Easy Access to Restricted Sites: Port 443
September, 2001
Your content filter is finally installed and you're feeling
pretty good about having created a safe environment for the
students in your school. Hold on! It's time you learned about
the latest way to fool your content filter, Port 443 traffic.
Most web traffic uses Port 80, and content filters work on that traffic.
Each Port 80 request carries the address it is asking for (the URL) in
plain text, so if the filter sees a request for an address on its
restricted list it blocks the user from the site. Pretty simple, right?
Not so fast! A lot of Internet traffic travels on Port 443, the port
used for encrypted (SSL/TLS) web connections. Generally, that encryption
is used for doing financial transactions on the Internet. If you go to
Amazon.com and buy a book, the checkout process uses Port 443, and
whenever you see the lock icon at the bottom of your browser window you
are probably using Port 443. The problem is that most content filters
cannot read the encrypted request on Port 443, so they cannot tell which
address the user asked for.
Normally this wouldn't be a problem. Kids are not using the school's
computers to buy anything online; most of them do not have credit cards
anyway. The problem is that sites such as Safeweb.com and other
so-called Web "anonymizers" work by acting as proxies for Web surfers or
by rewriting the Web pages that users request. This prevents Web sites
from gleaning any information, such as an Internet Protocol (IP) address,
from the visitor, or from writing cookies to the client hard drive. The
legitimate side of "anonymizer" sites is that they maintain your privacy.
The downside for schools is that they turn unencrypted Port 80 traffic
into encrypted Port 443 traffic: the student's browser talks to the
"anonymizer" over Port 443, and the "anonymizer" fetches the requested
page on the student's behalf. All the content filter sees is an encrypted
connection to the "anonymizer", so students can go to any site on the
Internet without being restricted. Oh! By the way, this is not a
difficult process. You go to the "anonymizer" site, type the web address
you want to visit, and go there whether or not the site is blocked by
your content filter.
What can you do about this situation? You can enter the address of the
"anonymizer" site into your content filter's restricted list and bar
students from the site. The problem with this approach is that many of
the "anonymizer" sites are subscription services that change their IP
addresses frequently; subscribers get e-mails letting them know of the
new address. In the meantime, while the filter is still blocking the old
address, students are once again free to travel the Internet without
restriction.
Another approach is to block Port 443 traffic at the school's firewall,
so that no Port 443 traffic is allowed in or out at all. The problem is
that teachers and administrative users who need to perform transactions
online are prohibited from doing so. The firewall solution is basically
an "all or nothing" approach, and most schools find it too restrictive.
There are some new products on the market, and some updates to content
filters, that decrypt Port 443 traffic, compare the decrypted address
with the restricted list, and block the site if necessary; otherwise they
re-encrypt the request and send it on to its legitimate destination. The
decrypted request is visible only to the filter itself, not to anyone
else on the network, and no Port 443 traffic is passed on to restricted
sites. Because the filter has to present its own certificate to the
browser in place of the site's, the school's computers must be set up to
trust the filter or users will see certificate warnings. This provides
some measure of success, even if it is not a perfect solution.
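The four filtering positions described above (a URL filter watching plaintext Port 80, an IP blocklist for the "anonymizer" site, the firewall rule that drops all Port 443, and the decrypting filter) can be simulated in a few dozen lines. The Python below is an added example written for this page; it is not a product's code and not the article's own. The host names, IP addresses, request text and the TlsStream stand-in for an encrypted session are all constructed for the illustration: a filter that does not terminate the session sees only the packet headers, which is what the stand-in exposes.

```python
"""Simulation of what a content filter can see and block in each of the
configurations the article describes. All hosts, IPs and requests below
are constructed for illustration (RFC 5737 test addresses)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class TlsStream:
    """Stand-in for an encrypted Port 443 session. A filter that does not
    terminate the session sees only the packet headers (dst_ip); the HTTP
    request inside is available only to a filter that decrypts it."""
    dst_ip: str
    inner_request: bytes      # plaintext request the browser encrypted


@dataclass
class Policy:
    restricted_hosts: set = field(default_factory=set)  # blocklist by name
    restricted_ips: set = field(default_factory=set)    # blocklist by IP
    block_all_443: bool = False   # the firewall "all or nothing" rule
    decrypt_443: bool = False     # decrypt, inspect, re-encrypt filter


def parse_http_request(raw: bytes) -> str:
    """Return the absolute URL asked for by a plaintext HTTP/1.x request.
    Accepts proxy-style request lines (GET http://host/path) and
    origin-form lines (GET /path plus a Host header)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if target.lower().startswith(("http://", "https://")):
        return target
    return "http://" + headers.get("host", "") + target


def decide_port80(raw: bytes, policy: Policy) -> str:
    """Port 80: the URL is in the clear, so the filter matches the host."""
    host = urlsplit(parse_http_request(raw)).hostname or ""
    return "block" if host in policy.restricted_hosts else "allow"


def decide_port443(stream: TlsStream, policy: Policy) -> str:
    """Port 443: what the filter can act on depends on how it is set up."""
    if policy.block_all_443:
        return "block"        # firewall rule; breaks legitimate checkouts too
    if stream.dst_ip in policy.restricted_ips:
        return "block"        # IP blocklist; stale as soon as the site moves
    if policy.decrypt_443:
        # Decrypting filter: the inner request is inspected like plaintext.
        host = urlsplit(parse_http_request(stream.inner_request)).hostname or ""
        return "block" if host in policy.restricted_hosts else "allow"
    return "allow"            # opaque to the filter; nothing to match on


def demo() -> dict:
    """Run the article's scenarios and return {scenario: decision}."""
    direct = b"GET http://blocked.example/page HTTP/1.0\r\nHost: blocked.example\r\n\r\n"
    via_anon = (b"GET /surf?url=http://blocked.example/page HTTP/1.0\r\n"
                b"Host: anonymizer.example\r\n\r\n")
    checkout = b"GET /checkout HTTP/1.0\r\nHost: shop.example\r\n\r\n"
    anon_old = TlsStream("203.0.113.10", via_anon)  # anonymizer at listed IP
    anon_new = TlsStream("203.0.113.11", via_anon)  # same service, IP changed
    shop = TlsStream("203.0.113.20", checkout)      # a legitimate purchase

    url_only = Policy(restricted_hosts={"blocked.example"})
    ip_list = Policy(restricted_hosts={"blocked.example", "anonymizer.example"},
                     restricted_ips={"203.0.113.10"})
    firewall = Policy(block_all_443=True)
    decrypting = Policy(restricted_hosts={"blocked.example", "anonymizer.example"},
                        decrypt_443=True)
    return {
        "direct request on port 80": decide_port80(direct, url_only),
        "anonymizer over 443, URL filter only": decide_port443(anon_old, url_only),
        "anonymizer over 443, IP on list": decide_port443(anon_old, ip_list),
        "anonymizer over 443, IP changed": decide_port443(anon_new, ip_list),
        "anonymizer over 443, all 443 blocked": decide_port443(anon_new, firewall),
        "shop checkout over 443, all 443 blocked": decide_port443(shop, firewall),
        "anonymizer over 443, decrypting filter": decide_port443(anon_new, decrypting),
        "shop checkout over 443, decrypting filter": decide_port443(shop, decrypting),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{decision:5}  {scenario}")
```

Running the file prints one line per scenario. The IP-based policy blocks the "anonymizer" only until its address changes, the firewall policy blocks the shop checkout along with the "anonymizer", and only the decrypting policy blocks the "anonymizer" by name while letting the checkout through, which is the trade-off the article lays out. The decrypting branch here applies the same host blocklist to the decrypted request; it does not model anything a real product does beyond that.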
So, you just finished installing the update to your content filter that
can analyze and restrict Port 443 traffic. You feel pretty good about
this, right? Don't get complacent. New peer-to-peer "anonymizer"
services are already cropping up around the Internet. But that's a story
for another day.