Puffin Browser Proxy App on Mobile Devices - Tough to Filter


Peter Mancer

Sep 6, 2013, 5:16:10 PM
to techies-f...@googlegroups.com, James Meuli, Tracy Ford
I have spent some time today doing packet captures on Puffin Browser on an iPad.  This application was found on a student's iPad at school implementing BYOD and with it he was able to access any web site through the school's filtering system.  Blocking the web sites puffinbrowser.com and cloudmosa.com may prevent the programme being initially installed, but once it is running the only way to block it appears to be by using an application signature aware firewall such as the FortiGate.  The application uses HTTPS, although it does make DNS requests to the sites.  Blocking the IP address of the destination HTTPS site only stops it for a short time as it then re-establishes the communication on another IP address, and I even blocked the whole class A address but then it uses another range altogether.

Puffin is also available for Android.  I would be interested in any experience that schools have had with this.  It may be possible to block with a proxy server that does HTTPS decryption and I will do some investigation on this.

Kind regards


Peter

Andy Parker

Sep 6, 2013, 10:47:17 PM
to techies-f...@googlegroups.com, techies-f...@googlegroups.com, James Meuli, Tracy Ford
Hi Peter,

Have you had any experiences of discussions with schools who have concerns over HTTPS decryption vs trying to ensure students web browsing is safe and meets the school's policies?

We don't support the use of those alternative browsers for the reasons you give; they effectively bypass any organisational decisions made regarding access (thinking primary students here mostly).

Andy
--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Pete Eaton

Sep 6, 2013, 10:57:27 PM
to techies-f...@googlegroups.com
An iOS profile that restricts app purchases by age stops this: those browsers are usually 17+.  This is easy for school owned devices, for personal devices you can make it a policy that parents need to enforce this on the device. You can then check it before allowing on to network.

These are not foolproof, but when used alongside behaviour expectations (this is about honesty and integrity values - shouldn't be a separate set of rules) and with a couple of days of Internet access blocked, should prove enough.

The only other options (as already pointed out) are a transparent proxy with https encrypt/decrypt 'man in the middle' monitoring or by blocking at your DNS.

Pete

Sent from my iPad

Nathan S

Sep 6, 2013, 11:15:08 PM
to techies-f...@googlegroups.com
Sites such as tumblr are all https so cannot be blocked even by watchdog.
 
I am also wondering how schools will manage https filtering.
 
Regards
 
Nathan

omo!

Pete Eaton

Sep 6, 2013, 11:30:31 PM
to techies-f...@googlegroups.com
I've had 2 of the schools I look after talk to me about this.
I don't think that the MOE funded Watchdog (or its upcoming N4L equivalent) is going to give the sort of granular control most schools are going to want.  Specifically different profiles by VLAN, timed filtering and, as discussed here, https/ssl inspection.
The ministry funded option for this is Websense, but it does require a move back to an onsite server.  This is something I wanted to avoid, but will probably end up with.  The alternative is a higher-end appliance, but because the N4L comes with an appliance already this may force it further onto our main networks or nasty dual NAT etc.

Just some thoughts.

Pete

Stu McGregor

Sep 6, 2013, 11:52:38 PM
to techies-f...@googlegroups.com
This of course is just the tip of the iceberg IMHO. Give it 3 years or so and most devices are going to be 4G enabled . . . Students will bypass the school filtering easily.

However the pressing question here is clearly the pastoral one—and I'd love to know the answer to this:

———> What number of instances of objectionable material have been found on BYOD devices in different schools, and what has the net impact been on the pupils affected? 

IF this is negligible or no more than say magazines etc from when I was a lad, then perhaps my initial concerns about all this have been unfounded.

If there is actually a genuine risk (which I suspect there is), then these filtering issues need to be addressed. 

Without opening up discussion on the rights and wrongs of filtering, I'd be interested in some hard data now that we're 2 to 3 years into BYOD being commonplace.

Stu

definitive

m:  021 885 783



Jeffrey Burke

Sep 6, 2013, 11:51:34 PM
to techies-f...@googlegroups.com
I thought the MOE had stopped any new funding for Websense, preferring schools to use Watchdog despite its limitations with stuff like this.  They may support stuff like this on N4L but it will mean they end up with complete control of (and probably access to) your internal IPs and you’ll have to ask permission and probably pay to change any little thing.
 
There are solutions like Smoothwall and previously MS TMG that allow for SSL filtering. It does require an SSL cert on each device, but this can be part of the initial device setup when it is brought in.  The filter then takes over encrypting the traffic from the device to it, cracks it open to check it is not dodgy, then re-encrypts it using the original site's SSL before sending it out to the internet.  This can be helpful for stuff like Google that tries to force https on searches when logged in.  Doing this does require a school user policy change as you are cracking open expected security, but it is doable.
 
Jeffrey.
 

Pete Eaton

Sep 7, 2013, 12:14:41 AM
to techies-f...@googlegroups.com
I don't really want to get too hung up on it in one sense: the Internet is what the Internet is.  We need to simply teach students that our expectation of behaviour online is the same as onsite during school time.  We don't even really need a "terms of use" or "usage agreement" etc. IMHO.

The grey area for me really is what is our responsibility with respect to "all practicable steps" to provide a safe place for students at school (a Health and Safety Act legal requirement).  Some form of protection needs to be a part of this, but how far do we go? My preference is for minimal, low impact, low maintenance/resource, pretty much low everything really... including cost.

Pete

Sent from my iPad

Jeffrey Burke

Sep 7, 2013, 12:35:14 AM
to techies-f...@googlegroups.com
The terms of use stuff are just there to protect you if you implement stuff like that, it's a legal thing just to inform them that they may be monitored or blocked from certain sites, it is as much to protect the school as enforce policy.
 
Sent from Windows Mail
 

Andy Parker

Sep 7, 2013, 1:36:09 AM
to techies-f...@googlegroups.com
Stu.

The situations I've had to deal with aren't content related any more (of the magazines from when you were a lad genre), but related to social networking sites, ask.fm, formspring etc, and the concerns of parents, which are along the lines of parents saying "If I had my way, my child wouldn't have a device, but since your school says they have to have one, I want to know that my child won't be able to access and be influenced by all this nasty stuff."

Parents are hearing the results of surveys such as the University of Auckland survey quoted at http://www.nzherald.co.nz/lifestyle/news/article.cfm?c_id=6&objectid=10906817, which show an increase in self-harm amongst teenagers and worry about a link to social networking sites (proven or otherwise).

With regards to SSL or non-SSL, my understanding is that most solutions should be able to block sites based on the host name requested (eg block https://facebook.com if needed), but without decrypting the URL can't block specific pages or queries sent to that host.

With the recent concerns around governments allegedly decrypting data and the privacy concerns of this, how do we, students and staff feel about this possibly happening inside our own institutions?

Andy
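Andy's point above is that the host name is visible in an HTTPS connection before any decryption, while the page or query is not. As an added example (not code from this thread or from any of the products named in it), this Python script builds a constructed, minimal TLS ClientHello, reads the server name (SNI) out of it exactly as a filter running without a man-in-the-middle certificate would, and applies a host-name blocklist to it; the domain list and the fail-closed choice for a hello without SNI are assumptions of the example.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension (constructed sample)."""
    name = host.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name      # name type host_name(0)
    sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body     # extension type 0 = server_name
    body = (
        b"\x03\x03"                 # client_version TLS 1.2
        + b"\x00" * 32              # random (zeros in this sample)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x00\x2f"       # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)

def extract_sni(record: bytes):
    """Return the server_name from a ClientHello record, or None if it is absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    try:
        pos = 4 + 2 + 32                                    # handshake header, version, random
        pos += 1 + hs[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:
                entry = hs[pos + 2:pos + elen]              # skip the server_name_list length
                if entry and entry[0] == 0:
                    nlen = struct.unpack("!H", entry[1:3])[0]
                    return entry[3:3 + nlen].decode("ascii")
            pos += elen
    except (struct.error, IndexError):
        return None
    return None

def decide(record: bytes, blocked_domains) -> str:
    """Allow or block on host name alone; the URL path travels inside the encrypted stream and is never seen here."""
    host = extract_sni(record)
    if host is None:
        return "block"   # assumption for this example: no SNI means fail closed
    labels = host.lower().split(".")
    for i in range(len(labels)):             # match the host and every parent domain
        if ".".join(labels[i:]) in blocked_domains:
            return "block"
    return "allow"
```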

hden

Sep 7, 2013, 3:56:28 PM
to techies-f...@googlegroups.com, James Meuli, Tracy Ford
At the moment the only way to block https is via IP and then selecting port 443 if you want to allow http [e.g. for the YouTube Edu filter]. This can be a real pain as several of the sites you may want to block have several IPs and/or change IP to meet demand etc ...
 
[sigh]

trevor storr

Sep 8, 2013, 5:14:20 AM
to techies-f...@googlegroups.com
Hi,

I've been filtering https by using squidguard in auth mode (ie non-transparent, authenticating against the directory using LDAP calls) for a while now using pfsense, squid and squidguard.  It works just fine.

The RFP for the N4L has a fair bit of detail about what was required at that particular point in time.  I can't imagine that the N4L filtering solution would be worse than we could provide ourselves, as it kind of defeats the point (of the N4L) really.  Recent information about the N4L has emphasised the business case for the N4L and recent due diligence.  It's always been about safe internet.  Why would we get a filtering solution that's a step backwards?  I'm hoping that the N4L filtering solution will be significantly better than I can provide for my school.





--
cheers

Trevor

Trevor Storr
Director of eLearning, CantaNET http://educo.vln.school.nz
Waimate High School
Waimate
New Zealand

Tim Harper

Sep 8, 2013, 5:48:01 AM
to techies-f...@googlegroups.com
I've put the Puffin browser on my iPad and tried it from my SchoolZone connection.  It didn't work - it just says "reconnecting" - although oddly the network diagnostic test thought it was all ok.

Like Trevor I have a pfSense box at school that runs in auth mode over our fibre.  I will try it out tomorrow and see what happens.

I can't help but think that the whole point of apps like Puffin or Rover on iPad is to get around the limitations that iOS has with regard to Flash.   If iOS and Apple had a different attitude to Flash or web site developers used eg HTML5 then we wouldn't need apps like Puffin.

With Rover I had to make quite detailed firewall changes to allow it to work from the Education Hub (an independent fibre deployment in Otago/Southland) that uses SINA filtering and a core Juniper firewall.  As it uses the same web filtering as SchoolZone I'd expect it to fail there too.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 617 9968
Fax 03 443 9900

t...@mtaspiring.school.nz
www.mtaspiring.school.nz

Peter Mancer

Sep 8, 2013, 5:59:04 AM
to techies-f...@googlegroups.com
Tim

The network diagnostics for Puffin do not seem to test connectivity to the Puffin server as I have noticed the same results as you.  If SZ does block it then it would need to decrypt it at proxy level.  I am a little more skeptical than you in regards to Puffin.  The way that it automatically finds its way around IP address blocks leads me to believe that it is designed to bypass filters - although flash functionality may be a bonus.

I'm sure that pfSense is a very functional solution but unfortunately the vast majority of New Zealand schools do not have the expertise on tap to set it up and support it.

Cheers

Peter
_______________________________________________________
Peter Mancer
CEO & CTO
Watchdog Corporation Ltd
PO Box 314 008
Orewa 
Auckland 0946
New Zealand

Ph: 09-426-1101 x797
Fax: 09-426-1102
Mobile: 021-366-469

www.watchdog.net.nz

peter....@watchdog.net.nz

This email is confidential.  If you received it in error, please notify the sender and delete the email.




Want more flexible or granular filtering? Implementing BYOD? Ask about our new Netflex services for schools.

Stu McGregor

Sep 8, 2013, 6:02:25 AM
to techies-f...@googlegroups.com
Actually, it's not just iOS with no flash support now . . . it's any mobile platform. If anything Adobe conceded they couldn't get it efficient enough to run on mobile devices by stopping development for mobile flash.

I removed it from my MacBook Air the other week and I have to say I'm getting way more battery life out of it (some people estimate up to 20% improvement—which seems about right to me).

Anyway, what is, is what is. My feeling would be that they're now used to post subversively on social media etc . . . :)

Keith Craig

Sep 8, 2013, 6:06:13 AM
to <techies-for-schools@googlegroups.com>
I was told by a filtering company, when you get these tough to filter cases - if your filter allows - let them through but at 1kb/second. This way they can still "phone home" rather than trying to bypass or bash through, but the user will give up.

Keith Craig
Systems Administrator
Dilworth School
Sent from my iPhone

Tim Harper

Sep 8, 2013, 6:38:33 AM
to techies-f...@googlegroups.com
Hi Peter,

It remains that Puffin doesn't work from behind SZ.  SZ does filter https - and uses Squid/Squidguard just like pfSense.  I suspect it is being blocked by category filtering - but as many browsers fail to return ssl filtering messages (Firefox can display these messages but eg IE or Chrome and - I suspect - Puffin can't) I can't tell for certain without doing some packet captures too.  "cloudmosa.com" is in the "Software/Hardware" category; "puffinbrowser.com" is in the "Mobile phone" category.

pfSense in transparent mode with Squid/Squidguard fails ssl filtering too - it seems that auth mode is a necessity and that brings its own set of requirements.  And SZ also uses auth.  Running pfSense in transparent mode and doing ssl filtering would require a different approach - eg block all outbound port 443 traffic except for specifically allowed sites, or do man-in-the-middle (yuck), force the use of an explicit ssl proxy or use a pac file.

Agreed - pfSense is a step too far for many schools - but I'd be thinking there are lots of people on this list who would enjoy the challenge and who would succeed too.  I've seen several school techs with no previous Unix/Linux experience succeed with minimal guidance and be very happy with the result.  Especially as there is a great browser interface to work from once the hard part of the installation is completed - and even then the installer guides people through the setups and no one needs to use a CLI.  All it really takes is a desire to learn - and that is just the sort of thing that we want to encourage our kids to do too.  Maybe by putting ourselves in the learning seat for a while we will become better teachers and/or better school techs?



regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 617 9968
Fax 03 443 9900

t...@mtaspiring.school.nz
www.mtaspiring.school.nz



Jeffrey Burke

Sep 8, 2013, 7:06:55 AM
to techies-f...@googlegroups.com
“or do man-in-the-middle (yuck)” it may be ‘yuck’ but it is really the only way to filter it properly and still allow a decent amount of use of anything encrypted without the constant administrative overhead of trying to check everything that can be hidden behind each ssl address.  Blacklists and whitelists are all very well but are reactive rather than proactive.  It really is a case of how much of the internet you want to block because you can’t manually sift through it. 
 
I agree that there should be more of a training and trust approach to teach the students about the risks but this is not just about them, what about the teacher that has a browser open on their projector and messes a search term or goes to a resource site that has been compromised since they checked it, suddenly that teacher is in trouble because there was no safety net for when the internet dropped out from under them and displayed something objectionable to a class load of students.
 
Sent from Windows Mail
 

Alan at Wadestown School

Sep 8, 2013, 4:46:07 PM
to techies-f...@googlegroups.com, James Meuli, Tracy Ford
On the subject of filtering here's my two cents' worth:

*) the filtering will never be 100% effective so there will always be a need for user agreements (an explicit expectation that the students behave appropriately online).

*) it'll be very interesting to see what the N4L does in terms of filtering because it is a critical feature for schools.

*) in general it doesn't make sense for a small to medium school to run its own 'techie' filtering system just like it doesn't make sense generally for the school to run its own mail server

*) it makes things much easier for lots of apps/applications if there is no authenticating proxy (I mean, for example, the SchoolZone username and password pop-up dialog to access the Internet)

Alan

trevor storr

Sep 8, 2013, 5:02:43 PM
to techies-f...@googlegroups.com
Absolutely.

What I would really like is an authenticating proxy for browsing (so we have an audit trail - while rarely used, the deterrent effect is high), and no proxy for non-browsing traffic (but still filtered).  ie deep packet inspection.  And I'd want to be able to configure different policies for different users and different devices.

With many pupils now having data on their phones though, it's all down to digital citizenship policies.





Tim Harper

Sep 8, 2013, 8:47:07 PM
to techies-f...@googlegroups.com
As expected Puffin fails to work here using pfSense.  It gives a "server Connect Error".  The Network diagnostics again show that connectivity is there.  A packet capture (really easy to do as it is built in to pfSense!) shows Puffin is attempting to use random high ports outbound that are not permitted on the firewall.


regards,

Tim Harper


Phone 0800 755 966 option 2 then 3 (SchoolZone)
Phone 03 443 5167 (DDI)
Mobile 027 617 9968
Fax 03 443 9900

t...@mtaspiring.school.nz
www.mtaspiring.school.nz
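Tim's packet capture above shows the app trying random high ports outbound that the firewall does not permit, and Peter's first message describes it moving to a new IP range as soon as one is blocked. As an added example (not code from this thread or from pfSense), this Python script scans constructed firewall deny lines in a simplified key=value layout of my own (not pfSense's real filterlog format) and flags an internal client whose blocked outbound attempts spread across many ephemeral ports, destinations and address ranges; the thresholds are assumptions and the sample addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample deny lines (simplified key=value format, not a real pfSense filterlog).
SAMPLE_LOG = """\
2013-09-08T20:40:01 block out src=10.1.2.33 dst=203.0.113.7 dport=51234 proto=tcp
2013-09-08T20:40:02 block out src=10.1.2.33 dst=203.0.113.7 dport=58891 proto=tcp
2013-09-08T20:40:03 block out src=10.1.2.33 dst=198.51.100.15 dport=44120 proto=tcp
2013-09-08T20:40:05 block out src=10.1.2.33 dst=198.51.100.16 dport=60233 proto=tcp
2013-09-08T20:40:06 block out src=10.1.2.33 dst=192.0.2.200 dport=49901 proto=tcp
2013-09-08T20:40:07 block out src=10.1.2.40 dst=203.0.113.9 dport=25 proto=tcp
2013-09-08T20:40:08 block out src=10.1.2.40 dst=203.0.113.9 dport=25 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) block out src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_denies(text):
    """Parse deny lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def summarise(events, ephemeral_from=1024):
    """Per source: distinct high destination ports, destination hosts and first-octet ranges among blocked attempts."""
    ports, dsts, ranges = defaultdict(set), defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["dport"] >= ephemeral_from:          # only non-well-known ports count as "random high ports"
            ports[ev["src"]].add(ev["dport"])
            dsts[ev["src"]].add(ev["dst"])
            ranges[ev["src"]].add(ev["dst"].split(".")[0])   # crude "class A" range of the destination
    return {src: {"ports": len(ports[src]), "dsts": len(dsts[src]), "ranges": len(ranges[src])}
            for src in ports}

def flag_port_hoppers(events, min_ports=4, min_dsts=3):
    """Sources whose blocked attempts spread over many ephemeral ports and many destinations (thresholds assumed)."""
    stats = summarise(events)
    return sorted(src for src, s in stats.items()
                  if s["ports"] >= min_ports and s["dsts"] >= min_dsts)

if __name__ == "__main__":
    for src, s in summarise(parse_denies(SAMPLE_LOG)).items():
        print(src, s)
    print("flagged:", flag_port_hoppers(parse_denies(SAMPLE_LOG)))
```

A host that repeatedly hits port 25 on one address (10.1.2.40 in the sample) is a different problem and is deliberately not flagged by this rule.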

