Connection not private warnings with Net Nanny

Thu, 08/02/2018 - 13:11 -- James Oakley
Net Nanny and SSL

For years, I've been a fan of the internet filtering software Net Nanny. I'll explain why in a moment.

However, I've just had to uninstall it, and I'm now looking for an alternative. (If you, personally, use something similar, please comment below with any recommendations of products to try or to avoid.)

The problem relates to browsing certain sites that use SSL / TLS / https. I'll also, shortly, explain how that problem presents itself. The real purpose of this post is to explain exactly what the problem is and why it occurs. Searching the web for the error messages led me nowhere, and Net Nanny's technical support initially gave me conflicting explanations and advice. Only when I explained the problem to them did they say that this is a known issue. Why they didn't tell me that earlier, I'll never know. I'm hoping that writing up this review will help others who have found the same problem, but who have not found any explanation or solution.

I've had this problem with their software for about a year, but two changes in the internet (again - I'll get there) have meant that these problems are now presenting themselves more frequently. It's reached the point where the product is, sadly, unusable. TL;DR — use something else until they fix this.

Net Nanny — a great parental controls suite

The internet is a great place. It's also a place with dark corners, where dangers lurk. This presents a dilemma for the modern-day parent. We want our children to explore and become proficient in using the internet; we want to protect them from things that are scary, profane, violent, and abusive. If only we could set up their web browser so they could explore the safe areas of the internet happily, whilst being blocked from going onto the nastier areas of it.

Well, NetNanny is just such a piece of software. You can set it up very quickly if you wish. After installing, create an account for each member of the household that will use it. Give it the age of each person, and it will automatically set it up to block the most appropriate categories for them. If Net Nanny is installed on a computer, every user needs to have a Net Nanny account, because all internet traffic is screened. Any adults who don't wish to have filtering (although, given the software is running, may I suggest there are some categories you may wish to block yourself from?) can simply have an account that lets everything through.

If you wish, you can set things up with far more granular control:

  • Each webpage is assigned one of about 30 categories by Net Nanny. For each account, you can decide which categories you'll allow through.
  • In fact, for any category, as well as "allow" and "block" there's also a category of "warn", which means the end-user sees a warning but can click past it if they wish.
  • You can choose to mask swear words within a webpage rather than blocking the entire page.
  • You can whitelist particular sites for the whole family, but you can also assign individual domains to any of the given categories yourself. You can create custom categories (for example, I set one up for "video" sites, into which went things like YouTube and Vimeo), and then choose to block or allow them for individual family members.
  • You can also control which hours of the day to allow web access for each person.
  • If an end-user feels that a page has been incorrectly blocked, they can complete a simple form, which sends an email to the administrator to say so.

It is an extremely powerful suite. By and large, it simply works, even using the quick, out of the box, settings. Which is why it was a shame to hit these new problems.

What the problem is

With some websites that use https / SSL, you see an error when browsing with a computer that has Net Nanny installed. Note that the problem arises when Net Nanny is installed. If your user account is set to allow every website, you'll still get the error.

The error takes the form of a warning that the browser session is not secure.

Your connection is not private. Attackers might be trying to steal your information from www.example.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

A certificate warning in your browser

Chrome gives you a "read more" link, but it doesn't shed much light on why you're having this problem. It doesn't point to the fact that Net Nanny is the culprit; in fact it suggests that the website may have its SSL incorrectly set up. You're being warned for your own protection.

You can get past the warning by clicking "Advanced" in Chrome, and telling Chrome to go to the webpage anyway. That's a bad idea for two reasons:

  1. It develops a mindset that security warnings are there to be ignored. They're not. Usually, a warning like that means exactly what it says. If you continue, your traffic is not securely encrypted. Don't train yourself to click past warnings like that. If you see that when you're browsing a website, your response should be to get out of there.
  2. It fails to distinguish what the problem is. If the problem is solely with Net Nanny's filtering, you would be OK to click past provided it doesn't become a reflex. If the problem was with the website, you would not be OK to click past. The warning doesn't tell you which is which. If you learn to click past warnings on a computer using Net Nanny, the day may come when you click past a warning that was actually about the website and not just about Net Nanny. Cue: The Boy who Cried Wolf.

The problem is actually more subtle. Sometimes, the main domain of the website is fine, but they use a different (sub-) domain for some other content which does get blocked. In this case, the secondary (sub-)domain gets blocked silently, and there's no "Advanced" link to click you past the problem:

  • This may affect resources like images, CSS files (which control how a webpage appears) and JavaScript (which makes login and "add to cart" buttons work). This makes the whole webpage look wrong. Think: Everything in Times New Roman, just laid out black text on a white background, each item below the one above in an identical font size, and no buttons or links work.
  • Remembering that Net Nanny is mainly about keeping children safe, some games websites use different (sub-)domains for the flash files that power games. The web page itself loads fine, but the flash game silently doesn't work.
  • Other times, it's more annoying if you're trying to work. Most lately, we found that Office 365 online email loaded the list of messages, but the AJAX command to open a message when you click on its subject didn't work. It turns out this relied on some JavaScript in a blocked resource.

There are ways to work around these more subtle annoyances. But they're 5 or 10 clicks to do, and require some knowledge of the source code for a webpage and how to use Chrome Developer Tools. Even if you wanted to train your 4 year old to skip past browser security warnings, we're now beyond the technical abilities of a 4 year old.

So why are these warnings appearing? Well, it's all to do with how SSL works:

How SSL works, and why it makes filtering tricky

This is an extremely simplified explanation of what happens when you browse a webpage with the https protocol. Fuller explanations are available online if you're interested; I'll explain enough to explain the problem.

