Jump to content

Recommended Posts

Posted

My company (a large education corporation) decided today that it will no longer allow web-based email or instant messaging access from any of its networks. That means blocking everything from GMail and Hotmail to AOL Instant Messenger and Windows Messenger. The decision came from the corporation legal team, amidst growing concerns over outside attacks and malware.

 

I was surprised to learn that this is a growing concern for companies. I had been under the impression that malware was on the decline. Between anti-virus programs, pop-up blockers and anti-spyware products, I can't remember the last time I had malicious code on any of my half-dozen computers. I have seen malware running on some of my students computers, but I usually dismiss that as being due to a lack of basic vigilence on the part of the user.

 

But this issue actually extends past the simple malware concern. One of the reasons stated for the move was the ability by corporate employees to easily release company secrets via these methods. I can see their point -- it's pretty darn easy to open a browser window and paste text into a Hotmail. But is cutting off Hotmail actually going to stop that? Can't they just paste it into a text file and stick it on a thumb drive?

 

This also strikes me as a very retro move, like something out of the late 1990s. Didn't we stop doing this sort of thing because of the inconvenience it was causing users?

 

What do you all think? How are your companies and campuses doing? Are they increasing or decreasing these kinds of controls? And what impact is that having on users?

Posted

My campus dosen't allow email access though POP or IMAP so we have to use webmail. but other than that they don't really care what we do.

Posted
  ecoli said:
can't you set up a proxy server to get around this anyway?

 

This is one of the things I've been wondering. This company used to implement web site filtering, but it was very easy to get around it using proxy sites. They seemed to figure that out and eventually dropped the filtering. What I'm wondering is if new technology has come along that is impervious to filtering controls.

 

In short, can they actually prevent someone from accessing Hotmail, Gmail, etc?

Posted

Malware is most certainly on the rise now. The current trend is not the traditional virus that wipes your hard drive but botnets that use your computer to send spam, and some botnets are estimated to consist of several million computers.

Posted

If you use something like Gmail, just use https://mail.google.com instead. Secure sites cannot be filtered.

 

However, this talk is in violation of our own rules and we'd probably better stop :P

Posted
Do you know how they do it, swansont, or if it can be circumvented?

 

Block list at the main firewall, I think. I suspect that you could route to it if you could connect to some other site first, that's on the outside.

 

If you use something like Gmail, just use https://mail.google.com instead. Secure sites cannot be filtered.

 

I don't think that's true. I get a message that https://blahblahblah can't be found (and not because it's not a real address :) ). https still goes to a URL, but out a different port, and you can still set up a control list AFAIK.

Posted

I think you could stop *ALL* secure traffic by just blocking all https requests, couldn't you?

 

That's interesting about addressing. I guess it makes sense, though -- you've still got to get DNS name resolution somehow.

Posted
https:// requests, unless they decrypt them, don't reveal the website you're requesting. They may block IP addresses directly, since secure sites have to have their own unique IP.
ssh is the best way to go. It works like a proxy so the ip/domain isn't revealed AND all the data is encrypted.
Posted

I know it doesn't reveal the destination address to the client, but surely it has to reveal it to the DNS server or you wouldn't be able to get address resolution and thereby reach the destination page. And since the first DNS server you typically contact is a local one, possibly owned by your employer, that suggests to me that a piece of software could interfere with that resolution at that time, based on a filter.

 

But maybe I'm missing something here.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.