CAUTION! Google broke through your filter, test it before your students do!

So Google broke your filtering and you did not even know it?

From what I can gather, just about every school that has the Internet now has a huge hole in their Internet filtering and they do not even know it. I found out the hard way so you don't have to!

Try this. Go to http://www.google.com and search for something objectionable that you would expect to be blocked. Let's say 'sex'. The result should be that the search is blocked.

 

NOW, go to https://www.google.com (note the 's' after http) and try the same search. Hopefully it will be blocked for you; however, for most schools it will not be. It all has to do with encryption.

To help you understand what has gone wrong, you need to understand how the filtering works (note: I am not a systems expert, but this is it as I see it).

When a student makes a search enquiry, their terminal or device asks (or queries) the filter if it can go and look on the Internet for images or posts of what was searched for. At this time the filter looks at the list of 'black listed' search items and either allows or denies the search. At this stage the search is hopefully blocked if it is looking for something objectionable.

However, an encrypted search is different. It is kind of like the device or terminal asking the filter if it can look on the Internet for something, but instead of asking in English, the language the filter understands, it asks in French, or another language that the filter does not understand! The filter compares the word to its 'black listed' words and, as it does not recognise the search query as something of concern, it allows the search to happen!
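What the filter can and cannot read in each case, as an added example (not code from this post or from any filter product): it runs a keyword check over a plain http search request and over the opening bytes of an https connection to the same site, which Python's `ssl` module builds locally without touching the network. The blacklist word, the sample request and all function names are constructed for the illustration.

```python
import ssl
from urllib.parse import urlsplit, parse_qs

# Constructed samples: a stand-in blacklist and an unencrypted search request.
BLOCKED_WORDS = {"blockedword"}
HTTP_REQ = b"GET /search?q=blockedword+pictures HTTP/1.1\r\nHost: www.google.com\r\n\r\n"

def client_hello(hostname):
    """First bytes a browser sends for https://hostname (built locally, no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for a server reply
    return outgoing.read()

def u16(data, pos):
    return int.from_bytes(data[pos:pos + 2], "big")

def sni_hostname(data):
    """Pull the unencrypted server name out of a TLS ClientHello, or return None."""
    pos = 5 + 4 + 2 + 32            # record header, handshake header, version, random
    pos += 1 + data[pos]            # session id
    pos += 2 + u16(data, pos)       # cipher suites
    pos += 1 + data[pos]            # compression methods
    end = pos + 2 + u16(data, pos)  # end of the extensions block
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = u16(data, pos), u16(data, pos + 2)
        if ext_type == 0:           # server_name extension
            return data[pos + 9:pos + 9 + u16(data, pos + 7)].decode("ascii")
        pos += 4 + ext_len
    return None

def filter_view(first_bytes):
    """(protocol, hostname, search words) as a filter on the wire can read them."""
    if first_bytes[:1] == b"\x16":  # TLS handshake: the search itself follows encrypted
        return "https", sni_hostname(first_bytes), None
    lines = first_bytes.decode("latin-1").split("\r\n")
    host = next(l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("host:"))
    query = urlsplit(lines[0].split(" ")[1]).query
    return "http", host, parse_qs(query).get("q", [""])[0].lower().split()

def decide(first_bytes):
    _, _, words = filter_view(first_bytes)
    if words is None:
        return "allow (search words not visible)"
    return "block" if BLOCKED_WORDS & set(words) else "allow"
```

For the https connection the filter can still read the site name, but the searched words never appear in a form it can compare against its list.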

This is bad news for Internet safety at school! There are two (maybe three) possible solutions to fix this, one that suits schools and one that does not. One is deep packet inspection and the other is DNS redirecting.

SOLUTION ONE: Deep Packet Inspection (DPI) is, in its simplest form, like having a translator working with the filter. The 'safe' search is presented in another language and the translator (i.e. the Deep Packet Inspector) translates the search for the filter, and the filter can then decide if it will allow the search to happen based on the list of 'BAD' words that it is not allowed to let through. If the search is allowed to be completed, the translator translates it back into a language that is similar to the language that the search first came through in. The trouble with DPI in schools is that it is very expensive to get a grunty enough filter to complete the inspection quickly and thoroughly, and at the moment it seems to 'break' Google Docs/Apps/Drive.

SOLUTION TWO: Redirect your DNS so that when a student or other user tries to go to https://www.Google.com (note the 's' again), it redirects back to the 'http', more visible version. This way the students/users are ONLY allowed to complete searches that are in the language that the filter speaks.

?SOLUTION THREE: Disable the Internet. Obviously this is not a popular or maybe even a real option for most in the long term. However, are you prepared to deal with parents whose children have been able to access inappropriate material at your school? What about the possible media fallout? Your call, but it might be worth considering in the short term if you have found the issue exists at your school.

Bottom line: you may not understand all that is above, but if the https search 'broke' through your filter when you did the test above, you need to talk to someone.
