SSL Decryption without PAC files


If you have endured the pain of deploying Proxy Auto-Configuration (PAC) files, get ready to jump for joy! Beginning May 30th, Securly is pleased to announce the “Death of PAC Files”.

As you may know, Securly was founded on the premise of a simple 5-minute deployment. A web filter for schools that IT admins can truly set and forget. As we have evolved as a company, a major impediment to the realization of this vision has been the use of PAC files for those of our customers who deploy Securly for in-school (DNS based) filtering.

To understand how we ended up here, it's helpful to trace through our technical evolution:

  • We first started off as a DNS-to-proxy web-filter. Simply put, we use DNS queries to selectively proxy domains that need to be filtered. In slightly more technical terms, when our DNS server receives a query for a domain like google.com or facebook.com, we “lie” to the client about the resolution and instead point to the IP address of one of our proxies.
  • Our core backend engine uses Squid, the tried-and-tested, industry-standard open-source web proxy. Needless to say, we have had to heavily modify Squid over time to get it to perform all of the magic (Google SSO, per-policy filtering, etc.) that our customers have come to rely on. An essential and early innovation we introduced on the Squid side was industry-first transparent HTTP and HTTPS proxying. Out of the box, Squid relies on the configuration of an explicit proxy at the browser level. The core Squid engine had to be modified to accept unproxied HTTP and HTTPS traffic.
  • Very soon, we ran into the need to decrypt HTTPS traffic for the following reasons: (i) web-sites like YouTube and Yahoo that need HTTP header/cookie insertion to enforce Safety Mode; (ii) web-sites like Facebook and Twitter that needed to be allowed for staff, but blocked for students.
  • We tried and failed very early on to achieve transparent HTTPS decryption (which is quite different from transparent HTTPS proxying). However, the numbers spoke for themselves (500 support tickets over one year re: PAC files alone) when it came to the pain our customers were going through as a result of these PAC files.
  • Although the use of PAC files has become the industry norm, we realized that to reduce friction for customers (and to make the product easier to support), we simply had to solve this problem. We engaged the services of an industry-leading crypto expert who built transparent HTTPS decryption for us. We are in the process of integrating his work back into our technology.
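
The DNS-to-proxy step from the first bullet above, as an added example in Node.js that is not Securly's code: it parses a raw DNS query and, for a selectively proxied domain, builds an A response pointing at the proxy instead of the real address. `PROXY_IP`, `PROXIED_DOMAINS` and all function names are hypothetical.

```javascript
// Constructed values for illustration (192.0.2.0/24 is a documentation range).
const PROXY_IP = '192.0.2.10';
const PROXIED_DOMAINS = ['google.com', 'facebook.com'];

// Read the QNAME, QTYPE and QCLASS of the first question in a DNS query.
function parseQuestion(msg) {
  if (msg.length < 12 || msg.readUInt16BE(4) < 1) throw new Error('no question');
  const labels = [];
  let off = 12;                                   // fixed header is 12 bytes
  for (;;) {
    if (off >= msg.length) throw new Error('truncated name');
    const len = msg[off];
    if (len === 0) { off += 1; break; }           // root label ends the name
    if (len > 63) throw new Error('compressed or invalid label in query');
    if (off + 1 + len > msg.length) throw new Error('truncated label');
    labels.push(msg.toString('latin1', off + 1, off + 1 + len));
    off += 1 + len;
  }
  if (off + 4 > msg.length) throw new Error('truncated question');
  return { name: labels.join('.').toLowerCase(), qtype: msg.readUInt16BE(off),
           qclass: msg.readUInt16BE(off + 2), end: off + 4 };
}

// Match on label boundaries: www.facebook.com matches, notfacebook.com does not.
function isProxied(name) {
  return PROXIED_DOMAINS.some((d) => name === d || name.endsWith('.' + d));
}

// Return a response that points at the proxy, or null to forward upstream.
// Only A/IN is handled; other types (e.g. AAAA) need their own policy.
function answerQuery(msg) {
  const q = parseQuestion(msg);
  if (q.qtype !== 1 || q.qclass !== 1 || !isProxied(q.name)) return null;
  const header = Buffer.alloc(12);
  msg.copy(header, 0, 0, 2);                      // echo the transaction ID
  header.writeUInt16BE(0x8080 | (msg.readUInt16BE(2) & 0x0100), 2); // QR, RA, copy RD
  header.writeUInt16BE(1, 4);                     // QDCOUNT
  header.writeUInt16BE(1, 6);                     // ANCOUNT
  const answer = Buffer.alloc(16);
  answer.writeUInt16BE(0xc00c, 0);                // pointer to the name at offset 12
  answer.writeUInt16BE(1, 2);                     // TYPE A
  answer.writeUInt16BE(1, 4);                     // CLASS IN
  answer.writeUInt32BE(60, 6);                    // short TTL so policy changes apply fast
  answer.writeUInt16BE(4, 10);                    // RDLENGTH
  Buffer.from(PROXY_IP.split('.').map(Number)).copy(answer, 12);
  return Buffer.concat([header, msg.subarray(12, q.end), answer]);
}

// Constructed sample input: a minimal recursive query for `name`.
function buildQuery(name, qtype = 1) {
  const head = Buffer.from([0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]);
  const qname = Buffer.concat(name.split('.').flatMap((l) => [Buffer.from([l.length]), Buffer.from(l, 'latin1')]));
  return Buffer.concat([head, qname, Buffer.from([0, 0, qtype, 0, 1])]);
}
```

Because the client now connects to the proxy's address, the original destination IP is gone; the proxy has to recover the intended site from the traffic itself.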

We believe that completely getting rid of PAC files while retaining SSL decryption abilities is nothing short of magic and are thrilled to announce that our customers will experience this for themselves very soon. 

Should you have any questions about this change, please do not hesitate to contact us at support[AT]securly.com.

Vision Statement & Product Updates


This week saw the release of significant changes to the Securly dashboard, UI, and website. Please find our release notes below.

Vision Statement

While it has always been our vision to help schools use web filtering as a means of managing and measuring student achievement, we have now made this positioning more visible on our website and social media pages:

Facebook | Twitter | Google+ | LinkedIn

Since our inception, we have strived to reinvent web filtering for schools through innovation. Rather than focus on “what we can block”, we have always sought to bring a progressive attitude to the industry. Our customer Andrew Schwab’s blog post on “The Power of Positive Web Filtering” nicely captures this sentiment. What follows is a review of events that brought us to where we are today:

  • Opening up student access outside of school. We first moved the needle in favor of student freedom by introducing the concept of “Take-Home Policies”.
  • Bullying and self-harm detection. After successfully funding a Kickstarter campaign in November 2014, we have applied the principles of natural language processing to detect cyber-bullying and attempts at self-harm. Read our “flagged social networking posts” section below for more details.
  • Securly for Parents. More recently, we have developed “Securly for Parents”, the first tool to give parents a bird's-eye view of their child’s life online. An upcoming release will give parents everywhere (not just those in schools using Securly) the ability to manage their child’s screentime on all home devices.

Product Updates

Drill down by policy
You now have the ability via the dashboard to access data by policy. This feature required a complete re-architecture of the use of HTML5 local storage to make for a smooth user experience. Shout-out to Tim White at Webb City R-7, Missouri for suggesting this feature.

Top 25 users
The number of top users and sites accessible via the dashboard is now 25 instead of 5. You can also click on a site or user within the dashboard to drill-down further. Shout-out to Andrew Schwab (again!) at Union SD for suggesting this feature.

Flagged social networking posts
Some of you may have seen the “Flagged Activities” section of our dashboard. As described above, this offering is made possible by months of research and development and the successful completion of a Kickstarter project. All of us at Securly became early believers in the efficacy of our Sentiment Analysis technology, as we were able to catch a troubling student post during our beta-testing phase and immediately alert school officials.

New “Hate” category
A previous category (religion, opinions and ideologies) has been deprecated and replaced by Hate. Lou Moeckler at Solomon Schechter Day School pointed out that schools are unlikely to block pages on religion and hate is a more useful category. Thanks for the insight, Lou!

Block consumer GMail
Two years ago, we pioneered the ability to limit students to their school issued Google logins (personal GMail accounts are blocked). Doing so has the dual advantage of limiting student e-mail use to accounts that can be monitored while reducing classroom confusion around the use of apps that rely on Google SSO. Unfortunately, this feature has remained hidden and we have not done a very good job of letting customers know we support it. We have exposed this via Global Settings in this release. For Chromebooks, no change in configuration is needed to support this feature (all you need is the extension). For our DNS users, you will need to deploy the Securly certificate and proxy setting to enable this.

Create custom messages on blocked page
There is a space in the Global Settings to enter a custom text message that can be displayed on the blocked page. This can be used by schools to limit liability in cases when misclassified domains are wrongly blocked by the filter.

Coming soon
  1. Huge updates to Securly for Parents (enabling whole-home protection and auditing via personal GMail).
  2. Introducing URL filtering and Safe Image Search to our Chrome extension.
  3. Our page-scan algorithm uses the “wisdom of crowds” to keep our content database up-to-date.

Resolved issues

Audit trail mixup
An edge case caused a small portion of one school’s audit trail to appear in another school’s. This issue has been fixed.

Admin login issues
Sundry fixes have made the Admin login experience more robust.

Duplicate entries
Entries used to appear in both the accessed and blocked views of the audit trail. This led to a confusing user-experience and has been addressed.

Students accessing admin dashboard
Some students were able to access the admin dashboard through a convoluted hack. This issue has been addressed.

A jumbo Chrome extension update focused on evasions

This past week saw the release of significant changes to our Chrome extension that make it resistant to evasion attempts. Please find our release notes from v2.54 below:

1) Killing the extension via Task Manager
One evasion that was reported by several of our customers involved students being able to shut the Chrome extension down via the Chrome Task Manager. Recent changes by Google meant that extensions that are pushed out via the GAfE control panel pop right back up. However, the student did have a few seconds during which they could open up an inappropriate site that is then not filtered retroactively by the filtering extension. The only known solution to this issue (used by competing Chrome extensions) involved renaming the extension to something innocuous sounding (ex: Chromium M). We quickly ruled out this approach since we felt that this constituted Security through Obscurity. We also asked our contacts at Google if they had plans to make any changes to the Chrome architecture that would make certain extensions “un-killable” by less privileged users. We were told that there were no such plans since this approach would introduce security/privacy issues (ex: a keystroke logger extension would be able to run as a privileged process).

Ultimately, our engineering team was able to devise an elegant approach to solving the problem. On start, the Securly Chrome extension blocks inappropriate content on all open tabs. Since the extension pops back up within a second or two after killing it, after a handful of attempts, a student who is trying to evade the extension using this approach will likely get frustrated and stop trying.

We’d like to give a shoutout to customers Lucas Cowden (Park Ridge-Niles School Dist. 64) and Kyle Freise (Batavia Public SD 101) who brought this to our attention.
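
The start-up sweep described in item 1 above, as an added example that is not Securly's extension code: every time the background script starts, it re-checks all tabs that are already open and redirects the ones that violate policy. `BLOCKED_DOMAINS`, `BLOCK_PAGE` and the function names are hypothetical; `chrome.tabs.query` and `chrome.tabs.update` are the real extension APIs and need the "tabs" permission to see tab URLs.

```javascript
// Constructed placeholders for illustration.
const BLOCKED_DOMAINS = ['blocked.example'];
const BLOCK_PAGE = 'https://filter.example/blocked.html';

// Policy check on the hostname only, matched on label boundaries.
function isBlockedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  const host = url.hostname.toLowerCase();
  return BLOCKED_DOMAINS.some((d) => host === d || host.endsWith('.' + d));
}

// Re-evaluate every tab that is already open. `tabsApi` is chrome.tabs inside
// the extension; it is a parameter so the logic can be exercised outside Chrome.
async function sweepOpenTabs(tabsApi) {
  const tabs = await tabsApi.query({});           // {} = all tabs in all windows
  const redirected = [];
  for (const tab of tabs) {
    // pendingUrl covers a navigation that began while the extension was down.
    const candidates = [tab.pendingUrl, tab.url].filter(Boolean);
    if (!candidates.some(isBlockedUrl)) continue;
    try {
      await tabsApi.update(tab.id, { url: BLOCK_PAGE });
      redirected.push(tab.id);
    } catch (err) {
      // The tab was closed between query() and update(); nothing left to block.
    }
  }
  return redirected;
}

// Runs at the top level of the background script, so it executes on every start
// of the extension process, including the automatic restart after it is killed.
if (typeof chrome !== 'undefined' && chrome.tabs) {
  sweepOpenTabs(chrome.tabs);
}
```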

2) Gaming the address bar for fun and profit
Our customer Phil Feichko brought this evasion to our attention: “Search for anything in omni/URL search box. Then, type site for bypass (maxim.com) in search box at top of browser window. (This is the Google search box with the text still displayed from the previous search.) Then click back arrow in browser. Then click the link for the site in the search results (maxim.com) This gives a one page at a time bypass for sites.”

Thanks Phil! – This issue has been addressed as well.

3) Web-cache based evasion
One of our developers found a way to evade Securly using the Chrome web-cache in certain corner cases. This issue has been addressed in the new release.

4) Initial Accept/Cancel button
This method of evasion involved the accept/cancel prompt that a student faced the very first time our extension requested consent to be initialized. We explored all options available and found an elegant solution that not only fixes the evasion, but also gets rid of the accept/cancel prompt that confused some students. As a bonus, this solution also works offline!

5) Reloading issue
The “Reloading” issue that has affected some of you has now been fixed. We wanted to assure you that this issue did not affect any essential functionality.

Please do let us know if you have any additional questions.

DNS2Everything + Social Texting & Tweeting Monitor

DNS2Everything: Two years ago, when we founded Securly, there were many granular “parental control” solutions on the market, but all of those worked only for a specific device. It was clear that an ideal solution was to come through a “Net Nanny” for K-12 devices but one that could work across a heterogeneous mix of devices across the district, ubiquitously both on and off campus, and with a simple setup process that didn’t explode with the size of the district. Inspired by the simplicity of the OpenDNS setup and the granularity of players such as Palo Alto Networks, we took two painstaking years to build the patent-pending technology that powers Securly. We started with DNS, and first provided granular GApps based Single-sign-on policing and reporting for students. Next, we achieved powerful granular control and monitoring such as proactively enforcing Google and YouTube’s safety mode, blocking personal @gmail logins while allowing district Google mail logins, and much more – all from a simple DNS based setup.

Monitoring Social-posts: Today, we also released our beta “Social-posts” monitoring addition. We have only released it to our US West-coast customers and will soon make it available to the rest of the customer base. This feature allows IT and Instructional Tech personnel to monitor what high-schoolers are posting on Facebook, Google Plus and Twitter. In many of our schools, admins use a relaxed take-home policy where in-school, everyone gets the “lowest-common-denominator” safest policy; however, for home use the take-home 1:1 devices handed out to high-schoolers are given relaxed policies with social-networking frequently left open. Securly makes it possible for educators to monitor online status-posts and tweets of students to shape their online behavior.

Securly's "Social-posts" feature allows educators to shape behavior on social-networks


Like the other granular features of our visual audit trails, this functionality is also not restricted only to Chromebooks or any other specific device, but is available to all devices deployed with Securly.

Please contact support@securly.com for additional details.

Reference Competitive Matrices

[Comparison matrices (images not reproduced): Securly vs Other Chrome Extensions; Securly vs Hardware Appliances; Securly vs OpenDNS]

Securly Extends Unified Cloud-based K-12 Web Filtering with a Chrome Plugin for 1:1 Chromebook Management

Santa Clara, CA

Silicon Valley based Securly, Inc., the world’s leading cloud-based provider of unified Internet Security for K-12 schools, today announced their zero-touch filtering solution for 1:1 Chromebooks. The new offering gives schools a pain-free way to manage student screen-time on Chromebooks as they move between the school and home.

Given their low price-point, high usability and integration with Google’s free Apps for Education suite of tools, Chromebooks have become a platform of choice for schools that are adopting 1:1 initiatives. As of October 2013, these devices were being used by 22% of all US K-12 school districts. While a primary driver of these district-level Chromebook purchases has been online student assessments, the adoption of newer pedagogical models like “Flipped Classroom” has had an impact as well. The latter makes it imperative for Chromebooks to go home with students in order for the district’s 1:1 initiative to have any chance of success. A natural question that is raised by teachers, district leadership and parents alike as Chromebooks are sent home is – “How does one ensure online safety on these devices?” Says Tim White, Director of Technology for Webb City R-VII School District – “Sending a device home without monitoring and content protection would put our students at unnecessary risk and open our institution to significant legal action.”

The status-quo is dominated by appliance-based proxy solutions. This involves the setup and maintenance of an on-premise hardware appliance web filter. The existing approach has a number of disadvantages. First, since each appliance can support a finite number of concurrent connections, larger take-home programs would require districts to acquire and manage multiple appliances. Second, the fact that all of the students’ home traffic is routed back through the school’s network makes IT departments that are already stretched thin responsible for network uptime even during off-hours. This also limits students’ browsing speeds to the school’s uplink capacity which for the most part tends to be a lot lower. Finally, the status-quo’s inability to play well with Google Apps makes for a sub-optimal User Experience.

Securly’s Chrome plugin makes deploying a 1:1 take-home Chromebook filtering solution an easy 5-minute task. The plugin can be pushed out to Chromebooks via the Google Apps Admin Control panel. IT Admins can use the Securly dashboard to assign granular policies to their Google Apps Organizational Units. Securly reports student activity by their Google ID. IT Admins can also use the Securly dashboard to visualize student activity and the Audit Trail to drill deep into an individual student’s screen-time in a matter of minutes.

Said Romeo Community Schools’ Technology Director Mark Nelson of his district’s experience working with Securly’s take-home filtering solution – “As our district embarked on a program to send 3300 Chromebooks home with our middle and high school students, we turned to Securly. Their policy editor allows an easy way to set policies by school or grade level. Additionally, Securly’s take-home policy allows sites and categories that might be distracting in the classroom to be accessed when the school day ends and students connect from home networks.”

Securly was the first web-filter to integrate with Google Apps for single sign-on so schools with a heterogeneous mix of iPads, Windows, Macs, and Chromebooks could get granular policies per their organizational units. With today’s offering, Securly allows IT admins to safely pilot and secure their 1:1 Chromebook programs, while reserving the ability to seamlessly expand the filtering to the rest of the district’s devices.

About Securly:

Securly is the world’s leading provider of unified cloud based security for K-12 schools. The founding team has a combined 20+ years of experience in the enterprise network security space. The company is a venture backed startup in Silicon Valley and serves hundreds of schools in North America, Europe and the Asia Pacific region. The Securly for Chromebooks plugin is available immediately by signing up for a free trial from http://www.securly.com and then visiting the Chrome Web Store or via the Google Apps Admin Console.