JOEBOX-L Archives

Joebox User

JOEBOX-L@LISTS.MAINE.EDU

Subject:
From: Ray Soucy <[log in to unmask]>
Reply To: Joebox User <[log in to unmask]>
Date: Mon, 31 Jan 2011 16:16:57 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (116 lines)

The next Joebox software update seems to be running stable for most
testers save a few minor bugs that are being fixed.

One outstanding item that needs testing is the SSL filter.

I am looking for a school that is willing to test this.  This can be
tested a few hosts at a time (using MECguard groups).

If interested please contact Networkmaine by phone at 1-888-367-6756
(toll free) or 207-561-3587, or by email at [log in to unmask]




About the SSL filter:

1. A "Force MECguard SSL" checkbox is provided.  Checking this box
will redirect all HTTPS requests (TCP port 443) to a block page unless
they are made using the Joebox as a proxy server.

2. Browsers that are configured to use the Joebox as a proxy server
for HTTPS provide the Joebox with the hostname of the requested site
(not the full URL).  The Joebox makes a determination based on the
hostname (e.g. facebook.com) and either allows the request or
re-directs the user to a block page.

3. The Joebox provides a browser configuration script to properly
configure proxy settings on client browsers using WPAD.  The
auto-discovery for this is hinted by DNS, and requires that you create
a "wpad" host record for the domain you're providing hosts through
DHCP.  Some browser configuration is still required, but it's a matter
of checking a box, rather than typing settings in, with the use of
WPAD.




Management:

The SSL filter uses the same URL lists configured on the Joebox for
normal HTTP.  Only entries that are hostname only will be matched.
For example: "facebook.com" will match, while "facebook.com/" will
not.  The pre-defined category lists are already formatted such that
hostnames are used for the majority of entries.

SSL makes use of the same override system as HTTP, and is managed in
the same way.

The hostname accessed (e.g. facebook.com) will be logged as SSL
requests in the MECguard log.




Background:

When a user attempts to access an SSL website, the computer connects
to the IP address of the remote server, negotiates an encrypted
session, then sends the request, including the requested URL, as an
encrypted message.

Because the request is encrypted, there is no way to reliably
determine the hostname of the destination website before the
certificate is exchanged.

Attempts to intercept the traffic transparently (as we do with normal
HTTP traffic) thus result in the browser rejecting the SSL certificate
and producing endless SSL error messages.  This isn't usable in a
production environment.

The only work-around for this involves installing a custom "root"
certificate telling every browser to trust the Joebox without
question.  This has the unfortunate consequence of introducing a
significant attack vector as well as raising some ethical questions
about viewing encrypted data (such as credit card numbers or personal
records).  This is not the scope of the Joebox.

Instead, we opted to move to a proxy-based SSL filter.  When a web
browser is configured to use an SSL proxy server it provides the proxy
server with the hostname of the website requested (not the full URL).
The proxy server can then make an ALLOW or DENY decision based on the
hostname, and choose to either permit the request or re-direct to a
block page.  The proxy server in the model does not see unencrypted
data, maintaining user privacy.
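To illustrate the proxy-based decision described here and the hostname-only matching rule from the Management section, the following is an added example (not Joebox or MECguard code). It assumes the browser's proxy request is a standard HTTP CONNECT line, that list entries are one per line with `#` comments, and that a hostname entry also covers its subdomains.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# Constructed sample list in the Joebox URL-list style: hostname-only
# entries apply to SSL, entries containing a path are HTTP-only.
SAMPLE_BLOCK_LIST = """
facebook.com
example.org/games
# comment lines are ignored (assumption, not from the message)
video.example.net
"""

# A browser using an HTTPS proxy sends "CONNECT host:port HTTP/1.x"; only the
# hostname (never the full URL) is visible to the proxy.
CONNECT_RE = re.compile(r"^CONNECT\s+([^\s:/]+)(?::(\d+))?\s+HTTP/1\.[01]\r?$")


def ssl_hostnames(entries: Iterable[str]) -> Set[str]:
    """Keep only hostname-only entries: 'facebook.com' yes, 'facebook.com/' no."""
    hosts = set()
    for raw in entries:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#") or "/" in entry:
            continue
        hosts.add(entry)
    return hosts


def connect_hostname(request_line: str) -> Optional[str]:
    """Extract the hostname the browser hands the proxy in a CONNECT request."""
    match = CONNECT_RE.match(request_line)
    return match.group(1).lower() if match else None


def decide(hostname: str, blocked: Set[str]) -> str:
    """ALLOW or DENY by hostname; an entry also matches its subdomains (assumption)."""
    labels = hostname.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return "DENY"
    return "ALLOW"


def filter_connect(request_line: str, block_list_text: str) -> Tuple[str, str]:
    """Return (decision, log line); anything that is not a CONNECT is denied."""
    host = connect_hostname(request_line)
    if host is None:
        return "DENY", "SSL request: <unparseable> DENY"
    verdict = decide(host, ssl_hostnames(block_list_text.splitlines()))
    return verdict, f"SSL request: {host} {verdict}"
```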

Like the SSL certificate method, this method also requires some client
configuration.

There are other solutions for SSL available.  OpenDNS is a solution
that re-writes domain names to point known sites that you wish blocked
to a block server.

The old Bess system maintained a database of "bad" IP addresses for
SSL websites to block.  This database is proprietary and could not be
used for the Joebox.  Bess has the limitation of only being able to
block SSL by IP address but the advantage of being a transparent
solution.  Unfortunately, Bess is not cost effective to scale to the
levels of bandwidth now enjoyed by MSLN participants and is being
retired this year.

The MECguard SSL filter in the upcoming release is the official and
recommended SSL filter for this year.




-- 
Ray Soucy

Epic Communications Specialist

Phone: +1 (207) 561-3526

Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
