Is Web Filtering a Dying Technology?


1 Is Web Filtering a Dying Technology?
Phil Smith Head of Product

2 The Secure Web
Source: httparchive.org

3 Man in the Middle (MITM)
Parties: User, Server
User to Server: Web request
Server to User: Site certificate and key signed by Certificate Authority (CA)
User to Server: I recognise that CA, here’s my key, let’s talk

4 Man in the Middle (MITM)
Parties: User, Proxy, Server
User to Proxy to Server: Web request
Server to Proxy: Site certificate and key signed by Certificate Authority (CA)
Proxy to Server: I recognise that CA, here’s my key, let’s talk
Proxy to User: Site certificate and key signed by Proxy
User to Proxy: I recognise that CA, here’s my key, let’s talk

5 HTTP Strict Transport Security (HSTS)
Parties: User, Server
User to Server: HTTP Web request
Server to User: Redirect to HTTPS
User to Server: OK, if you insist, HTTPS Web request
Notes:
Forces clients to use HTTPS
Protects against MITM attacks which request HTTP connections
Not an issue for filters that distribute the MITM self-signed CA

6 HTTP Strict Transport Security (HSTS)
Parties: User, Proxy, Server
User to Server: HTTP Web request
Server to User: Redirect to HTTPS
User to Server: OK, if you insist, HTTPS Web request
Server to Proxy: Site certificate and key signed by Certificate Authority (CA)
Proxy to User: Site certificate and key signed by Proxy
Notes:
Forces clients to use HTTPS
Protects against MITM attacks which request HTTP connections
Not an issue for filters that distribute the MITM self-signed CA

7 HTTP Public Key Pinning (HPKP)
Parties: User, Proxy, Server
Certificate chains: Company Root CA (Trust Anchor), Intermediary CA, Example.com certificate; Proxy Root CA (Trust Anchor)
Hashed pin
Pin doesn’t match example.com certificate
Notes:
Forces clients to use HTTPS
Protects against MITM attacks which request HTTP connections
Not an issue for filters that distribute the MITM self-signed CA

8 HTTP Public Key Pinning (HPKP)
Parties: User, Proxy, Server
Certificate chains: Company Root CA (Trust Anchor), Intermediary CA, Example.com certificate; Proxy Root CA (Trust Anchor)
Hashed pin
Pin doesn’t match example.com certificate
It’s OK
Notes:
Forces clients to use HTTPS
Protects against MITM attacks which request HTTP connections
Not an issue for filters that distribute the MITM self-signed CA

9 Server Name Indication (SNI)
Parties: User, Proxy, Server
User to Proxy to Server: HTTPS Web request <SNI=example.com>
Server: Determine certificate from SNI
Server to Proxy: Example.com certificate and key signed by Certificate Authority (CA)
Proxy to Server: I recognise that CA, here’s my key, let’s talk
Proxy to User: Example.com certificate and key signed by Proxy
User to Proxy: I recognise that CA, here’s my key, let’s talk
Notes:
Allows multiple certificates on same IP and port – connection can present different certificates
Used for policy generation in filters
Sites that don’t use SNI (presumably dedicated IPs) – Gmail…
Options:
Block HTTPS with no SNI header – might be an issue for some applications, Dropbox
Monitor valid IPs with no SNI header – again, list Dropbox IPs as valid
Grab the domain from the certificate

10 Server Name Indication (SNI)
Parties: User, Proxy
User to Proxy: HTTPS Web request <No SNI>
Policies based on:
Blocking no-SNI traffic
Allowing from known IP list (Dropbox, Google Drive, etc)
Domain name from presented certificate
Notes:
Allows multiple certificates on same IP and port – connection can present different certificates
Used for policy generation in filters
Sites that don’t use SNI (presumably dedicated IPs) – Gmail…
Options:
Block HTTPS with no SNI header – might be an issue for some applications, Dropbox
Monitor valid IPs with no SNI header – again, list Dropbox IPs as valid
Grab the domain from the certificate
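
The SNI policy options from slides 9 and 10, as an added example that is not part of the original presentation or any vendor's code: it parses the SNI out of a ClientHello and applies the three no-SNI options in one order. The function names, the sample ClientHello builder, the option ordering and the documentation-range IPs are assumptions made for illustration.

```python
import struct

def build_client_hello(sni=None) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        data = struct.pack("!H", len(entry)) + entry           # server_name_list
        exts = struct.pack("!HH", 0, len(data)) + data         # extension 0 = SNI
    # version, random, empty session id, one cipher suite, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_sni(rec: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:            # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                              # headers, version, random
        p += 1 + rec[p]                                 # session id
        p += 2 + struct.unpack_from("!H", rec, p)[0]    # cipher suites
        p += 1 + rec[p]                                 # compression methods
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p)
            if etype == 0 and rec[p + 6] == 0:          # SNI extension, host_name type
                nlen = struct.unpack_from("!H", rec, p + 7)[0]
                name = rec[p + 9:p + 9 + nlen]
                return (name.decode("ascii").lower() or None) if len(name) == nlen else None
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                            # truncated or malformed: no SNI
    return None

def decide(rec, dst_ip, cert_names, blocked, no_sni_ok_ips):
    """Filter decision. SNI is client-supplied, so it is a policy hint, not proof."""
    host = parse_sni(rec)
    if host is None:
        if dst_ip in no_sni_ok_ips:                     # known IP list (assumed input)
            return ("allow", "known no-SNI IP")
        if not cert_names:                              # nothing to classify: block
            return ("block", "no SNI, no certificate name")
        host = cert_names[0].lower().lstrip("*.")       # domain from the certificate
    if any(host == d or host.endswith("." + d) for d in blocked):
        return ("block", host)
    return ("allow", host)
```
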

11 TLS 1.3
TLS 1.2:
Client Hello: Ciphers
Server Hello: Ciphers, Key, Certificate
Client: Key, Finished
Server: Finished
HTTPS Get
TLS 1.3:
Client Hello: Ciphers, Key
Server Hello: Ciphers, Key, Certificate, Finished
Client: Finished
HTTPS Get
Not expected to make a difference to MITM

12 Application-Specific Encryption
Telegram, WhatsApp

13 Filtering in 2017
URL filtering
SSL inspection
Content inspection
Content modification
Search term filtering
Egress filtering
Blocking = Event

14 Filtering in 2017
What happens when you can’t filter?

15 Department for Education
Whilst it is essential that governing bodies and proprietors ensure that appropriate filters and monitoring systems are in place; they should be careful that “over blocking” does not lead to unreasonable restrictions as to what children can be taught with regards to online teaching and safeguarding

16 Ofsted Inspection Considers...
…how well the school prepares pupils positively for life in modern Britain and promotes the fundamental British values of democracy, the rule of law, individual liberty and mutual respect for and tolerance of those with different faiths and beliefs and for those without faith…
…how well leaders and governors promote all forms of equality and foster greater understanding of and respect for people of all faiths (and those of no faith), races, genders, ages, disability and sexual orientations (and other groups with protected characteristics)…

17 A Path to Good Intentions
Leads to a hellish problem for schools
Specified authorities will be expected to ensure children are safe from terrorist and extremist material when accessing the internet in school, including by establishing appropriate levels of filtering.
…staff have training that gives them the knowledge and confidence to identify children at risk of being drawn into terrorism…
…encourage and support schools to move from locked down to managed [e-safety] systems…

18 What are the main areas of risk?
Content: being exposed to illegal, inappropriate or harmful material
Contact: being subjected to harmful online interaction
Conduct: personal behaviour that increases the likelihood of harm
“From September 2016 all governing bodies and proprietors should be doing all that they reasonably can to limit children’s exposure to the above risks from the school or colleges IT system. As part of this process you should ensure your school has appropriate filtering and monitoring systems in place”.

19 Filtering in 2017
What happens when you can’t filter?

20 Monitoring to Supplement Filtering
Application usage
Chain of events: search term to web site to chat app
Legitimate transactions: search terms, chat
Transactions at source: what is typed into what window and what happened
Context is key

21 Safeguarding
Filtering + Monitoring
Event + Intent

22 Is There Another Paradigm Shift?
Filtering & Monitoring
Home, School

23 Is There Another Paradigm Shift?
Filtering & Monitoring, Filtering & Monitoring, Filtering & Monitoring
Home, School

24 Different Strokes?
Primary School Student: Whitelist Filtering Only
Vulnerable Student: Whitelist Filtering and Monitoring
Secondary School Student: Time of Day Policies
Further Education Student: Open Access & Monitoring
Teacher: Monitoring Only

25 Some Other Questions
What about BYOD?
What about guest services?
What about shared devices?
How to deal with 1:1 devices (school owned)?
What about 1:1 school/home devices (parent owned)?
Where’s the crossover between school and home responsibilities?
Should parents be running filtering and monitoring services as well as the school?
And… where does GDPR fit into this puzzle?

26 Is Web Filtering a Dying Technology?

27 Is Web Filtering a Dying Technology?
It has now become just one tool in a much larger arsenal of systems

