But the search suggestions use https://clients1.google.com/ and google should let schools know that block that as well. (Or maybe schools block all https except known good ones?)
It sounds to me from the blog post that the change hasn't been made yet.
We’re working hard to address this issue as quickly as possible and in a few weeks we will move encrypted search to a new hostname – so schools can limit access to SSL search without disrupting other Google services, like Google Apps for Education.
So Google made this change to accommodate the schools' inability to filter based on host and https mode. And some of the schools' solution was to block https all together. Basically the schools' filtering is lame, so Google (in the interest of doing things right) solves this by tweaking their side.
Unfortunately, Google didn't have much of a choice. However incompetent or misguided the schools' reaction to blocking encrypted search, it immediately broke Google Docs (and possibly other resources) for many of them. Google probably can't afford to give up this foothold, or to appear unreliable. The schools aren't upset at the existence of encrypted search, they just want a dead easy way to block it on their networks.
It does seem pretty weird that Google would make a change like this that effects everyone just to appease some schools that can't figure out how to properly configure their firewalls.
They did it because it was the easiest way for google to make it easy to filter out encrypted search without breaking their other services. A very simple change for google -vs- a very difficult firewall configuration for a network administrator.
(You can't just block https://www.google.com/ without breaking a whole bunch of other services you may want to be using)
(and you probably don't have the budget & manpower to deploy the type of network you would need to scan & filter HTTPS traffic as an organization if you are a school, either)
It's trivial (but evil) for an organization like a school to set up a proxy for https, since they are in a position to install the necessary root certificates in browsers (classic MITM attack). Devices are already on the market to make this easy to deploy (shudder).
Schools wish to prevent students from accessing certain information. Encrypted search could allow such students to escape detection/punishment if they access that information anyway.
because students try and access blocked content using https, and it is not just for Google. Most blocked websites can be accessed thorough https if supported.
This is the exact reason I hate blacklisting and sense technologies they use in schools and companies. Why not use a proper Firewall else that messing up with DNS entries!
25 comments
[ 4.3 ms ] story [ 66.8 ms ] threadSo I don't really understand what they did here.
Did it return a 200 to you for https://google.com/?
But the search suggestions use https://clients1.google.com/ and google should let schools know that block that as well. (Or maybe schools block all https except known good ones?)
We’re working hard to address this issue as quickly as possible and in a few weeks we will move encrypted search to a new hostname – so schools can limit access to SSL search without disrupting other Google services, like Google Apps for Education.
Presumably schools whitelisted specific sites to allow https, and google was one of them, until it became a problem.
It's not possible to do that. The firewall has no idea what's being communicated because it's encrypted!