Pangloss Posted September 29, 2007 Posted September 29, 2007 My company (a large education corporation) decided today that it will no longer allow web-based email or instant messaging access from any of its networks. That means blocking everything from GMail and Hotmail to AOL Instant Messenger and Windows Messenger. The decision came from the corporation legal team, amidst growing concerns over outside attacks and malware. I was surprised to learn that this is a growing concern for companies. I had been under the impression that malware was on the decline. Between anti-virus programs, pop-up blockers and anti-spyware products, I can't remember the last time I had malicious code on any of my half-dozen computers. I have seen malware running on some of my students computers, but I usually dismiss that as being due to a lack of basic vigilence on the part of the user. But this issue actually extends past the simple malware concern. One of the reasons stated for the move was the ability by corporate employees to easily release company secrets via these methods. I can see their point -- it's pretty darn easy to open a browser window and paste text into a Hotmail. But is cutting off Hotmail actually going to stop that? Can't they just paste it into a text file and stick it on a thumb drive? This also strikes me as a very retro move, like something out of the late 1990s. Didn't we stop doing this sort of thing because of the inconvenience it was causing users? What do you all think? How are your companies and campuses doing? Are they increasing or decreasing these kinds of controls? And what impact is that having on users?
ecoli Posted September 29, 2007 Posted September 29, 2007 can't you set up a proxy server to get around this anyway?
Rakdos Posted September 29, 2007 Posted September 29, 2007 My campus dosen't allow email access though POP or IMAP so we have to use webmail. but other than that they don't really care what we do.
Pangloss Posted September 30, 2007 Author Posted September 30, 2007 can't you set up a proxy server to get around this anyway? This is one of the things I've been wondering. This company used to implement web site filtering, but it was very easy to get around it using proxy sites. They seemed to figure that out and eventually dropped the filtering. What I'm wondering is if new technology has come along that is impervious to filtering controls. In short, can they actually prevent someone from accessing Hotmail, Gmail, etc?
Cap'n Refsmmat Posted September 30, 2007 Posted September 30, 2007 Malware is most certainly on the rise now. The current trend is not the traditional virus that wipes your hard drive but botnets that use your computer to send spam, and some botnets are estimated to consist of several million computers.
swansont Posted September 30, 2007 Posted September 30, 2007 We've had webmail blocked for some time now.
Pangloss Posted October 1, 2007 Author Posted October 1, 2007 Do you know how they do it, swansont, or if it can be circumvented?
Cap'n Refsmmat Posted October 1, 2007 Posted October 1, 2007 If you use something like Gmail, just use https://mail.google.com instead. Secure sites cannot be filtered. However, this talk is in violation of our own rules and we'd probably better stop
swansont Posted October 1, 2007 Posted October 1, 2007 Do you know how they do it, swansont, or if it can be circumvented? Block list at the main firewall, I think. I suspect that you could route to it if you could connect to some other site first, that's on the outside. If you use something like Gmail, just use https://mail.google.com instead. Secure sites cannot be filtered. I don't think that's true. I get a message that https://blahblahblah can't be found (and not because it's not a real address ). https still goes to a URL, but out a different port, and you can still set up a control list AFAIK.
Pangloss Posted October 1, 2007 Author Posted October 1, 2007 I think you could stop *ALL* secure traffic by just blocking all https requests, couldn't you? That's interesting about addressing. I guess it makes sense, though -- you've still got to get DNS name resolution somehow.
Cap'n Refsmmat Posted October 1, 2007 Posted October 1, 2007 https:// requests, unless they decrypt them, don't reveal the website you're requesting. They may block IP addresses directly, since secure sites have to have their own unique IP.
1veedo Posted October 2, 2007 Posted October 2, 2007 https:// requests, unless they decrypt them, don't reveal the website you're requesting. They may block IP addresses directly, since secure sites have to have their own unique IP.ssh is the best way to go. It works like a proxy so the ip/domain isn't revealed AND all the data is encrypted.
Pangloss Posted October 4, 2007 Author Posted October 4, 2007 I know it doesn't reveal the destination address to the client, but surely it has to reveal it to the DNS server or you wouldn't be able to get address resolution and thereby reach the destination page. And since the first DNS server you typically contact is a local one, possibly owned by your employer, that suggests to me that a piece of software could interfere with that resolution at that time, based on a filter. But maybe I'm missing something here.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now