Update on Google Encrypted Services

Note: The original post has been modified to reflect the latest information and status from our conversations with Google.

Disclaimer: this is a long post, but filtering and accessing Google services is a top concern for our customers, so I wanted to explain things clearly and in detail.

Google is actively moving all of its services to delivery over fully encrypted (HTTPS) connections. Many of these services have been encrypted for some time, and we have made it a priority to work with Google to help them move these services to encrypted connections in a way that still allows schools the effective web filtering they need. While we work with Google on these solutions, we have added features to the Web Filter to work around the issue. One example is the failsafe feature that is an option in our Web Filter policies.

SNI

As Google began moving more of its offerings to encrypted connections, it did make one change to its implementation that made differentiating these services possible: it began using an extension to SSL called SNI (Server Name Indication). Without SNI, the only information the Web Filter has to evaluate during an encrypted connection is the IP address and the certificate name, which in most cases, including Google's, is a wildcard certificate (*.google.com) that identifies the domain but not the specific host. When SNI is in use, the Web Filter is also given the specific host the user is accessing, such as mail.google.com or drive.google.com. This allows a school to apply differentiated policies that will, for example, allow an encrypted connection to Google Drive but block the connection to mail.google.com.

For some time this has given schools the flexibility they were looking for in applying policies to the use of Google services. Initially the only limitation was that Internet Explorer on Windows XP did not support the SNI extension; Microsoft chose not to update that operating system to support it. In response to this problem we added the Google Failsafe feature to our policies. This puts an additional protection in place so that if a user on IE on Windows XP attempts to access an unidentified Google service, the school can choose to either block or allow this traffic. The school also has the option of installing any other browser on Windows XP (such as Chrome or Firefox) for proper identification of the encrypted connection.

When the primary devices on a school network were desktops and laptops running Windows, Mac OS or Linux, this solution provided a good balance between protection and over-blocking. Today schools face new challenges in dealing with Google services. Google moving more services to encrypted connections, together with the introduction of mobile devices and specialized apps such as the Google Play Store on Android or the Google Drive app for Windows, limits the usefulness of these options because support for SNI in these specialized apps varies greatly. Some versions of the apps support it and others do not. For the apps that do not support SNI, the connection looks very much like IE on Windows XP: the traffic can only be identified as a generic encrypted Google connection, and selective policies based on service can't be applied.
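The three cases above (SNI present, SNI absent because the client does not send it, and the failsafe decision for an unidentified Google connection) are easiest to see in code. The following is an added example written for this post, not code from Lightspeed Systems or from the Rocket Web Filter: it parses the host_name out of the SNI extension of a TLS ClientHello and applies a per-host policy, falling back to a failsafe action when no SNI is present. The ClientHello bytes are constructed inline for the example; the host policy table and the `decide` function are hypothetical and stand in for whatever the filter's real policy engine does. The certificate name (the wildcard *.google.com) is not examined here, since it only arrives in the server's reply.

```python
import struct

# TLS extension type 0 is server_name (SNI); name_type 0 is host_name.
SNI_EXT_TYPE = 0x0000
HOST_NAME_TYPE = 0

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test data, not a capture).
    With server_name=None the client behaves like IE on Windows XP: no SNI."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random
    body += b"\x00"                               # empty session_id
    body += b"\x00\x02" + b"\xc0\x2f"             # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext  # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip client_version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # compression_methods
    if len(body) < pos + 2:
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end <= len(body):
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + data_len]
        pos += data_len
        if ext_type != SNI_EXT_TYPE or len(data) < 5:
            continue
        entries = data[2:2 + struct.unpack("!H", data[0:2])[0]]
        i = 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            name = entries[i + 3:i + 3 + name_len]
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                return name.decode("ascii", errors="replace")
            i += 3 + name_len
    return None

# Hypothetical per-host policy for identified Google services.
HOST_POLICY = {
    "drive.google.com": "allow",
    "mail.google.com": "block",
}

def decide(record, failsafe="block"):
    """Return (identified_host, action). Without SNI the connection is only a
    generic encrypted Google connection, so the failsafe setting decides."""
    host = extract_sni(record)
    if host is None:
        return None, failsafe
    return host, HOST_POLICY.get(host, failsafe)

if __name__ == "__main__":
    for name in ("drive.google.com", "mail.google.com", None):
        print(name, "->", decide(build_client_hello(name)))
```

Running the block shows drive.google.com allowed, mail.google.com blocked, and the SNI-less ClientHello handled by the failsafe setting alone, which is exactly the situation the post describes for IE on Windows XP and for apps that do not send SNI.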

I recently had an opportunity to discuss these difficulties with a Senior Product Manager at Google and he not only recognized that these issues are causing difficulties for schools but he said he will talk to the leaders of all the various product groups to make changes on their side to resolve them.

So what does this mean for school customers? There are three primary options:

Option 1: Find the solutions and services that work best in your district, and use redirects when necessary to point users to your preferred solution.

Option 2: Continue to use the Failsafe option. Schools that have not adopted Google Apps for Education (GAFE) and are not widely using Android-based mobile devices will probably not have any negative impact.

Option 3: Utilize the proxy mode in the Web Filter. By running the Lightspeed Systems Rocket as a trusted Man-In-The-Middle encrypted proxy, the school will have full access to the URL that the user is accessing and can fully identify the resource and make differentiated policy decisions.


I would also like to point out that these issues are not unique to the Lightspeed Systems Web Filter. These challenges will exist in any web filtering solution. At Lightspeed Systems, we are committed to providing schools with effective web filtering solutions, as well as bringing issues such as this to your attention when we discover them. We will continue to advocate for schools whenever we have discussions with Google and other service providers. We will continue to monitor their encrypted implementations for any changes that will make these services more effective for schools, and we will make any necessary changes in the Web Filter to support them.

Rob

  • Anonymous says:

    I can’t help but be off-put by the seemingly abrasive attitude of this post. Yes, the internet changes. This is one of the reasons Firefox has a 6-week release cycle because the changes are just that fast paced. Companies need to be able to adjust to the changes as they happen. Google’s refusal to alter their plans in order to accommodate Lightspeed shouldn’t be surprising and Lightspeed should already be researching as well on ways to adapt.

    Google, like many US-based tech companies, is facing increased scrutiny abroad given what’s been leaked concerning the NSA and Google is simply reacting accordingly. Is it disappointing? Of course but it’s Lightspeed’s job to adapt as well. Simply saying “sorry guys Google won’t help us so here are 2 terrible options and 1 not great option” is not an attitude that is going to gain any goodwill with your customer base.

    We look forward to hearing what Lightspeed’s research and development team comes up with!

    • Anonymous says:

      Lightspeed doesn’t control what Google does. Lightspeed doesn’t control the OS protocols. Encryption happens at the PC and traffic comes out encrypted. How is Lightspeed supposed to fix that? Lightspeed could choose to have more of a key logger agent which could help but I think people wouldn’t really like that level of spying even if it is intended to keep the kids safe. The NSA has put all schools in a real bind by the spying. Google is doing what it sees as best for security. CIPA compliance is the other thing that is killing us. So our government has put us in between a rock and a hard place for filtering. Filtering was easy when connections weren’t secured. Now it seems like a proxy is the only way around this, to have a man in the middle. That kind of bites but I don’t see alternatives for LS. – Mike

    • Rob Chambers says:

      I am sorry that you felt this post was seemingly abrasive. That was not my intent. It was rather an attempt to inform our customers of a situation that exists and the options that can be used depending on the specific needs of their individual environments.

      We certainly recognize that the internet is constantly changing and we take pride in our products’ ongoing ability to adapt to these changes. One area that we take very seriously is providing appropriate access to this ever changing web content in the classrooms around the world. By the design of HTTPS traffic, any non-proxy based web filter cannot see the details of any web activity. While I understand that this presents some challenges for schools this is actually a very good thing. If this were not true we could not trust any online shopping, banking or many other activities. For most web filtering decisions this is not a problem. For instance a district can decide if their local policies allow teachers to browse Amazon during the school day. If allowed the school has web activity reports that will inform the administrators if a user is spending too much time browsing shopping. Google is a different challenge. They are not simply offering one service such as shopping or banking but a multitude of services, some that schools may want or need to block and others that they may want or need to allow. Completely within their rights as a software company, they have made decisions that in certain circumstances make it impossible without a trusted proxy to distinguish between these services. Because this situation can cause frustration for customers if they are not aware of these issues, I felt it was in the best interest of our customers to write this post.

      We’ll always be working toward new and smart ways to help our customers adapt to the changing internet and to safely allow access to valuable web resources.

  • Mark Lewandowski says:

    We ended this school year with 2x 10G appliances taking a peak of 5.26G of traffic. So how many proxy (I think Lightspeed uses Squid) boxes would that be?

  • henry danielson says:

    We use GAFE and the web proxy for our 1:1 iPads grades 6-12. We have not had any issues with GAFE. When will this change occur and what would be our best option? Sorry if I did not understand thanks so much for the advice!

    I posted this and got this error.

    You are posting comments too quickly. Slow down.
    HD

  • Steve says:

    Rob,
    I for one appreciate the frank and candid presentation you gave of what is coming and what our options, bad to best, may be to meet these challenges. We also use GAFE and need to stay abreast of best practice, common sense, content filtering without pinching off needed access to websites for legitimate educational purposes.

    Keep us posted as things develop.
    Thanks,
    Steve Schellenberg
    Snake River Schools

  • Joel Armstrong says:

    Rob,

    I would also like to thank you for a job well done conveying upcoming changes. It is of great value to me when people warn of an upcoming road bump and (just as important) lay out the best options currently available for minimizing impact to our district.

    Thank you,

    Joel Armstrong
    Temple Independent School District
