Universities experiences with SSL Decryption?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Universities experiences with SSL Decryption?

L4 Transporter

Greetings all,

 

I'm looking for other admins' experiences with utilizing the SSL Forward Proxy decryption options in a university environment.  General overall experiences would be good but, specifically, I'm wondering about:

 

  • Did you go SSL Decrypt everywhere or only on certain networks (i.e. academic networks but no residence networks for on-campus housing, guest wireless, etc)?
  • What, if anything, did you explicitely set not to decrypt?
  • What was the overall user feedback from the staff/students/faculty/administration?
  • Were the benefits worth it?
  • What hurdles did you face in trying to plan and implement it?

Alternatively, if your site chose not to use it for any reason I'd be curious about points against it as well.

 

In my reading I've already found a few hurdles, including deploying the cert to non-domain computers as well as Firefox's thing of not using the Windows cert store.

 

Thanks!

11 REPLIES 11

Cyber Elite
Cyber Elite

There are a ton of issues that you can run into with this; all of them solvable but some of them will likely need a good lawyer to protect yourself if you are running it on your campus housing. 

 

  • Did you go SSL Decrypt everywhere or only on certain networks (i.e. academic networks but no residence networks for on-campus housing, guest wireless, etc)? -In general I wouldn't run SSL Decryption on a resident network or guest wireless. I tend to only run encryption on devices that I 'care' about. If you actively intercept and decrypt student/guest traffic you are going to need to make that clear either in the captive portal or the aggreements the students sign at the start of the semester. In general I wouldn't want to run the resource draw of implementing this on computers that I really dont' care what they are downloading or anything like that. The PA allows basic insight as is.
  • What, if anything, did you explicitely set not to decrypt? - Banking/Finance websites mainly. 
  • What was the overall user feedback from the staff/students/faculty/administration? Most people will never notice that any decryption is on-going if you set everything up correctly and put the right processes in place.
  • Were the benefits worth it? It's worth it if you are implementing it on your own machines. The process of doing this on a guest network or a student housing network is generally so involved not only in the setup but also maintaining everything that I wouldn't recommend it. 
  • What hurdles did you face in trying to plan and implement it? Generally just the process of keeping everybody happy and making everything as seemless as possible. When you start getting away from Domain computers the troubles associated with implementing this increases drastically. Outside of that it really isn't that difficult and again most people will never notice a difference. 

Thanks for the reply BPry.

 

The non-domain computers definitely are the biggest hurdle I've come across so far (well, that and the previously mentioned issue with the Firefox browser).  I've been trying to figure out a good deployment method here including maybe coming up with some install packages or scripts to assist a user in easily installing the cert in the correct place.  Another option would be a knowledgebase article, should we proceed with this feature.

 

I've also seen some oddities when a website only partially loads.  Amazon.com is one of these as I've added Shopping sites to the list of sites to not decrypt but Amazon has a bunch of files coming from an image server that is categorized as "Content Delivery Networks".  The result is the page tries to load because the top level domain is Shopping and is excluded from SSL Decryption, however, most of the page doesn't load due to content coming from another server that doesn't fall under Shopping.

 

**EDIT** Looks like the oddity that I'm seeing might be because of a combination of having categories of non-decrypt and the Opti-In page enabled.  Amazon would try to load but the Opt-In page hadn't been triggered and accepted so the the images and ads from other servers would not load.  

I've found that a small install package is usually the best way to set these up and it can be included in a login page and it's easy for people to understand. Depending on your operating system and settings scripts are not always the best solution. 

 

If you are selectively decrypting sites based on category then you will likely notice more sites over time that require special care. It's the nature of the beast really. 

I was thinking about this last night and kind of came to the same conclusion... an install package would certainly be easier on the end-users although one could also have support pages online to walk people through the steps manually.  It doesn't seem to matter which way you go, there would be a decent amount of setup work to come up with either instructions for the majority of major operating systems or a series of installers to support the main operating systems.

 

The more I think about this the more I feel like I'd recommend a phased rollout for the feature if it's something that is asked for.  Start off with decryption policies that are limited to networks where you know the clients all have the cert installed and then start moving through the organization doing one network segment at a time to get 100% installation on the stragglers.

 

Agreed on the note about selective dycription behavoir although I definitely think it was made worse when I had the Opt-In page enabled... seems like it would be better as an all or nothing if you're going to give them the Opt-In page option.  I imagine some selective decryption is probably unavoidable in many situations to help alleviate concerns about decrypting banking, credit card, and health information.

In general corporate owned devices or personal ones you're going to want to stay away from intercepting these categories.

 

Medical

Financial

Legal

Government

@Brandon_Wertz but I like violating HIPPA, they always come up with such big numbers for the fines 😉

BPry, did you make an install package for pushing the decrypt certificate to different web browsers (Firefox, Opera, Safari etc) on domain computers? If so, can you share some more details on how you did this?

even I am looking for  similar information ! . How to push for firefox.

@TerjeLundbo I appologize I never actually saw this come across. If you haven't already found it look at Firefox Autoconfig or there is an extension on Firefox itself for building the file, although I can't think of what it's called at this moment. Chrome also has mutiple different extensions and can be built in AD so that is less of an issue. I've never done this for Opera or Safari so ? 

 

@MunitSingla just so you actually see this as well.

 

I'll try and figure out what the package was that I made the Firefox config in, as it was a really easy program to work with that let you setup a bunch of stuff like this. 

Thanks, much appreciated.

 

I don't really care about ssl certificates in university, especially in the intricacies of setting up apache + ssl, I can create and connect a self-signed certificate (fortunately, Google is rich in manuals), but when I decided to try to fasten a real valid certificate, everything went at random.
https://www.domyhomework4me.onl

  • 6126 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!