You may want to start blocking https://google.com/ before the students (and teachers) start using it to evade your proxy server(s).
Source: http://www.wired.com/threatlevel/201...rypted-search/
Google will begin letting users run encrypted searches on its flagship search site Google.com starting next week, the company said in a blog post Thursday.
Allowing users to search using https - the web security system which many associate with online banking and shopping — would mark a first for a major search engine, and could begin a move by web services such as social networks to begin offering encryption for more than just log-ins. Such increased adoption would cut down on network eavesdropping and also have the added benefit of preventing some online attacks.Google turned on encryption — better known as https:// — as a default for Gmail users earlier this year. That encrypts the data sent between a user’s browser and Google’s servers, making it nearly impossible for someone in the middle to read the contents of that e-mail. When not using SSL, a user of a school or corporate network can have their e-mail and web traffic content read by authorities who control the network, while anyone using an open Wi-Fi connection can have their traffic sniffed by a hacker using simple tools.
Handily, I'm pretty sure the RM SmartCache doesn't have the ability to differentiate between HTTP and HTTPS. If it does have such a setting, I can't find it.
At least they won't be able to get through to the actual results, since those will still be via HTTP; Google is only presenting it's own pages via HTTPS, not proxying the sites it finds, unless I'm mistaken. That said, anyone know if the cache servers will also be HTTPS?
The SmartCache is pretty rubbish when it comes to HTTPS. The way I understand it is that once a user signs into the encrypted Google search engine (or any SSL website for that matter) it would be impossible to block things like search terms because nothing after https://google.com/ would be shown. In the case of the SmartCache I don't think it logs any HTTPS URLs. This is one of the reasons we are looking at alternative proxies like SmoothWall.
Unless you add exceptions like the ones listed below it would also mean things such as Google Calendar would be filtered too. I know my headteacher uses this so he wouldn't be too happy if I blocked https://google.*/*.
Code:docs.google.*/* groups.google.*/* knol.google.*/* mail.google.com/* sites.google.*/* spreadsheets.google.*/* google.*/bookmarks/* google.*/calendar/* google.*/contacts google.*/dictionary* google.*/finance* google.*/history/* google.*/notebook/* google.*/reader/* google.*/voice/* google.*/webmasters/tools/*
That's true. It will be interesting to see if they do the Cache URLs too.Originally Posted by AngryTechnician
I would expect my lovely Smoothwall to be able to not suffer with this as it unencrypts the SSL traffic to analyse itGo Smoothwall
Out of technical curiosity, how does that work in Smoothwall? Do they use CA subversion or some other mysterious method?I would expect my lovely Smoothwall to be able to not suffer with this as it unencrypts the SSL traffic to analyse it
Its wizardy, but it works
As for a more techy explanation the Smoothwall guys on here are probably best to explain it rather than me as all I know is it works and stops the kids getting onto proxies (I don't SSL filter my staff just students)
I'm just laughing at the whole concept.
Google preventing "man-in-the-middle" eavesdropping.
THEY ARE the "men-in-the-middle"!
Si
OK, that's exactly how I thought it would work, thanks.
About time that encrypted searches were offered. I would be happier if the default for everything was https.
<pulls down foil hat even tighter>
Yeah, cause .gov wouldn't require ISPs to do MITM attacks would they? "As part of your Broadband setup, just run this handy utility to configure your network settings." < -- Boom, cert installed.
The RM Smartcache cant see any search strings in a HTTPS site. They even did an update recently becuase it didn't show any HTTPS sites at all.
You cannot create a deny rule for https://google.com on the smartcache as it would come out as http://https://google.com I would think. I can only think of changing the host file maybe?
That was my understanding too - it will permit them to hide what they're searching for, but not hide their activity thereafter. IE8's InPrivate Browsing (by default, enabled on RM's config of it), on the other hand...
InPrivate only stops history being stored on the browser. The traffic still has to go through your proxy, and will still be picked up by central filtering and logging systems.
It will be very interesting how this pans out for filtering, as we will be totally stuck if they implement this as all we can do is block addresses such as google.com not specific variants eg google.com:443
If the results are delivered in plain text, it would be pointless as a lot of the time the search query is obvious from the web address. I expect that if the whole site is HTTPS then parts such as the 'cached' section could prove interesting as could the ability to remove the safesearch filters!
And what information are YOU searching for then?About time that encrypted searches were offered. I would be happier if the default for everything was https.
Si
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote
