Using Google Apps? Don't block encrypted search

Using Google Apps? Don't block encrypted search

Summary: Many schools have blocked Google secure search to prevent kids from bypassing content filters...they've also managed to prevent students and staff from getting to Google Apps.

SHARE:
TOPICS: Browser, Apps, Cloud, Google
11

Google introduced encrypted search last week, allowing users who accessed https://www.google.com to avoid having their search results intercepted, presumably by wayward Google Streetview vans.  It also allows clever students to see all sorts of naughty search results, thumbnails, etc., if your content filter doesn't scan encrypted traffic.  The solution? Well, some might say, get a content filter that scans secure traffic. Most would just block https://www.google.com. Simple enough, right?

Not so fast. Guess where Google Apps, including Google Apps for Education, live? That's right: subdomains of this secure site.  Even if you set up canonical domains or forwards (e.g., https://mail.yourschool.edu), all Apps traffic ultimately passes through a secured subdomain, folder, or canonical domain of google.com.  San Diego Unified School District users of Google Apps found out last week what happens when their administrators block Google's encrypted search.  According to a Google Certified Teachers listserv (thanks to Joseph Hartman for the  forward),

San Diego Unified has been blocking it since last Thursday. You can block https domains (https://google.com for example), but when signing in to a google account the password is sent over https. Since all Apps for Ed are in Google's domain they are blocked from signing in because they usehttps://google.com to authenticate. So if I take my laptop home, sign in to google and then go on campus I'm golden because I'm not using https at all, my password's already been authenticated. But if I ever sign out on campus I'm locked out again...

We've been without email/docs/calendar and all the rest for over a week now (staff and students) and don't break for summer until the 25th. My principal told all the faculty/staff yesterday to sign up for yahoo or hotmail accounts to use for the rest of the year (and I'll spare you the details of how disruptive this has been for our students, all working on year-end projects just to have them yanked out from underneath them, trying to salvage work with OpenOffice). Ugh.

When I contacted Google about the problem, Kat Eller, Google spokesperson, gave me the following statement:

We’re aware that encrypted search can create difficulties for some educational institutions using other Google services.  We’re very sorry for the inconvenience, and are working to identify a solution as fast as possible.  An imperfect and temporary fix is to enable our SafeSearch lock feature.

The San Diego system administrators have dismissed the SafeSearch lock approach for a lack of scalability. However, this problem, which is certainly not limited to San Diego schools, begs the question: Is this Google's problem or the problem of overly Draconian sys admins?

Properly filtering https traffic can be a heavy burden on the average content filter and raises plenty of privacy concerns. Without it, though, every kid with his salt knows that he or she can access Facebook via https://facebook.com.  And yet, the situation described in San Diego is completely unacceptable. Summer will be here in no time and teachers have come to rely upon Google Apps to do their jobs.  A bit of extra supervision would go a long ways towards ensuring that students aren't abusing secure Google search for the balance of the year while Google finds a permanent solution over the summer.

And Google, you are going to find a permanent solution over the summer, aren't you? Kat Eller said you're working as fast as possible.  I imagine that's true, since schools aren't the only organizations that filter content.  Lots of those enterprise customers that Google is trying to woo to Google Apps also have content filtering hardware, software, and policies in place.

The best incentive, though, for Google to solve this problem quickly comes from that post on the Google Certified Teacher listserv:

"...at this point I'd be lying if I said we weren't investigating a move to Microsoft Live@edu, especially with the Office Web Apps release due later this month."

Topics: Browser, Apps, Cloud, Google

Christopher Dawson

About Christopher Dawson

Chris Dawson is a freelance writer, consultant, and policy advocate with 20 years of experience in education, technology, and the intersection of the two.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

11 comments
Log in or register to join the discussion
  • RE: Using Google Apps? Don't block encrypted search

    This is an epic-win for my blog - the last quote especially :)
    zwhittaker
  • RE: Using Google Apps? Don't block encrypted search

    Root cause:

    1) Google isn't really an enterprise player. Their DNA assumes that their users are empowered to make their own decisions. This is the "libertarian/consumer" market.

    2) Most school districts are prevented by law from empowering the kids - and they don't always trust the teachers! This is the "fascist/IT" market.

    The philosophical stance of Google and schools is incompatible. The only reason schools look at Google is it's free/cheap and their IT capabilities are so underfunded (and sometimes incompetent) that they have to outsource to Google to provide a bare minimum of what students and teachers need to get their job done.

    Microsoft - because it understands the controlling/centralized mindset - can shift schools from premises based email and collaboration to cloud-based solutions. They will get the pricing and packaging in place more quickly than Google will get the enterprise control features in place.
    dstein42
  • Cheers Chris

    Thanks for highlighting this Chris. It's a huge problem for us and I appreciate your taking the time to discuss it on your blog. Honestly, the most frustrating part has been the lack of communication, both from the district and Google. I understand it's a big problem for everyone, but at least let us know if a solution is being pursued or not so we can plan for the future. (Consistent communication is a good lesson for any support technician to learn I suppose). Like I said in the original post, I bleed Google and want nothing more than to continue to support my colleagues and students in their utilization of Google's wonderful products. I'm encouraged to hear Kat's response and hopeful a solution will be found soon. Thanks again. -Joseph
    jlhartman
  • Network administrators trying to be China

    And Google didn't get along well with China in the end, either.

