SSL DECRYPTION (Effective April 9, 2018)

Over the last few years, there has been a seismic shift in how Google, Facebook, and other leading websites handle Internet security—and this shift has enormous implications for school web filtering. The rise of Secure Sockets Layer (SSL) encryption has made it harder to monitor and filter District Internet use effectively. Currently most search programs (Google, YouTube and Yahoo) utilize SSL encryption which prevents the mandated filtering required by state and federal regulations.

  •    
  •    

    In order for the SSL Decryption software to work, each device connecting to the MCS Network will need to have a server certificate installed. This electronic certificate will allow the server to process the Internet traffic from that device. ALL personal devices that connect to the MCS WiFi will be required to have the certificate installed.

       
  • WHAT IS SSL DECRYPTION?

    Across the nation, school districts are adding SSL decryption capabilities into their filtering systems. Without SSL Decryption, the iBoss filter cannot interprete the keywords used in searches. Additionally, without SSL decryption, students easily can use any one of the millions of proxy bypass servers on the Internet, allowing them to slip past most filtering systems undetected. The encrypted session provides no information for the filtering system to detect the activity and block or control it.

  • WHAT EFFECT WILL THIS HAVE ON MCS STAFF AND STUDENTS?

    In order for the SSL Decryption software to work, each device connecting to the MCS Network will need to have a server certificate installed. This electronic certificate will allow the server to process the Internet traffic from that device. ALL personal devices that connect to the MCS WiFi will be required to have the certificate installed.

  • WHAT WEBSITES WILL THE DISTRICT BE DECRYPTING WEB TRAFFIC TO?  

    At the minimum the following websites include:

    • https://www.google.com
    • https://www.youtube.com
    • https://search.yahoo.com/

    Other websites may be added to ensure the network is effective and secure.

  • HOW DOES THE SSL DECRYPTION PROCESS WORK?

    Normal web traffic to http:// web addresses pass through our iBoss filter which looks for specific prohibited URLs and keywords before allowing the traffic to pass through.

    When web traffic heading to a SSL Secure web address (https://) passes through the iBoss, the filter is not able to complete a thorough URL review and it cannot see any keywords.

    graphic showing url filtering

    With a SSL Decryption program in place the traffic flow looks like this:

    • a request to access one of the listed SSL search engines is received by iBoss
    • iBoss looks back at the sending device to verify it is certificated by the District.
    • The certificate on the device replies in the affirmative to the iBoss filter
    • iBoss then decrypts the request, filters the keywords and URLs
    • Assuming the URL and keywords are allowed, iBoss re-encrypts the request and sends it out to the web.

    graphic showing ssl filtering

  • CAN THE MCS SERVER CERTIFICATE BE UNINSTALLED AND REMOVED?

    Yes, the certificate can be easily removed. Directions are included on the webpages linked below for most Android phones and iPhones.