For years, I've been a fan of the internet filtering software Net Nanny. I'll explain why in a moment.
However I've just had to uninstall it, and I'm now looking for an alternative. (If you, personally, use something similar, please comment below with any recommendations of products to try or to avoid).
The problem relates to browsing certain sites that use SSL / TLS / https. I'll also, shortly, explain how that problem presents itself. The real purpose of this post is to explain exactly what the problem is and why it occurs. Searching the web for the error messages led me nowhere, and Net Nanny's technical support initially gave me conflicting explanations and advice. Only when I explained the problem to them did they say that this is a known issue. Why they didn't tell me that earlier, I'll never know. I'm hoping that writing up this review will help others who have found the same problem, but who have not found any explanation or solution.
I've had this problem with their software for about a year, but two changes in the internet (again - I'll get there) have meant that these problems are now presenting themselves more frequently. It's reached the point where the product is, sadly, unusable. TL;DR — use something else until they fix this.
Net Nanny — a great parental controls suite
The internet is a great place. It's also a place with dark corners, where dangers lurk. This presents a dilemma for the modern-day parent. We want our children to explore and become proficient in using the internet; we want to protect them from things that are scary, profane, violent, and abusive. If only we could set up their web browser so they could explore the safe areas of the internet happily, whilst being blocked from going onto the nastier areas of it.
Well, NetNanny is just such a piece of software. You can set it up very quickly if you wish. After installing, create an account for each member of the household that will use it. Give it the age of each person, and it will automatically set it up to block the most appropriate categories for them. If Net Nanny is installed on a computer, every user needs to have a Net Nanny account, because all internet traffic is screened. Any adults who don't wish to have filtering (although, given the software is running, may I suggest there are some categories you may wish to block yourself from?) can simply have an account that lets everything through.
If you wish, you can set things up with far more granular control:
- Each webpage is assigned one of about 30 categories by Net Nanny. For each account, you can decide which categories you'll allow through.
- In fact, for any category, as well as "allow" and "block" there's also a category of "warn", which means the end-user sees a warning but can click past it if they wish.
- You can choose to mask swear words within a webpage rather than blocking the entire page.
- You can whitelist particular sites for the whole family, but you can also assign individual domains to any of the given categories yourself. You can create custom categories (for example, I set one up for "video" sites, into which went things like YouTube and Vimeo), and then choose to block or allow them for individual family members.
- You can also control which hours of the day to allow web access for each person.
- If an end-user feels that a page has been incorrectly blocked, they can complete a simple form, which sends an email to the administrator to say so.
It is an extremely powerful suite. By and large, it simply works, even using the quick, out of the box, settings. Which is why it was a shame to hit these new problems.
What the problem is
With some websites that use https / SSL, you see an error when browsing with a computer that has Net Nanny installed. Note that the problem arises when Net Nanny is installed. If your user account is set to allow every website, you'll still get the error.
The error takes the form of a warning that the browser session is not secure.
Your connection is not private. Attackers might be trying to steal your information from www.example.com (for example, passwords, messages, or credit cards). ET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
Chrome gives you a "read more" link, but it doesn't shed much light on why you're having this problem. It doesn't point to the fact that Net Nanny is the culprit; in fact it suggests that the website may have their SSL incorrectly set up. You're being warned for your own protection.
You can get past the warning by clicking "Advanced" in Chrome, and telling Chrome to go to the webpage anyway. That's a bad idea for two reasons:
- It develops a mindset that security warnings are there to be ignored. They're not. Usually, a warning like that means exactly what it says. If you continue, your traffic is not securely encrypted. Don't train yourself to click past warnings like that. If you see that when you're browsing a website, your response should be to get out of there.
- It fails to distinguish what the problem is. If the problem is solely with Net Nanny's filtering, you would be OK to click past provided it doesn't become a reflex. If the problem was with the website, you would not be OK to click past. The warning doesn't tell you which is which. If you learn to click past warnings on a computer using Net Nanny, the day may come when you click past a warning that was actually about the website and not just about Net Nanny. Cue: The Boy who Cried Wolf.
The problem is actually more subtle. Sometimes, the main domain of the website is fine, but they use a different (sub-) domain for some other content which does get blocked. In this case, the secondary (sub-)domain gets blocked silently, and there's no "Advanced" link to click you past the problem:
- Remembering that Net Nanny is mainly about keeping children safe, some games websites use different (sub-)domains for the flash files that power games. The web page that loads fine, but the flash game silently doesn't work.
