Securing GMail for Google Apps for Education

Monitor the safety and security of minors when using electronic mail, chat rooms and other forms of direct electronic communications.”
– Excerpt from the Children’s Internet Protection Act, or CIPA (Source:

The CIPA law is clear in its intent. E-mail sent by students needs to be policed. Since most web-filters lack the ability to do this, schools normally end up blocking e-mail and chat. However, this is no longer an option with many schools turning to the free Google Apps for Education (GAfE) suite as the foundation on which they base their 1:1 initiatives. Part of GAfE is of course GMail, which students will need to use for a truly collaborative experience. The challenge here is that permitting students to use GMail allows them to log in with their consumer, or personal (as opposed to Google Apps) account. Consumer accounts cannot be policed and this opens the school up to liability. The problem is complicated by the fact that all GMail traffic is over SSL. Very few web-filters support the ability to decrypt SSL traffic. Securly recommends the following steps to secure GMail:

  • Intercept and decrypt GMail related SSL traffic. Achieving this normally involves pushing out root certificates provided by your filter vendor out to your end hosts.
  • Add the HTTP header X-GoogApps-Allowed-Domains, whose value is a comma-separated list with allowed domain name(s). Include the domain you registered with Google Apps and any secondary domains you might have added.
  • Archive GMail using an application like Vault (now free for schools). This makes all of the mail sent over your network searchable and keeps your school compliant.

To learn more about blocking consumer/personal GMail, check out our other post here.

Enabling YouTube Safety Mode

YouTube Safety Mode enables safe searching and hides videos that have been flagged for containing inappropriate content

YouTube Safety Mode enables safe search and hides videos that have been flagged for containing inappropriate content. A recent update by Google allows for decoupling safe Google search from Youtube Safety Mode.

So by enabling YouTube for Schools, you’re limiting everyone’s ability to see videos that aren’t tagged as EDU or added to your own allow list. Then the list of people that are allowed to whitelist videos is something that you have to maintain manually.
– I.T. Admin on Forum

There is often a debate in schools about the use of YouTube, with common implementations falling into one of three categories: completely open access, YouTube for EDU, or altogether blocked. Allowing students to access a completely open YouTube can expose them to potentially inappropriate or distracting content. On the other hand, YouTube for EDU tends to be limiting, as teachers and admins are required to add one video at a time to their playlist. With the undeniable importance of YouTube as an educational tool, blocking YouTube altogether is not really a feasible option. The solution we recommend: YouTube Safety Mode.

YouTube Safety Mode is a setting that, similar to Google’s safe search, hides inappropriate content when enabled. Videos that have been flagged as being inappropriate by users for a host of reasons will not be accessible in this mode. The following string will need to be injected into the Cookie header of a YouTube traffic flow in order to enable Safety Mode:

  • PREF=f2=8000000

What follows is a description of how two of our customers are using YouTube Safety Mode to achieve a conducive learning environment.

  • Webb City R-VII School District, MO: Have turned on YouTube Safety mode for in-school filtering. Since the district believes that home is actually a less supervised environment, they turn on YouTube for Schools for their 1200 Chromebooks when they go home.
  • Romeo Community Schools, MI: YouTube Safety mode has been turned on for both school and home for 3300 Chromebooks. The Safety Mode is used in conjunction with URL based keyword blocking to achieve a learning environment that is in line with community standards. Keywords that lead to inappropriate content showing up are blacklisted on an as needed basis.

Note: A recent update to the Google Apps Admin Console allows for decoupling Google safe search from YouTube safety mode.

Improving safe image search with the Creative Commons filter

Google safe image search results for "sxy" with the Creative Commons filter applied

Google safe image search results for “sxy” with the Creative Commons filter applied

Several of our customers have reported the following issue: Image Search is not safe enough with Safe Search turned on. Blocking image search altogether is not a great option since there are legitimate uses for this functionality. Our recommendation in this case is to turn on the “Creative Commons” filter that is supported by all major search engines. The idea here is to filter out all images except those tagged as being distributed under the “Creative Commons” license. We have found based on extensive empirical evidence that images with this license are for the most part appropriate for classroom use. Further, the filter can be turned on for students only while leaving staff unfiltered on image search. The following strings will need to be appended to image search URLs to turn on the Creative Commons filter:

  • Google: &tbs=sur:fmc
  • Bing: &qft=+filterui:license-L2_L3
  • Yahoo: &imgl=ccr

You can test out search results with the Creative Commons filter applied here.

Blocking additional keywords to enhance safe search

Results for "cocaine" with standard Google safe search enabled

Results for “cocaine” with standard Google safe search enabled

Even with safe search turned on, keywords that would normally be inappropriate (ex: those related to drugs or violence) for a K-12 setting are allowed by Google, Bing and Yahoo. To address this issue, we recommend URL based keyword blocking. Securly uses a keyword list of over 1000 keywords that has been carefully culled to avoid False Positives. This list can be built from publically available sources. We also recommend accounting for permutations of those keywords to address evasive behavior. For example, a student could type “h4(k1ng” instead of “hacking” or “a$$” instead of “ass”.

Securly blocks 1000 keywords beyond the standard database used by Google, Bing, and Yahoo safe search.

Securly blocks 1000 keywords beyond the standard database used by Google, Bing, and Yahoo safe search.

Redirecting encrypted Google search with “nosslsearch”

In 2010, Google launched an encrypted version of its search engine that made SSL the default transport for all Google traffic. This was problematic for schools, as the Children’s Internet Protection Act (CIPA) requires that students be blocked and audited when trying to access inappropriate content. Blocking encrypted search was not really a viable option, since Google has become a de-facto tool in the 21st century classroom. Google has instead provided schools with a option. All SSL traffic bound for can be intercepted by the web-filter and re-directed to This ensures a seamless re-direct from HTTPS to HTTP. Additionally, needs to be blocked by the web-filter because the nosslsearch trick does not work for this domain by design.

How to enable safe search for Google, Bing and Yahoo

Results with Google Safe Search enabled

Results with Google Safe Search enabled

Google, Bing and Yahoo support safe search on their respective search engines. A web filter will need to pro-actively enable these safety modes. We recommend enabling safety modes on these three search engines while keeping all other search engines (Ask, Duckduckgo, etc) blocked. The top three search engines give students more than enough freedom to research on their class assignments. Safety mode can be enabled by simply appending a string at the end of the URL, as shown here:

  • Google: ?&safe=active
  • Bing: ?& adlt=strict
  • Yahoo: ?&vm=r

Systems such as Dan’s Guardian and Safe Squid can be used to accomplish the above. Chromebooks can have Google safe search turned on from the Google Apps for Education (GAfE) Admin Console.