Read the following to understand SSL basics.
Read our SSL Explained whitepaper in order to learn what SSL does and how it impacts your web browsing and you school’s filtering needs.
SSL in the Real World
Read about real-world uses for SSL decrypting.
Lightspeed’s Web Filter and SSL
By design SSL traffic is fully encrypted. This encryption detects any attempt to decrypt this traffic between the user machine and the server and if any is found it will shutdown the connection. This is a good thing because we all rely on the safety on encrypted transactions every day. Without this safety we would not be able to do things like online banking and online shopping.
What this means from a filtering perspective is that the data in the packets including the full URL is not readable. This does not mean that the Lightspeed Systems Web Filter cannot properly filter SSL (https) traffic; however, this does mean that this traffic is handled differently.
At a minimum during the https handshake phase, the domain name of the host server is shared as part of the SSL certificate. For the majority of websites this provides appropriate policy decisions.
With modern browsers and operating systems the filter not only receives the domain’s name (e.g., .google.com) but also the specific host (e.g., mail.google.com). This allows web filters to make differentiated decisions on host names where multiple services are provided within a single domain. (This ability is very important for appropriate policy decisions with, for example, Google websites.) In order to bypass the issues caused by SSL, we recommend that our users use their Lightspeed Rocket as a Proxy Server in order to decrypt SSL traffic. Learn more about Proxy Servers here.
If you desire full URL detail for SSL sessions, the Lightspeed Systems Web Filter can also provide this capability through the use of an SSL proxy. When an SSL proxy is used the proxy server becomes a trusted man in the middle. Because the proxy server is trusted it is allowed to decrypt the data portion of the packet and allows the web filter to make decisions in exactly the same way that non encrypted traffic is analyzed.
Learn more about SSL Certificates.
Here are 6 things you should know about filtering SSL.
SSL and Google Sites
Schools are increasingly turning to Google services for productivity, collaboration, communication, research, and more. And when they do, the biggest challenge is being able to monitor and filter user activity across that encrypted Google traffic. Once traffic is encrypted (as Google and other services increasingly are), it’s more difficult to get full information on the URLs and activity for your web filtering and reporting. The solution is decrypting Google-bound traffic as a trusted man in the middle proxy.
Read more about SSL and Google Sites here.
In addition, decrypting Google sites can help with:
Utilize the following information to determine which filtering option is best for you.
Block SSL Traffic
Most restrictive but safest options. Will not be able to use Google, YouTube, Khan Academy, and other educational resources.
Default. (Encypt SSL/Decode SSL not selected.)
Decode SSL Traffic
Inspects SSL certificates and SNIs and controls traffic through block/allow lists. Can selectively allow or disallow sites. Can get domain information but not full URL details, so you won’t see what users are searching for or what URLs they’re visiting on a site like YouTube.
Inline Filter – Decode SSL certificates enabled and then put sites in locally blocked/locally allowed category. Link.
Decrypt SSL Traffic
Uses a trusted man-in-the-middle proxy with the Web Filter in Proxy mode. Best option for filtering Google sites and others. You will see exact searches and URLs visited on sites like YouTube.
Enable Decrypt SSL Traffic. Link.
Configure Rocket as a Server. Link.