Using Google Apps? Don't block encrypted search

Many schools have blocked Google secure search to prevent kids from bypassing content filters...they've also managed to prevent students and staff from getting to Google Apps.
Written by Christopher Dawson, Contributor on

Google introduced encrypted search last week, allowing users who accessed https://www.google.com to avoid having their search results intercepted, presumably by wayward Google Streetview vans.  It also allows clever students to see all sorts of naughty search results, thumbnails, etc., if your content filter doesn't scan encrypted traffic.  The solution? Well, some might say, get a content filter that scans secure traffic. Most would just block https://www.google.com. Simple enough, right?

Not so fast. Guess where Google Apps, including Google Apps for Education, live? That's right: subdomains of this secure site.  Even if you set up canonical domains or forwards (e.g., https://mail.yourschool.edu), all Apps traffic ultimately passes through a secured subdomain, folder, or canonical domain of google.com.  San Diego Unified School District users of Google Apps found out last week what happens when their administrators block Google's encrypted search.  According to a Google Certified Teachers listserv (thanks to Joseph Hartman for the  forward),

San Diego Unified has been blocking it since last Thursday. You can block https domains (https://google.com for example), but when signing in to a google account the password is sent over https. Since all Apps for Ed are in Google's domain they are blocked from signing in because they usehttps://google.com to authenticate. So if I take my laptop home, sign in to google and then go on campus I'm golden because I'm not using https at all, my password's already been authenticated. But if I ever sign out on campus I'm locked out again...

We've been without email/docs/calendar and all the rest for over a week now (staff and students) and don't break for summer until the 25th. My principal told all the faculty/staff yesterday to sign up for yahoo or hotmail accounts to use for the rest of the year (and I'll spare you the details of how disruptive this has been for our students, all working on year-end projects just to have them yanked out from underneath them, trying to salvage work with OpenOffice). Ugh.

When I contacted Google about the problem, Kat Eller, Google spokesperson, gave me the following statement:

We’re aware that encrypted search can create difficulties for some educational institutions using other Google services.  We’re very sorry for the inconvenience, and are working to identify a solution as fast as possible.  An imperfect and temporary fix is to enable our SafeSearch lock feature.

The San Diego system administrators have dismissed the SafeSearch lock approach for a lack of scalability. However, this problem, which is certainly not limited to San Diego schools, begs the question: Is this Google's problem or the problem of overly Draconian sys admins?

Properly filtering https traffic can be a heavy burden on the average content filter and raises plenty of privacy concerns. Without it, though, every kid with his salt knows that he or she can access Facebook via https://facebook.com.  And yet, the situation described in San Diego is completely unacceptable. Summer will be here in no time and teachers have come to rely upon Google Apps to do their jobs.  A bit of extra supervision would go a long ways towards ensuring that students aren't abusing secure Google search for the balance of the year while Google finds a permanent solution over the summer.

And Google, you are going to find a permanent solution over the summer, aren't you? Kat Eller said you're working as fast as possible.  I imagine that's true, since schools aren't the only organizations that filter content.  Lots of those enterprise customers that Google is trying to woo to Google Apps also have content filtering hardware, software, and policies in place.

The best incentive, though, for Google to solve this problem quickly comes from that post on the Google Certified Teacher listserv:

"...at this point I'd be lying if I said we weren't investigating a move to Microsoft Live@edu, especially with the Office Web Apps release due later this month."

Editorial standards