You may have noticed recently that sites and services that used to be on good old Hypertext Transfer Protocol (HTTP) are migrating towards encryption. This technology, initially the preserve of financial institutions, is coming to a site near you: Facebook recently announced that they are slowly opting their users into HTTPS.
Protecting the highly personal information of users from network sniffing tools and lowering the risk of cookie hijack are welcome benefits of encryption. It’s not perfect but it does represent a significant step forward.
But, and you knew there had to be a but, as the web moves increasingly towards Secure Sockets Layer (SSL), this does create problems for schools as they seek to ensure that the content being reached supports their teaching and learning goals. The need to filter the traffic doesn’t change, and hence it has to be intercepted and decrypted.
In some cases, schools may face an invidious choice – block an encrypted site completely or undertake an intrusive “Man in the Middle” inspection. The inspection approach is probably fine on the school’s own devices, although there may still be some privacy concerns, but when students bring their own devices it becomes trickier. MitM inspection on mobile devices is far more intrusive both technically and in the perception of the device owner – it’s my device and my traffic, hands off!
There are no simple solutions here. It’s relatively straightforward to work out the ultimate destination of most HTTPS traffic (search engines, social media, information sites), but just knowing the address of the site isn’t enough to make decisions. A great example is forcing safesearch. This is pretty important for schools, but in an HTTPS world, without full decryption, you don’t get that granularity of control.
As concerns about the security of our online identities grow, the migration to HTTPS is not going to stop. If anything, we would expect to see the pace pick up as more and more site owners see their peers doing the same. The only limiting factor is that for large sites the computational overhead of fully encrypted traffic is significant and there’s a cost/benefit question to answer.
At the same time, the demand for providing filtered access to the web is growing stronger. It’s going to be a long, interesting and probably bumpy ride for us all. How are you planning to deal with it?
Author: Tom Newton, product manager, Smoothwall