There are ways to work around these more subtle annoyances. But they're 5 or 10 clicks to do, and require some knowledge of the source code for a webpage and how to use Chrome Developer Tools. Even if you wanted to train your 4 year old to skip past browser security warnings, we're now beyond the technical abilities of a 4 year old.
So why are these warnings appearing? Well, it's all to do with how SSL works:
How SSL works, and why it makes filtering tricky
This is an extremely simplified explanation of what happens when you browse a webpage with the https protocol. Fuller explanations are available online if you're interested; I'll explain enough to explain the problem.
When you browser a normal webpage, that starts "http://", all the traffic between your browser and the web server is en clair, unencrypted, plain text. Web traffic needs routing, which means it passes through about 10 intermediate servers / routers on its way. At any point, conceivably, someone could have installed software to inspect the content of the traffic. What is sent to your browser could be read, and data you send to the server could be read. Most concerningly, the session cookies that authenticate you as a logged in user could be sniffed out, which would then allow someone else to browse that website using your login.
For this reason, where security matters, you want to have that traffic encrypted, so that only you and the web server can understand it. To do this, you use a website with "https://" instead. Here (remember, over-simplified) is what happens:
The web server sends your computer it's SSL certificate. This contains a key that will allow you and the web server to communicate in private.
The important thing is that the certificate is also signed. This is another piece of encrypted data that confirms who issued the certificate. Why do you need to know the issuer? Well:…
I could set up a fake server that claims to run Facebook. I'm hoping to trick your computer to visit my server instead of a real Facebook one, that you'll log in, and so I can steal your password. To do that, I could create myself a certificate to let you browse facebook.com. But I'd have to sign it myself. Your web browser won't trust my certificate, because it's not signed by someone trustworthy.
But what about the real facebook.com? How does your web browser know to trust its certificates? They get those certificates signed by a company who is trustworthy and who has verified that the request comes from the real Facebook. Their certificate is, maybe, signed by someone else. But sooner rather than later, you end up with one signed by a "root" certificate — one of only a small number of universally trusted certificates. Your operating system (Windows, MacOS, Linux, Android) comes with a preinstalled list of trusted "root certificates". Anything that can be traced back to these is OK.
SSL creates a challenge for filtering software like Net Nanny. Net Nanny sits between your operating system and the big wide internet. It is one of those packet sniffing tools that I just mentioned. Only this one is not malicious. It's on your computer, not some third party router, and it's there to perform a filtering function you want it to do. That's all fine for good ol' http:// websites. But https:// websites are encrypted by your web browser, and only the web server has the key to decrypt that traffic. Net Nanny will not be able to read any of your https:// traffic, which means it won't be able to filter it.
How Net Nanny filters SSL traffic
How does Net Nanny get round this problem?
The answer is, it installs itself as a proxy between you and the webserver. It runs a little process in the background on your computer, a bit like a mini web server. If your computer needs to access a website, it doesn't go to the website. It asks the Net Nanny proxy, which then asks the webserver, before passing the answer back.
This is technically called a "man in the middle". Usually, you want to avoid these. You want your encryption to be end-to-end. Only in this case, once again, you do want this. It's not some third party MITM attack; it's a piece of software you've installed to do some filtering. With SSL websites, however, Net Nanny can't simply sniff the packets of data passing between you and the internet. It actually has to decrypt them.
So, your browser makes a request, which it encrypts with (what it thinks is) the encryption key for the website your visiting. The Net Nanny proxy decrypts that request, and then encrypts it with (what really is) the encryption key for the website. The website then encrypts the response and sends it back to Net Nanny, which is able to decrypt it. Finally, having filtered, it re-encrypts the response to send it back to your browser.
The conversation between Net Nanny's proxy and the web server is easy. Net Nanny simply has to act like any other web browser on a computer that doesn't have filtering software. It requests the SSL certificate for the web server, checks that it's signed by someone trustworthy, and then uses the key it's been passed to encrypt the request, and finally uses that same key to decrypt the result.
The tricky bit is the traffic between the web browser and the Net Nanny proxy. And here is where things go wrong.
Traffic between the Web Browser and Net Nanny's proxy
The Net Nanny proxy has to give your browser an SSL certificate for the domain you're trying to browse. This certificate has to contain a public key that can be used to start the encrypted conversation. But it has to be a public key for which the Net Nanny proxy holds the private key, otherwise the proxy cannot hold that conversation. Only the website's server holds the private key that corresponds to the public key in their actual SSL certificate. It's called a private key for a reason. So Net Nanny cannot use the website's actual SSL certificate.
