Friday, 5 September 2014

The Web is Open... But Registration is Closed

Why Stop New Registrations of SafeSearchLock?

To answer this question we need to look at the direction the web is going and what has changed recently. Since the famous scandals concerning 'Prism' and various government agencies around the world snooping on the Internet habbits of their citizens (and those of other countries), there has been a panic over privacy online. This has caused many online service providers to start switching over to http over TLS (Transport Layer Security) also referred to as https. This encrypts the communication between the client (e.g. your web browser) and the server (e.g. the machine delivering the web site).

Web sites such as YouTube and Google now redirect users to the https versions of their sites by default, or even only allow access via https entirely. Google are actively increasing the search rankings of sites which use https over those which don't, no matter what the site is actually used for in a move to make others take their lead. We are seeing this behaviour more and more as other search engines and service providers follow suit.

HTTPS and the Myth of Privacy

Secure web connections using https are often promoted as a way to protect your privacy. This is indeed partly true due to the encryption. Anyone intercepting (or 'sniffing') the traffic will be unable to see what information is being passed. This sounds great BUT there are still two issues with it. The first is that they can still see which web sites you have visited, when and for how long even if they cannot see what information you sent or received from them. The second and most disturbing is that it does not prevent any third parties who have embedded content on the web site from seeing exactly what pages you are visiting and what you are clicking on while you are there. In short, if a web site puts in a tag or two to support things like adverts, analytics or even links to 'Like' this page or share it on social media sites, those companies can still track pretty much everything you do even over https.

A https connection can give a false sense of security for people who think it means they are not being snooped upon. If the web site owner/administrator has put in any content which links to external services then they are basically giving them free reign to monitor where you go on their site and track you if you have been to other sites utilizing the same services.

In conclusion, the move towards https for general web sites and the benefits that are being portrayed by such a move are not all that they seem. Obviously any site or web page which collects personal information or takes payments should always use https and encrypt communications for safety but we should also ensure that they do not contain any content (including links to javascript files or images) hosted by 3rd parties such as advertisers, analytics providers or social media.

Where Does This Leave SafeSearchLock?

The whole concept of SafeSearchLock was based around safety, ethics and doing everything above-board. The software does not send us usage information, there are no backdoors and there is nothing unethical about how it works. We use it ourselves for our own families so would never put their privacy at risk. The way it works is by looking at the URLs and pages you visit and it tweaks various settings and cookies in order to force safe searching (also known as family filters) on. As communication over https is encrypted, SafeSearchLock can only do this when you access these sites over http. Now that sites are increasingly only allowing access over https they can no longer be supported by SafeSearchLock.

There are ways around this. Some 'professional' filtering solutions will intercept the handshaking which occurs when a web browser first talks to a secure web site and the encryption is set up. They can then use techniques such as replacing the certificate of the site with one of its own so the encryption and decryption can be done by itself. When this kind of action is taken without your permission it is known as a 'man in the middle' attack. We class this as unethical, a breach of privacy, a security risk and something which is potentially unsafe. We won't do that.

So, unless there is a u-turn on sites which unnecessarily use https or we can think of an ethical and safe way to enforce safe searching while using a secure connection, the list of supported sites for SafeSearchLock will continue to decrease. The support requests we are receiving related to sites which can no longer be supported are increasing and taking up a lot of our time. This is making the software no longer economically viable. For this reason, and with a very heavy heart, we have decided to no longer accept new registrations. We will still support existing SafeSearchLock users for as long as we can as we have gathered an incredibly supportive customer base.

We have thoroughly enjoyed making SafeSearchLock and helping parents, teachers, guardians and adults all over the world keep their children safer online. Our only regret is that with the current direction that the web is taking, we will no longer be able to help the people who have given us so much praise for the last five years.

Thank you.

No comments:

Post a Comment