only active when used with N4L's filtering platform on that network.

Cheers,

Tim


965 posts

Ultimate Geek
+1 received by user: 146

UberGroup

  Reply # 1495257 18-Feb-2016 21:01
2 people support this post
That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it.

Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

42 posts

Geek
+1 received by user: 11


  Reply # 1495260 18-Feb-2016 21:15
One person supports this post
Beccara:

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it.

The certificate is not removed from the device - it remains on the device.

But for the SSL decryption to be implemented and filtering applied, the certificate needs to be invoked by N4L's filtering platform, which will only be available to the device if it is using N4L's managed network.

If the device is on another network, the certificate is inoperative and no decryption occurs.


75 posts

Master Geek
+1 received by user: 28


  Reply # 1495261 18-Feb-2016 21:16
Psitec:

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private.

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website, and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

With the SSL decryption feature used, the traffic flow is the following:

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

"So at no point can someone capture the traffic and view the stream"

Except for you of course; you can capture the traffic and view the stream.


75 posts

Master Geek
+1 received by user: 28


  Reply # 1495262 18-Feb-2016 21:20
One person supports this post
Beccara:

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it.

Yes, but unless the private key was compromised it wouldn't be a problem. But it could be.

There is no path of trust, no CRL, no OCSP. No way to disable the certificate; it's valid for 10 years, no turning it off.


42 posts

Geek
+1 received by user: 11


  Reply # 1495280 18-Feb-2016 21:32
asjohnstone:

Beccara:

That makes no sense. For it to be effective the cert must be a CA root cert installed as trusted. Taking the device off the N4L network would not remove it.

Yes, but unless the private key was compromised it wouldn't be a problem. But it could be.

There is no path of trust, no CRL, no OCSP. No way to disable the certificate; it's valid for 10 years, no turning it off.

The validity of the certificate is set by the school. It can be 1 year, 3 years, 5 years or 7 years.

We suggest certificates are issued for 1 year, but that is up to the school to determine with regards to managing devices for students.

Tim
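
The three points argued above (whether a trusted root stays effective once the device leaves the N4L network, the absence of CRL/OCSP revocation and the certificate lifetime, and the earlier remark about proxies that skip upstream certificate validation) all come down to how a TLS client decides to accept a certificate. The Go program below is an added example written for this page; it is not code from N4L, Cisco or any poster. The root CA it builds, the host name www.example.invalid and the one-year policy limit are constructed for the demonstration (the one-year figure follows the suggested validity in Tim's post above).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot builds a self-signed CA valid for the given number of years. It is constructed
// for this example (not N4L's or Cisco's real root) and advertises no CRL or OCSP URL.
func newRoot(years int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	notBefore := time.Now().UTC().Add(-time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Filtering Root CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf signs a short-lived server certificate for host with the root, as an inspecting proxy does per site.
func mintLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().UTC().Add(-time.Hour),
		NotAfter:     time.Now().UTC().AddDate(0, 0, 30),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptedBy reports whether a TLS client whose trust store holds exactly the given roots
// would accept leaf for host. Only the trust store and the chain matter; the network the
// device is on never enters the decision. A proxy must run the same check on the real site.
func AcceptedBy(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// AuditRoot applies a simple policy to a root: a lifetime of at most maxYears (with a
// day of slack for date rounding) and at least one advertised revocation mechanism.
func AuditRoot(root *x509.Certificate, maxYears int) []string {
	var findings []string
	limit := root.NotBefore.AddDate(maxYears, 0, 0).Add(24 * time.Hour)
	if root.NotAfter.After(limit) {
		findings = append(findings, fmt.Sprintf("lifetime exceeds %d year(s)", maxYears))
	}
	if len(root.CRLDistributionPoints) == 0 && len(root.OCSPServer) == 0 {
		findings = append(findings, "no CRL distribution point and no OCSP responder: cannot be revoked")
	}
	return findings
}

func main() {
	const host = "www.example.invalid" // placeholder host name
	root, key, err := newRoot(10)      // a 10-year root, as described in the thread
	if err != nil {
		panic(err)
	}
	leaf, err := mintLeaf(root, key, host)
	if err != nil {
		panic(err)
	}
	fmt.Println("root in device trust store:", AcceptedBy(leaf, host, root))
	fmt.Println("root absent from trust store:", AcceptedBy(leaf, host))
	fmt.Println("audit findings:", AuditRoot(root, 1))
}
```

`AcceptedBy` makes the point raised about the root certificate: the device accepts the proxy's minted certificates whenever the root is in its trust store, and nothing about the network it is connected to changes that outcome. `AuditRoot` turns the CRL/OCSP and lifetime objections into checks an administrator can run against any root before installing it; the revocation finding is reported even for a one-year root, because shortening the lifetime limits exposure but does not add a way to withdraw trust early.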

 

 

 

 


9 posts

Wannabe Geek
+1 received by user: 1


  Reply # 1495284 18-Feb-2016 21:44
asjohnstone:

Psitec:

I would like to clarify that when performing SSL decryption, the traffic does not have encryption removed. The traffic between the user and the website is still encrypted and private.

So in the example where traffic is delivered over HTTP, it is possible to capture the stream at any point between the user device and end website, and this could allow the snooper to view the information such as details posted in a web form. (no privacy of information)

With the SSL decryption feature used, the traffic flow is the following:

User <encrypted stream> Proxy (scanned) <encrypted stream> Website. So at no point can someone capture the traffic and view the stream as you can with HTTP, therefore the privacy of information is still protected from prying eyes. (which is what SSL encryption was designed for)

"So at no point can someone capture the traffic and view the stream"

Except for you of course; you can capture the traffic and view the stream.

There were comments around encryption being disabled and I just wanted to highlight that the traffic is still encrypted. So it is not in clear text across the network.

@asjohnstone, as Tim mentioned, the SSL decryption and re-encryption is all done in memory on the proxy server dealing with that traffic flow. The payload data is not written to disk. N4L does not have any access to the Cisco Cloud Web Security infrastructure and therefore does not have access to this payload data. FYI: in regard to the N4L network itself, there are private links between the N4L network (VRF) and the CWS solution.

There is some additional information on the product and data privacy around HTTPS in the following document. For privacy reasons the Query and Path attribute is also not logged: http://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/data-privacy-final-source.pdf


965 posts

Ultimate Geek
+1 received by user: 146

UberGroup

  Reply # 1495307 18-Feb-2016 22:25
And what clearance level do N4L staff hold? Secret? Top Secret? What auditing is done and how is access monitored? Are the support systems for the product secured just as much as the main system? In a world with APTs these are all vectors for access to said systems and keys.

Given the data stream from the client device to the proxy is compromised, a tap installed anywhere along that chain by an N4L staff member or associated party could decrypt the packet capture with the CA keys. This data could be used for any number of reasons, all because N4L decided to break decades' worth of security best practices.

Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.