Translation Available תרגום זמין Traduction Disponible

לקרוא את הבלוג הזה בעברית, לתרגם הוא בצד הימין Pour traduire ce blog en Français, utiliser le bouton de traduction sur la droite de la page.

Thursday, April 9, 2015

YouTube and Why your filter doesn't work any more....

As you can tell from this post's title, it is going to be a "wee bit" technical.  Sorry about this, but the SSL issue and YouTube is a very important topic.

So, what's the deal?

Well, as members of the consortium - and my blog readers, there is a problem and I need to make you aware of it.  It is one of the reasons to join the consortium after all.... to be made aware of concerns that crop up in the wonderful world of school tech. (yes, another shameless plug for membership - it does have its privileges!)

Google, the owners of YouTube, has taken great measures to secure their web traffic from hackers and Internet Pirates. Those special measures are wreaking havoc with school Internet filters.

The way Google (and banks and credit card companies) protect and encrypt their Internet traffic, is by using SSL - or Secured Socket Layer.  You know, that "https://" that you see before the website name.  It means "httpSECURE."

The way this works is that Google (or the bank, etc.)  issues a security certificate that is placed on the main root servers of the Internet.  So now, whenever a computer wants to send a secured message to Google (SSL), it will be encoded using a special security protocol based on that Certificate.  This allows the sending device to safely encode its data so that no one on the Internet can see it.  The banks do this all the time!!  Technical enough for you?  So what't the big deal??

Well, since the traffic is encoded, the school filter can't take a peek to see what is in it - so it can't be blocked!  Sure, the filter will block access to a main website, but once the website is allowed, it can pass secret, encoded traffic WITHOUT the filter being able to see it.  

For example, let's say that your schools allows the YouTube video on the West Coast Tree Hugging Octopus.  The filter will see the URL and then let it through - after all, it is an allowed URL.  Now, when the student finishes watching YouTube, at the end of the video, a bunch of other videos pop up.  The student can now click on any of those videos and, as the request is fully encoded and can't be seen by the filter, the student can now watch a video that we don't want to let them see! Yes, there are ways to stop the videos from appearing at the end, but that means that you need unencumbered access to the Google website - which means leaving Google search open - and some of the schools don't want to do this.<Have you ever seen the supposedly "safe" images on "safe search???"> Even so, Google now passes this traffic through SSL as well!

Panic... Stop YouTube access!!  RED ALERT!!! Captain Kirk, the parents are going to go warp factor 7!!

Now, hang on a sec - push back the panic...  Google published a work around (that the Consortium School already have available to them) called the "man in middle" procedure.

What we can do is create our own SSL Certificate, load it to the all of the computers and iPads (and iPhones, etc.) that are in the school and so now, when the device requests an encoded session, the "man in the middle" intercepts it and tells the computer to use our SSL Certificate. Since the computer has been told to trust our SSL Certificate (we loaded it, remember?), we can now peek into the Internet transmission (like we used to do before Google went SSL) and everything is good.  Our filter can filter and everyone is happy.

HAPPY?  Uhhhh... no, not really.  Let me put on my "hacker hat" (Black Hat, in hacker terms, means "bad" hacker.  White Hats are "good" hackers...) and explain.  If I were a "black hatter," then I could use this system to hack into major banks, governments, and so on.... doesn't sound too good to me.  And guess what, it doesn't sound so good to banks, governments (and so on) either!!!

So, just when you thought that we had solved the Google/YouTube problem - it rears its ugly head again...  There is a movement to have the way we use SSL Certificates  changed dramatically so that web traffic can be more secure.  This means that our "man in the middle" technique will not work anymore!

So, what is the solution?

Well, there really isn't one right now.  While we currently have a way to filter, it will be disappearing in a year or two.  Now, before it is too late, we need to think about HOW we are going to solve filtering issues like YouTube and, better yet, WHY are we filtering?  Perhaps now is the time for us to start training our students about the necessity to become savvy consumers of information and how to deal with inappropriate videos and images that will (not CAN... believe me... it WILL) come their way.

Caveat Emptor! (buyer beware) and be Semper Paratus (always prepared)

And, now you know why I have grey hair...

Yossie


Yossie Frankel
Director - Consortium for Information and Academic Technologies
Member Schools:
Harkham Hillel Hebrew Academy - yfrankel@hillelhebrew.org
Oakland Hebrew Day School - y.frankel@ohds.org
Shalhevet High School - y.frankel@shalhevet.org
Yeshivat Yavneh - www.yha.org
Arete Preparatory Academy - yfrankel@areteprep.org
Midreshet Emunah V'Omanut - Jerusalem - yfrankel@emunahvomanut.org
Checkout my blog @ technorebbe.blogspot.com
Twitter @yossiefrankel
YouTube Channel: YossieFrankelChannel
LinkedIn: www.linkedin.com/in/yossiefrankel

No comments:

Post a Comment