Issue with Google secure search on google.com and YouTube for Schools

A few weeks ago Google changed their search facility to an encrypted one. This meant that Safe search could not be employed due to the encrypted connection. Users can then search for any material, including malicious or harmful material, which will be displayed without any filtering.

After some talks with Google they have confirmed that they have made the requested changes. This means DNS (or hosts file) mangling is no longer an absolute requirement in order to block secure search. Google have also now extended secure search to all country codes, so rerouting www.google.com is no longer sufficient to block it!

The method below can now be used to block access to all Google secure search on google.com and all Google country sites whilst retaining the ability to log in to various Google services. 

Rewrite all CONNECT requests for www.google.com and all www.google.ss.cc over port 443 to nosslsearch.google.com

nosslsearch.google.com will respond by redirecting the browser to the corresponding http: site, i.e. if https://www.google.com is requested the browser is redirected to http://www.google.com,
if https://www.google.co.uk is requested the browser is redirected to http://www.google.co.uk, etc.

An example regex to do this is "(^www\.google\.[A-Za-z0-9.]*$)" rewrite to "nosslsearch.google.com"

The old method can then be undone by removing the www.google.com /etc/hosts entry in the final cache.

This is a much more resilient solution, with http: Google traffic following the normal DNS lookup route and just Google https: traffic being re-routed to nosslsearch.google.com, with the target IP address being looked up in DNS in the normal manner.

We have successfully tested this on https://www.google.com, https://www.google.co.uk and a selection of other country sites.
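The rewrite rule above, sketched as an added example (not E2BN's code or any filtering product's configuration): a Python function that applies the quoted regex to the host of a CONNECT request line and substitutes nosslsearch.google.com. The function name `rewrite_connect` and the sample request lines are assumptions made for illustration.

```python
import re

# Pattern quoted in the text above, matched against the CONNECT host only.
SECURE_SEARCH_HOST = re.compile(r"(^www\.google\.[A-Za-z0-9.]*$)")
NOSSL_HOST = "nosslsearch.google.com"


def rewrite_connect(request_line):
    """Return the request line a proxy would forward for a client request.

    Only CONNECT requests to port 443 whose host matches the pattern are
    rewritten; plain http requests, other hosts and other ports come back
    unchanged, so they follow the normal DNS lookup route.
    """
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return request_line
    method, target, version = parts
    host, sep, port = target.rpartition(":")
    if not sep or port != "443":
        return request_line
    # Hostnames are case-insensitive and may carry a trailing root dot.
    host = host.lower().rstrip(".")
    if SECURE_SEARCH_HOST.match(host):
        return f"{method} {NOSSL_HOST}:{port} {version}"
    return request_line


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "CONNECT www.google.com:443 HTTP/1.1",      # rewritten
    "CONNECT WWW.Google.co.uk:443 HTTP/1.1",    # rewritten, case-insensitive
    "CONNECT accounts.google.com:443 HTTP/1.1", # untouched: logins still work
    "GET http://www.google.com/ HTTP/1.1",      # untouched: plain http
    # The pattern accepts any suffix after "www.google.", so this unrelated
    # host is rewritten too: the rule over-blocks rather than under-blocks.
    "CONNECT www.google.com.example.org:443 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:52} -> {rewrite_connect(line)!r}")
```

The last sample shows that the pattern is not limited to Google's own country domains; anything it over-matches is sent to nosslsearch.google.com rather than let through.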

YouTube for Schools

This service was launched last week in the US and is available here in the UK. There were some issues with it, namely that students could bypass the filter and go to an unrestricted version of YouTube. Philip Pearce at E2BN has been working on this with his team and they have found a solution.

The issue with YouTube for Schools, as enabled according to Google's instructions
at http://support.google.com/youtube/bin/answer.py?hl=en&answer=1686318,
is that students can bypass the YTS filter entirely by going to https://www.youtube.com

The fix is to specifically block https://www.youtube.com while allowing access via http to the whole of the youtube.com domain. (This does not affect the ability of a user to log in to YouTube, as all YouTube logins are now done at https://accounts.google.com.)

So to summarise: 

Replace Google's Step 3  "REMOVE YouTube Domains Blocked" with:

Block ALL access to  https://www.youtube.com

Remove any blocks on http access to youtube.com, ytimg.com and their sub-domains.

With this revision, it now seems solid and ready for use! 

If you use the Protex filtering system then please see Philip's note below on how they have set it up. You may wish to do something similar with your own filtering product.


Note: Schools are not able to control play lists unless a school-specific edufilter code can be added to their youtube traffic.

We have registered E2BN as a 'school district' in order to allow global access to YouTube EDU to all Protex users. With this schools will not be able to add videos to the play list directly - they will have to submit them to us to add to the Protex play list or to YouTube directly as a suggestion for adding to the global EDU list. The restriction only to YouTube EDU access will not apply to staff in schools, who with Protex have always had access to YouTube.

Schools who have a local Protex system will be able to register with YouTube and then have direct control via their YouTube admin account of adding videos to be viewed by their pupils.