JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

From: Garry Peirce <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Wed, 8 Dec 2010 12:14:26 -0500

Jud,
Please refer to this message that we sent out to this list a few weeks ago.
Please call the HD if you wish to have your site's HTTPS traffic directed
through the Bess/N2H2 system.

=================

Joebox HTTPS Filtering

Recognizing that this email is fairly lengthy, here is a brief "executive
summary" of the salient points:

* HTTPS filtering is not currently feasible for most sites using the Joebox
as it is now.
* Joebox sites may opt to use Bess/N2H2 for HTTPS filtering until the end of
February break, 2011.
* Prior to the above date, a revised proxy-based filtering mechanism will be
made available on the Joebox.
* Joebox sites must transition away from the current Joebox implementation
or Bess/N2H2 prior to the above date.
* The Helpdesk will assist sites transitioning to Bess/N2H2 in the short
term, and to the improved Joebox filtering in the longer term.

Read on for the complete details.

As most of you are aware, the current implementation of HTTPS filtering on
the Joebox has some shortcomings.  In particular, the method currently
employed to filter HTTPS content generates certificate errors in all web
browsers for every domain visited, and even prevents some kinds of web
content from being displayed at all, regardless of filter settings.  And
although it is important to recognize that the nature of the HTTPS protocol
forces trade-offs by any filtering solution, for the reasons noted above few
sites have deployed the HTTPS filtering on their Joeboxes despite the desire
by many to filter HTTPS content. 

Networkmaine is endeavoring to address this filtering limitation of the
Joeboxes and as such we are working closely with MECnet, the developers of
the Joebox, on a solution that will be unveiled early next year, some
details of which are discussed below.  In the shorter term, however, we have
a temporary remedy that should allow Joebox sites to filter HTTPS content
without suffering the limitations of the current Joebox implementation
(though not without some minor drawbacks of its own).  For sites that wish
to make use of it, Networkmaine will enable legacy Bess/N2H2 filtering, for
HTTPS content only, for Joebox sites.  As any of you who have used it
previously are aware, Bess filtering has some shortcomings when applied to
HTTPS content, chief among them that it allows custom filtering by IP
address only (built-in categories do work normally however).  Additionally,
since Bess in this case would be only an adjunct to another filtering
solution operating on standard HTTP (be that MECguard on the Joebox or
something else run locally), there will be the added inconvenience of having
to manage filtering through two separate, unsynchronized interfaces.  As
Bess will be restricted in scope to only HTTPS content, however, it should
need less day-to-day management than the primary HTTP filter solution.

This Bess/N2H2 option will be offered for use beginning immediately until
the end of February break 2011, by which time the revised Joebox MECguard
HTTPS filtering solution will have been available for approximately two
months.  This should allow sufficient time for sites to migrate from the
temporary Bess solution to the new integrated MECguard solution.  The new
implementation of HTTPS filtering on the Joebox will be similar to the
method employed by DansGuardian, for any that are familiar with that
product.  In brief, enabling HTTPS filtering on the Joebox will implicitly
block outgoing connections on port 443, which will prevent any direct
attempts to access HTTPS web sites.  Clients requiring HTTPS access to the
Internet will need to be configured to use the Joebox as a proxy server for
the HTTPS protocol (either via a system-wide setting on each host or
per-browser).  This arrangement will allow HTTPS sites to be filtered based
on the hostname portion of the URL using the standard MECguard filtering
controls.  Note that content filtering HTTPS traffic (that is, filtering
based on keywords within a web page or URL) is not possible due to the
encrypted nature of the traffic involved, so filtering will be limited to
the hostname portion of the URL only.  Nevertheless, this still represents a
significant improvement over the filtering Bess offers for that type of
traffic, while eliminating the certificate-related problems of the current
MECguard implementation.  Be aware that this new MECguard HTTPS filtering
implementation will replace the existing one once deployed, so any sites
currently using the Joebox for HTTPS filtering will also need to migrate
during the aforementioned timeframe.

If you have any questions about this notice, or if you would like to have
the Bess HTTPS filtering enabled for your site, please do not hesitate to
contact the Helpdesk via one of the methods listed below.  The Helpdesk will
also be available to assist any sites needing help migrating from one
filtering solution to another as part of these changes.

Thank you,
Doretta S. Prior
Networkmaine Support Center Coordinator
Maine School and Library Network
University of Maine System
   Communications and Network Services
888-FOR-MSLN
www.msln.net
[log in to unmask]



> -----Original Message-----
> From: Joebox User [mailto:[log in to unmask]] On Behalf Of Judy Dorr
> Sent: Wednesday, December 08, 2010 11:39 AM
> To: [log in to unmask]
> Subject: blocking sites that begin with https
> 
> Can anyone share with me how to block sites that display the secure
> https prefix?
> thank you.
> 
> 
> Judy Dorr
> K-8 Technology Coordinator
> Boothbay Region Elementary School
> [log in to unmask]
> (207)633-5097
> "Computer tech people:  We don't believe in miracles, we rely upon
> them."
> 
> This email and any files transmitted with it are confidential and
> intended
> solely for the use of the individual or entity to which they are
> addressed. If you have received this email in error please notify the
> sender immediately and promptly destroy the email. Please note that any
> views do not necessarily represent those of Boothbay Region Elementary
> School. Finally, the recipient should check this email and any
> attachments
> for the presence of viruses. The school accepts no liability for any
> damage caused by any virus transmitted by this email. You are hereby
> notified that any use, dissemination, distribution and / or
> reproduction
> of this message, and or any attachments, by unintended recipients are
> unauthorized and may be unlawful. Thank you for your cooperation.
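
With the proxy arrangement the notice describes, the only thing the filter sees before encryption starts is the host and port in the client's CONNECT request, which is why filtering is limited to the hostname. The sketch below is an added example, not part of the original message and not MECguard or DansGuardian code; the blocklist, function names, sample requests and the choice to refuse IP-literal targets are assumptions.

```python
# Added illustration: hostname-only filtering of HTTPS via the proxy CONNECT line.
# Blocklist, names and policy choices are constructed for this example.
import ipaddress

BLOCKED_DOMAINS = {"blocked.example", "games.example"}  # hypothetical site policy
ALLOWED_PORTS = {443}                                   # tunnel HTTPS only

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    if not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None
    # Normalise: drop IPv6 brackets, case and a trailing root dot.
    return host.strip("[]").lower().rstrip("."), int(port)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_blocked(host):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def decide(request_line):
    """Return (status, reason) the proxy would answer the CONNECT with."""
    target = parse_connect(request_line)
    if target is None:
        return 400, "malformed CONNECT"
    host, port = target
    if port not in ALLOWED_PORTS:
        return 403, "port not permitted"
    if is_ip_literal(host):
        # Assumed policy: an IP target carries no hostname to filter on.
        return 403, "IP literal: no hostname to match"
    if domain_blocked(host):
        return 403, "hostname on blocklist"
    return 200, "tunnel established"
```

Nothing after the 200 response is readable by the proxy, so the path and page content of the HTTPS request never reach `decide`.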
