JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: "Jef H. HamLin" <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 31 Jan 2011 16:32:39 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (78 lines)
I'm in.  What would you like me to do?  Would love to cut off https:\\facebook

H

-----Original Message-----
From: Joebox User [mailto:[log in to unmask]] On Behalf Of Ray Soucy
Sent: Monday, January 31, 2011 4:17 PM
To: [log in to unmask]
Subject: MECguard SSL testing

The next Joebox software update seems to be running stable for most testers save a few minor bugs that are being fixed.

One outstanding item that needs testing is the SSL filter.

I am looking for a school that is willing to test this.  This can be tested a few hosts at a time (using MECguard groups).

If interested please contact Networkmaine by phone at 1-888-367-6756 (toll free) or 207-561-3587, or by email at [log in to unmask]




About the SSL filter:

1. A "Force MECguard SSL" checkbox is provided.  Checking this box will redirect all HTTPS requests (TCP port 443) to a block page unless they are made using the Joebox as a proxy server.

2. Browsers that are configured to use the Joebox as a proxy server for HTTPS provide the Joebox with the hostname of the requested site (not the full URL).  The Joebox makes a determination based on the hostname (e.g. facebook.com) and either allows the request or re-directs the user to a block page.

3. The Joebox provides a browser configuration script to properly configure proxy settings on client browsers using WPAD.  The auto-discovery for this is hinted by DNS, and requires that you create a "wpad" host record for the domain you're providing hosts through DHCP.  Some browser configuration is still required, but it's a matter of checking a box, rather than typing settings in, with the use of WPAD.




Management:

The SSL filter uses the same URL lists configured on the Joebox for normal HTTP.  Only entries that are hostname only will be matched.  For example: "facebook.com" will match, while "facebook.com/" will not.  The pre-defined category lists are already formatted such that hostnames are used for the majority of entries.

SSL makes use of the same override system as HTTP, and is managed in the same way.

The hostname accessed (e.g. facebook.com) will be logged as SSL requests in the MECguard log.




Background:

When a user attempts to access an SSL website, the computer connects to the IP address of the remote server, negotiates an encrypted session, then sends the request, including the requested URL, as an encrypted message.

Because the request is encrypted, there is no way to reliably determine the hostname of the destination website before the certificate is exchanged.

Attempts to intercept the traffic transparently (as we do with normal HTTP traffic) thus result in the browser rejecting the SSL certificate and producing endless SSL error messages.  This isn't usable in a production environment.

The only work-around for this involves installing a custom "root" certificate telling every browser to trust the Joebox without question.  This has the unfortunate consequence of introducing a significant attack vector as well as raising some ethical questions about viewing encrypted data (such as credit card numbers or personal records).  This is not the scope of the Joebox.

Instead, we opted to move to a proxy-based SSL filter.  When a web browser is configured to use an SSL proxy server it provides the proxy server with the hostname of the website requested (not the full URL).  The proxy server can then make an ALLOW or DENY decision based on the hostname, and choose to either permit the request or re-direct to a block page.  The proxy server in this model does not see unencrypted data, maintaining user privacy.

Like the SSL certificate method, this method also requires some client configuration.

There are other solutions for SSL available.  OpenDNS is a solution that re-writes domain names to point known sites that you wish blocked to a block server.

The old Bess system maintained a database of "bad" IP addresses for SSL websites to block.  This database is proprietary and could not be used for the Joebox.  Bess has the limitation of only being able to block SSL by IP address but the advantage of being a transparent solution.  Unfortunately, Bess is not cost effective to scale to the levels of bandwidth now enjoyed by MSLN participants and is being retired this year.

The MECguard SSL filter in the upcoming release is the official and recommended SSL filter for this year.




--
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
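The hostname-only ALLOW/DENY decision Ray describes above (the proxy sees only the CONNECT hostname, never the encrypted URL; list entries with a path are ignored; overrides are applied as for HTTP), written out as an added example that is not Joebox or MECguard code. It assumes subdomain matching (so www.facebook.com is caught by the entry facebook.com) and that an override entry takes precedence over the block list; the list contents are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a MECguard-style URL list. Per the message, only
# hostname-only entries take part in SSL (CONNECT) decisions; entries that
# carry a path, such as "facebook.com/", apply to plain HTTP only.
BLOCK_LIST = ["facebook.com", "facebook.com/", "example.net/games", "youtube.com"]
OVERRIDE_ALLOW = ["youtube.com"]  # hypothetical override entry (allow wins, assumed)

# Browser -> proxy request for an HTTPS site: "CONNECT host:port HTTP/1.x".
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:/]+):(\d+)\s+HTTP/1\.[01](?:\r?\n|$)")


def hostname_entries(entries: List[str]) -> set:
    """Keep only bare hostnames: 'facebook.com' counts, 'facebook.com/' does not."""
    return {e.strip().lower() for e in entries if e.strip() and "/" not in e.strip()}


def host_matches(host: str, entry_set: set) -> bool:
    """True if host equals an entry or is a subdomain of one (assumed semantics,
    so that www.facebook.com is caught by the entry facebook.com)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in entry_set for i in range(len(labels)))


def parse_connect(request: bytes) -> Optional[Tuple[str, int]]:
    """Return (hostname, port) from a CONNECT request line, or None otherwise."""
    m = CONNECT_RE.match(request.decode("ascii", errors="replace"))
    return (m.group(1), int(m.group(2))) if m else None


def decide(request: bytes, block_list: List[str], overrides: List[str],
           log: List[str]) -> str:
    """ALLOW/DENY a CONNECT using only the hostname, since the proxy never sees
    the encrypted URL. Overrides win over the block list; unknown hosts pass."""
    parsed = parse_connect(request)
    if parsed is None:                     # not a CONNECT: nothing to tunnel
        return "DENY"
    host, port = parsed
    if host_matches(host, hostname_entries(overrides)):
        verdict = "ALLOW"
    elif host_matches(host, hostname_entries(block_list)):
        verdict = "DENY"
    else:
        verdict = "ALLOW"
    log.append(f"SSL {host}:{port} {verdict}")  # logged as an SSL request
    return verdict
```

On DENY the real proxy would answer the CONNECT with a redirect to the block page instead of "200 Connection established"; the message does not state the exact response used, so it is left out here.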
