It’s not surprising that online security is a commonly misunderstood and confusing topic for most people. Our news media throws around big words like cyberbullying and cyberattack so much that laymen are discouraged from sorting through the madness themselves. But honestly, it may not be their fault. Computer security has only recently become relevant to the average person because so much of our lives has moved onto the Internet. Whether or not humans are prepared to handle the gradual eradication of human interaction is a different matter. For now, I just want to explain the nature of security and its relation to what happened in 3rd period today.
See, the Internet is inherently insecure. Each request you send goes through several computers, all of which can read or alter the data if they want to. Originally, when networks were used for sending messages from place to place, security wasn’t necessary. Now that we’ve got things like private email and online banking, transnational organizations have created infrastructure to make the Internet somewhat safer. When I say transnational, I mean that the US (and US corporations) invites a couple of its buddies to watch it make all the decisions.
For secure websites like Gmail, there are two goals of security: making sure nobody but you can read what you send/receive, and making sure that you really are sending/receiving data from Google. People who want to sound smart call these encryption and authentication, respectively. Essentially, Google leaves its own little watermark on every package of data that it sends. Your web browser can tell that the data is indeed unaltered content directly from Google because the watermark is intact.¹ Typically, your computer and Google can talk to each other securely without anybody eavesdropping.
Now, our school network is a bit different. To make sure students aren’t screwing around on the Internet, the school has to check the contents of every page. But because encrypted traffic is unreadable, Webwasher, the school’s web filter, has to take a different approach. Webwasher impersonates Google, and every other banking, e-commerce, or secure website on the Internet. Encryption exists, yes. But computers on our school network set up a secure connection with Webwasher first, which then communicates with websites on the Internet on your behalf. In this way, Webwasher can still filter out bad content and things.
Normally, web browsers would not tolerate this. They would recognize that Google’s usual watermark is distorted and apparently fake. They are supposed to reject the page and warn the user that something is wrong. Webwasher’s solution to this? Compromise the browser. Internet Explorer at school is installed with Webwasher’s certificate, so that it trusts all the traffic coming from the impersonating man-in-the-middle.
In their defense, Webwasher says that they use this pervasive method to stop “malware that uses SSL to communicate” and “secure web proxies”. They also say that they get rid of the traffic after they’re done filtering it, so nobody can look at it. This kind of thinking is certainly flawed: it groups websites like Amazon and Google with malware and proxies. Whether the school knows about this, I don’t know. Whether the traffic is really destroyed, I don’t know. It’s not illegal either: you signed an agreement with the school letting the district “access, review, copy, and store” any information, secure or not, that you send over their network. But I think it’s fair to let you know: accessing the Internet at school does not give you the same end-to-end security as doing so at home, or even at public places like Starbucks, does. It’s very much possible that schools keep records of your email and social networking passwords, for who knows what. Please think about it.
You can read more about their explanation here. I found this a bit ironic: “Legitimate certificates can be acquired easily by criminals, causing Web users to erroneously believe the information they provide is secure.”
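
One way to see this interception from the client side, as an added example that is not part of the original post: because the school browser trusts the filter's certificate, validation succeeds and no warning appears, yet every site's certificate names the same issuer. The host and CA names are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `shared_issuer` is a hypothetical helper implementing a heuristic, not a definitive test.

```python
import socket
import ssl
from collections import Counter


def issuer_name(cert):
    """Flatten the issuer field of a getpeercert() dict into {attr: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def fetch_cert(host, port=443, timeout=5):
    """Return the validated certificate presented for host (needs network)."""
    ctx = ssl.create_default_context()  # uses the machine's own trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def shared_issuer(certs_by_host, min_hosts=2):
    """Return the one issuer that signed every host's certificate, else None.

    Heuristic: pick hosts that normally use different public CAs. A single
    issuer covering all of them points to an intercepting proxy whose
    certificate has been installed as trusted on this machine.
    """
    names = Counter()
    for cert in certs_by_host.values():
        issuer = issuer_name(cert)
        names[issuer.get("organizationName") or issuer.get("commonName")] += 1
    name, count = names.most_common(1)[0] if names else (None, 0)
    if name and count == len(certs_by_host) and count >= min_hosts:
        return name
    return None


def _cert(subject_cn, issuer_org, issuer_cn):
    """Build a constructed sample in the shape getpeercert() returns."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("organizationName", issuer_org),),
                       (("commonName", issuer_cn),))}

# Constructed samples; every host and CA name here is illustrative.
AT_HOME = {"mail.example": _cert("mail.example", "Public CA One", "CA One R1"),
           "bank.example": _cert("bank.example", "Public CA Two", "CA Two G2")}
AT_SCHOOL = {"mail.example": _cert("mail.example", "Example District", "Filter Root"),
             "bank.example": _cert("bank.example", "Example District", "Filter Root")}

if __name__ == "__main__":
    print(shared_issuer(AT_HOME), shared_issuer(AT_SCHOOL))
```

To run it against a real network, build the dictionary with `fetch_cert` for a few sites you know use different certificate authorities and pass it to `shared_issuer`.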
1. Actually, SSL certification is more complicated than this. It involves additional organizations called Certificate Authorities and certain algorithmic concepts in computer science like public-key cryptography and key-exchange mechanisms.