Recognizing that this email is fairly lengthy, here is a brief "executive summary" of the salient points:

 

* HTTPS filtering is not currently feasible for most sites using the Joebox as it is now.

* Joebox sites may opt to use Bess/N2H2 for HTTPS filtering until the end of February break, 2011.

* Prior to the above date, a revised proxy-based filtering mechanism will be made available on the Joebox.

* Joebox sites must transition away from the current Joebox implementation or Bess/N2H2 prior to the above date.

* The Helpdesk will assist sites transitioning to Bess/N2H2 in the short term, and to the improved Joebox filtering in the longer term.

 

Read on for the complete details.

 

As most of you are aware, the current implementation of HTTPS filtering on the Joebox has some shortcomings. In particular, the method currently employed to filter HTTPS content generates certificate errors in all web browsers for every domain visited, and even prevents some kinds of web content from being displayed at all, regardless of filter settings. And although it is important to recognize that the nature of the HTTPS protocol forces trade-offs by any filtering solution, for the reasons noted above few sites have deployed the HTTPS filtering on their Joeboxes despite the desire by many to filter HTTPS content.

 

Networkmaine is endeavoring to address this filtering limitation of the Joeboxes and as such we are working closely with MECnet, the developers of the Joebox, on a solution that will be unveiled early next year, some details of which are discussed below.  In the shorter term, however, we have a temporary remedy that should allow Joebox sites to filter HTTPS content without suffering the limitations of the current Joebox implementation (though not without some minor drawbacks of its own).  For sites that wish to make use of it, Networkmaine will enable legacy Bess/N2H2 filtering, for HTTPS content only, for Joebox sites.  As any of you who have used it previously are aware, Bess filtering has some shortcomings when applied to HTTPS content, chief among them that it allows custom filtering by IP address only (built-in categories do work normally however).  Additionally, since Bess in this case would be only an adjunct to another filtering solution operating on standard HTTP (be that MECguard on the Joebox or something else run locally), there will be the added inconvenience of having to manage filtering through two separate, unsynchronized interfaces.  As Bess will be restricted in scope to only HTTPS content, however, it should need less day-to-day management than the primary HTTP filter solution.

 

This Bess/N2H2 option will be offered for use beginning immediately until the end of February break 2011, by which time the revised Joebox MECguard HTTPS filtering solution will have been available for approximately two months.  This should allow sufficient time for sites to migrate from the temporary Bess solution to the new integrated MECguard solution.  The new implementation of HTTPS filtering on the Joebox will be similar to the method employed by DansGuardian, for any that are familiar with that product.  In brief, enabling HTTPS filtering on the Joebox will implicitly block outgoing connections on port 443, which will prevent any direct attempts to access HTTPS web sites.  Clients requiring HTTPS access to the Internet will need to be configured to use the Joebox as a proxy server for the HTTPS protocol (either via a system-wide setting on each host or per-browser).  This arrangement will allow HTTPS sites to be filtered based on the hostname portion of the URL using the standard MECguard filtering controls.  Note that content filtering HTTPS traffic (that is, filtering based on keywords within a web page or URL) is not possible due to the encrypted nature of the traffic involved, so filtering will be limited to the hostname portion of the URL only.  Nevertheless, this still represents a significant improvement over the filtering Bess offers for that type of traffic, while eliminating the certificate-related problems of the current MECguard implementation.  Be aware that this new MECguard HTTPS filtering implementation will replace the existing one once deployed, so any sites currently using the Joebox for HTTPS filtering will also need to migrate during the aforementioned timeframe.

 

If you have any questions about this notice, or if you would like to have the Bess HTTPS filtering enabled for your site, please do not hesitate to contact the Helpdesk via one of the methods listed below.  The Helpdesk will also be available to assist any sites needing help migrating from one filtering solution to another as part of these changes.

 

Thank you,

Doretta S. Prior

Networkmaine Support Center Coordinator

Maine School and Library Network

University of Maine System

Communications and Network Services

888-FOR-MSLN

www.msln.net

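Added illustration, not part of the original notice and not MECguard or DansGuardian code: when a browser is configured to use a proxy for HTTPS, it sends a plaintext `CONNECT host:port` request before the TLS session starts, which is why the notice says filtering is limited to the hostname. The Python below makes the allow/deny decision on that request line; the blocklist entries and function names are hypothetical.

```python
# Hostname-only filtering of proxied HTTPS, decided on the CONNECT request line.
# The URL path, query string and page content travel inside the TLS tunnel and
# are never visible here. All names and list entries are constructed samples.

BLOCKED_DOMAINS = {"blocked.example", "games.example.net"}
ALLOWED_PORTS = {443}  # refuse tunnels to anything but the HTTPS port


def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None if malformed."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    # Normalise: drop IPv6 brackets and a trailing dot, compare case-insensitively.
    host = host.strip("[]").rstrip(".").lower()
    return (host, int(port)) if host else None


def is_blocked(host):
    """Match the host itself or any parent domain, on label boundaries only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def decide_connect(request_line):
    """Return the status line the proxy would send back for one CONNECT request."""
    target = parse_connect(request_line)
    if target is None:
        return "HTTP/1.1 400 Bad Request"
    host, port = target
    if port not in ALLOWED_PORTS or is_blocked(host):
        return "HTTP/1.1 403 Forbidden"
    return "HTTP/1.1 200 Connection established"


if __name__ == "__main__":
    for line in (
        "CONNECT mail.example.org:443 HTTP/1.1",       # allowed
        "CONNECT www.blocked.example:443 HTTP/1.1",    # subdomain of a blocked domain
        "CONNECT notblocked.example:443 HTTP/1.1",     # similar name, different domain
        "CONNECT mail.example.org:22 HTTP/1.1",        # non-HTTPS port
    ):
        print(f"{line!r} -> {decide_connect(line)}")
```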