SSL Inspection enables granular filtering of web content that is distributed via HyperText Transfer Protocol Secure (HTTPS). To enable SSL Inspection, Secure Sockets Layer (SSL) certificates must be installed on all user devices. Should schools or kura wish to enable SSL Inspection, they should work with their internal IT lead or their external IT provider. Based on a school’s arrangement, they may incur costs if engaging an external provider.
The case for SSL Inspection: HTTP vs HTTPS
Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP; the protocol used to send data between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure' and confirms that all communication between your browser and the website is encrypted. HTTPS traffic utilises a different port to traditional HTTP and is designed to enhance the protection of content being distributed (see the image below). While encryption enhances the security of the data being securely transferred it also increases the complexity of web filtering - as content filters cannot view inside the data packets being sent via HTTPS.
Figure 1: HTTP vs HTTPS (2017, May 15)
It is possible to block an entire encrypted site, however if schools want to filter content within HTTPS websites they will need to implement additional measures to ensure they are maintaining a safe environment for staff and students.
Implementing SSL Inspection
N4L Web Filtering can inspect and decrypt HTTPS traffic once trust is formed with the end user devices. To create this relationship SSL certificates need to be installed on all end user devices. Once installed it is then up to the school to choose “what” to inspect.
The benefits of SSL Inspection
- SSL Inspection helps improve protection against malicious content such as malware and viruses
- Gives you the ability to block websites if a specified keyword is mentioned on the site (e.g. block websites when ‘gambling’ is found on the page). This can be useful if you want to stop students searching for specific terms.
- Provides you with more in-depth information on students website and application use (e.g. ability to
see the specific page a student visited on reddit, not just reddit.com) and can also tell if a student has seen a specific image on a website. - Allows better detection and blocking of VPNs
The drawbacks of SSL Inspection
- It can be onerous to manage and deploy SSL certificates
- Certain applications will not work with SSL Inspection and will need to be bypassed
FAQs
What effect does the installed SSL certificate have outside the school network?
- The SSL certificate is only active while the device is being used on the school network. N4L’s Web Filtering presents the SSL certificate to the end user device while inspecting traffic only - the certificate is not used in any other situation.
What information is available for reporting on HTTPS websites through N4L Web Filtering?
- For privacy reasons only the domain name portion of the URL is recorded for reporting. For example, if someone opens "https://www.example.com/?pass=password" in their web browser, the information after the question mark will be discarded from reporting.
Does Web Filtering still work without SSL Inspection?
- N4L’s Web Filtering can still see the initial request a browser makes to a website and allow or block this traffic. For example, students can open Google in their browsers when N4L Web Filtering is allowing access. However, once the page is open, N4L Web Filtering will not be able to take action on their Google activity like blocking certain keywords from being searched.
There are some considerations to take into account when deciding if HTTPS Inspection is right for your school. You can contact our Customer Support team on 0800 LEARNING for further assistance and information regarding this.
References