    I, for one, welcome our paranoid infantilising computer use supervisors. Because if I don't then ZDNet won't be hearing from me again any time soon.
    Robert Carnegie 2009
  • Blocked apps

    The issue that the teachers need to be making noise about is the timing of this. Two weeks before school is out? What sysadmin decided that was a good idea. Somebody needs to explain to the administrators that their clients are the students. They could have waited till school was out and then worked out the details over the summer. <br><br>San Diego is a large district. There will be parents out there that will Insist on knowing who, by name, implemented this mess. If there is any impact on a students grades or class standing because they could not access their documents on a schools server there will be hell to pay. Nothing enrages parents as much as somebody messing with their kids.
    lars626
  • I respectfully disagree.

    This is something Google should help address.

    While certainly techincal solutions exist independant of Google, public schools typically do not pay as well as private sector jobs and therefore have less resources to implement such solutions.

    You forget that USA federal laws, such as CIPA, stipulate effective filtering for schools to receive various types of funding. Many states have simliar laws for their funding as well. Schools ignoring the "https backdoor via Google" to bypass their current filtering systems risk losing major sources of funding.

    It seems to me Google has a fairly simple techincal change which would likely let most school filter admins setup a suitable policy.

    1) Use a special URL, such as https://private-search.google.com/, for this feature.

    2) Configure their servers to issue HTTP redirects for https://www.google.com/ to https://private-search.google.com/

    Once Google does this, so the problematic encrypted search feature in the end only uses the "private-search.google.com" URL, school admins can now simply block SSL connections to that URL. Then schools are not risking their funding by ignoring the problem, access to Google apps are not impacted, and none of Google's normal users are impacted since the current URL stilll responds correctly with a redirect to the working address.

    You may not be happy with the funding laws that impact schools on this. Many reasonable people don't agree with such laws. But that is a different issue; schools cannot ignore the laws that impact them.
    mathandmetal
  • RE: Using Google Apps? Don't block encrypted search

    Concerning the statement ?The San Diego system administrators have dismissed the SafeSearch lock approach for a lack of scalability.? Actually not true at all. What became apparent right away was that Google SafeSearch can be turned off using encrypted search. Content filter systems allow for ?enforcing? SafeSearch over standard Google search even if the end user attempts to disable it. With encrypted searches that ability is defeated entirely. Combine that with the elimination key word filtering as well, and returned search results can easily contain illicit content and explicit thumb nail images under video search.
    grantgg@...
  • The reason why Google puts their Google Apps where it is

    is because Google is essentially anti-censorship. There is no money to be made with thousands of "other people's kids" using free software, especially children. Children just take up valuable server space. Children require server-side filtering. By leaving GoogleApps where they are, Google will leverage their anti-censorship pose into either having school districts remove content filtering, or, gain financially by not having children on line using GoogleApps.
    Google doesn't like taxes. Children are "other people's children". Don't expect anything from Google any time soon.
    Mahegan
  • RE: Using Google Apps? Don't block encrypted search

    "Google will leverage their anti-censorship pose into either having school districts remove content filtering" - and who will pay for any lawsuites brought by parents when their children are exposed to images as is only a matter of time before full image search is brought into this regime?<br><br>Anti-censorship is one thing - child safety is another. Would those advocating allowing this encrypted search countenance putting pornographic magazines in the school library?

    Note to Kat at Google - the solution is very simple and has already been identified above so it should not take long to implement. Tomorrow will do!
    john.hackett@...
  • Further Info on This Issue

    http://googleenterprise.blogspot.com/2010/06/update-on-encrypted-web-search-in.html

    I'm surprised. Google appears to have listened.
    dog15bert
  • Why not use safe applications like Gaggle?

    I just read your article and recently attended a school CIO meeting where we heard several schools discussing polar positions on student safety and the wide-open use of the Internet. It seems like half the schools see safety as a big concern and are blocking sites like Google entirely, while others are taking the approach that students need to be taught responsible Internet usage and should be responsible for their actions (a very scary concept to the other side of the issue).<br><br>At Gaggle (www.gaggle.net), we scratch our heads all the time at both of these situations. We have been taking the best aspects of all the social learning, collaboration and communication tools and putting them in a student and teacher-friendly platform while filtering content using a sophisticated algorithm which only blocks inappropriate content at levels that school administration can easily set.<br><br>We like to think we are re-opening the best of the Web for students and staff, and we do so at a fraction of the cost of the milk program for a student! Many of our schools take advantage of the eRate program which provides Federal funding up to 80%+ for schools to purchase Gaggle.<br><br>I'm sorry for this shameless plug, but it really is for the benefit of your readers who may be frustrated by the same situation as San Diego. There are really good options out there that are safe, and Gaggle is one of them. Gaggle has a 10-year legacy of providing safe online learning applications along with the freedom to use the Web again to over 1,000 districts and 2 million students and teachers. <br><br>We truly hope schools will look at safe options for students. Denying safe 21st Century tools to our children, as Mr. LaGace indicated in another interview, is "a crime".
    wood@...