This means they have to create their own, and get it signed. If you've followed me thus far, you'll know this also presents a problem. No trusted certificate signer is going to sign their home-made certificate for, say, facebook.com. So they're going to have to sign their own certificate.
Again, if you've followed me, you'll anticipate the next problem. If they've self-signed their certificate, your browser won't trust it. … Unless you tell it to.
Remember your computer has a store of trusted root certificates? Each user profile in Chrome or Firefox also has a list of trusted root certificates. When you install Net Nanny, it adds their own certificate to the trusted certificates store for your web browser. That's the magic step that makes it all work. (Or not.) You can find the certificate they use at C:\Program Files\ContentWatch\ContentWatch Trusted Root Authority.pem. Sometimes, things go wrong, and Net Nanny Support get you to reinstall that certificate.
Why You get Browser Warnings
So what goes wrong?
There's one more concept to introduce, that of a cipher. To encrypt / decrypt data, you need two things: a cipher, and a pair of keys.
Think of the cipher as the machine that turns the en clair text into encrypted text, and back again. Think of the key as something you plug into the machine when you encrypt, so that the message can only be decrypted when the other key is in the machine. Some key pairs are symmetric (the same key is used to encrypt and decrypt), others are asymmetric (you need a public and a private key that match). Regardless, you need the cipher to do the actual work.
Not all ciphers are equally secure. Picture a fictitious cipher that only uses the first numeric digit in the key when it encrypts data. There would only be 10 truly different keys, and any computer could decrypt anything in at most ten attempts.
When a browser first starts a conversation with a web server about a possible https session, they discuss what ciphers might be used. They will try to find the most secure cipher that both browser and server can understand.
For certain websites (and I've never worked out why it's only some), the Net Nanny proxy (acting as the fake web server) only offers a certificate that has been signed using the encryption cipher SHA-1.
This cipher was OK back in the day. But now that computers have become more powerful, and now that weaknesses have been found in the SHA-1 algorithm, SHA-1 encryption can be cracked. In other words, if the certificate is signed using SHA-1, it's possible that someone malicious has faked the certificate's signature. So Chrome and Firefox, correctly, warn you that traffic using an SHA-1 certificate is insecure.
Sure enough, if you look in Chrome Developer Tools at the certificate that is triggering the warning, you'll see that it was issued by ContentWatch (the parent company for Net Nanny), and uses SHA-1 encryption.
Where exactly does the problem lie?
So, the problem lies within the Net Nanny proxy (and not with the website you're visiting). For some websites, it generates a certificate to allow it to communicate with your web browser. The certificate is signed by a "root" certificate that your computer has been told (by Net Nanny) that it can trust. But the certificate it presents is only an SHA-1 certificate. So a modern browser rejects it with the "certificate error" warning you get.
How can they solve it?
I don't know the details of how Net Nanny works, so I can't give a detailed solution. They need to issue SHA-256 certificates for every website for which they act as a proxy. They already do this for some websites, and I do not know enough about how it works to see why they cannot do it for all.
Why is this problem becoming more apparent now?
There are two recent developments that have made this problem a more frequent one.
First is the increased take-up of SSL. There is a move afoot, supported by Mozilla and Google, to get "https everywhere". Google have indicated that they will rank sites more highly in search results if the website uses https. I believe it has now reached the point where over 50% of web traffic takes place over https.
More SSL websites means more sites that present this problem. Go back two years, when only shopping-type websites really bothered with SSL, and the kinds of websites that most children would use never encountered this.
Second is the vulnerability of SHA-1. The flaw that makes SHA-1 insecure was only discovered in a way that is easily reproduced in February 2017. That led to website owners re-issuing their certificates not to use SHA-1. Browser developers gave a reasonable amount of time for website owners to do this, before releasing new versions that blocked sites using SHA-1 certificates.
So now we have the perfect storm: Lots of sites using SSL (which means more sites using SSL via an SHA-1 certificate through Net Nanny), and browsers actively rejecting those SHA-1 certificates.
Net Nanny is Content Watch's flagship product. But until this is fixed, it's unusable with the modern internet.
Over to you. What parental controls / filtering software have you found to work well? Does it work with, and filter, all https sites? Are there any that you've tried and would advise me to steer clear of?
Please use the comments below to make your suggestions.