When you browse a normal webpage, one that starts "http://", all the traffic between your browser and the web server is en clair: unencrypted, plain text. Web traffic needs routing, which means it passes through about 10 intermediate servers / routers on its way. At any point, conceivably, someone could have installed software to inspect the content of the traffic. What is sent to your browser could be read, and data you send to the server could be read. Most concerningly, the session cookies that authenticate you as a logged in user could be sniffed out, which would then allow someone else to browse that website using your login.

For this reason, where security matters, you want to have that traffic encrypted, so that only you and the web server can understand it. To do this, you use a website with "https://" instead. Here (remember, over-simplified) is what happens:

The web server sends your computer its SSL certificate. This contains a (public) key that will allow you and the web server to communicate in private.

The important thing is that the certificate is also signed. This is another piece of encrypted data that confirms who issued the certificate. Why do you need to know the issuer? Well:…

I could set up a fake server that claims to run Facebook. I'm hoping to trick your computer to visit my server instead of a real Facebook one, that you'll log in, and so I can steal your password. To do that, I could create myself a certificate to let you browse facebook.com. But I'd have to sign it myself. Your web browser won't trust my certificate, because it's not signed by someone trustworthy.

But what about the real facebook.com? How does your web browser know to trust its certificates? They get those certificates signed by a company who is trustworthy and who has verified that the request comes from the real Facebook. Their certificate is, maybe, signed by someone else. But sooner rather than later, you end up with one signed by a "root" certificate — one of only a small number of universally trusted certificates. Your operating system (Windows, MacOS, Linux, Android) comes with a preinstalled list of trusted "root certificates". Anything that can be traced back to these is OK.

SSL creates a challenge for filtering software like Net Nanny. Net Nanny sits between your operating system and the big wide internet. It is one of those packet sniffing tools that I just mentioned. Only this one is not malicious. It's on your computer, not some third party router, and it's there to perform a filtering function you want it to do. That's all fine for good ol' http:// websites. But https:// websites are encrypted by your web browser, and only the web server has the key to decrypt that traffic. Net Nanny will not be able to read any of your https:// traffic, which means it won't be able to filter it.

How Net Nanny filters SSL traffic

How does Net Nanny get round this problem?

The answer is, it installs itself as a proxy between you and the webserver. It runs a little process in the background on your computer, a bit like a mini web server. If your computer needs to access a website, it doesn't go to the website. It asks the Net Nanny proxy, which then asks the webserver, before passing the answer back.

Passing on the request as a proxy

This is technically called a "man in the middle". Usually, you want to avoid these. You want your encryption to be end-to-end. Only in this case, once again, you do want this. It's not some third party MITM attack; it's a piece of software you've installed to do some filtering. With SSL websites, however, Net Nanny can't simply sniff the packets of data passing between you and the internet. It actually has to decrypt them.

Net Nanny handling encrypted traffic as a proxy

So, your browser makes a request, which it encrypts with (what it thinks is) the encryption key for the website you're visiting. The Net Nanny proxy decrypts that request, and then encrypts it with (what really is) the encryption key for the website. The website then encrypts the response and sends it back to Net Nanny, which is able to decrypt it. Finally, having filtered, it re-encrypts the response to send it back to your browser.

The conversation between Net Nanny's proxy and the web server is easy. Net Nanny simply has to act like any other web browser on a computer that doesn't have filtering software. It requests the SSL certificate for the web server, checks that it's signed by someone trustworthy, and then uses the key it's been passed to encrypt the request, and finally uses that same key to decrypt the result.

The tricky bit is the traffic between the web browser and the Net Nanny proxy. And here is where things go wrong.

Traffic between the Web Browser and Net Nanny's proxy

The Net Nanny proxy has to give your browser an SSL certificate for the domain you're trying to browse. This certificate has to contain a public key that can be used to start the encrypted conversation. But it has to be a public key for which the Net Nanny proxy holds the private key, otherwise the proxy cannot hold that conversation. Only the website's server holds the private key that corresponds to the public key in their actual SSL certificate. It's called a private key for a reason. So Net Nanny cannot use the website's actual SSL certificate.

This means they have to create their own, and get it signed. If you've followed me thus far, you'll know this also presents a problem. No trusted certificate signer is going to sign their home-made certificate for, say, facebook.com. So they're going to have to sign their own certificate.

Again, if you've followed me, you'll anticipate the next problem. If they've self-signed their certificate, your browser won't trust it. … Unless you tell it to.

Remember your computer has a store of trusted root certificates? Each user profile in Chrome or Firefox also has a list of trusted root certificates. When you install Net Nanny, it adds their own certificate to the trusted certificates store for your web browser. That's the magic step that makes it all work. (Or not.) You can find the certificate they use at C:\Program Files\ContentWatch\ContentWatch Trusted Root Authority.pem. Sometimes, things go wrong, and Net Nanny Support get you to reinstall that certificate.

Why you get browser warnings

So what goes wrong?

There's one more concept to introduce, that of a cipher. To encrypt / decrypt data, you need two things: a cipher, and a pair of keys.

Think of the cipher as the machine that turns the en clair text into encrypted text, and back again. Think of the key as something you plug into the machine when you encrypt, so that the message can only be decrypted when the matching key is in the machine. Some ciphers are symmetric (the same key is used to encrypt and decrypt), others are asymmetric (you need a public and a private key that match). Regardless, you need the cipher to do the actual work.

Not all ciphers are equally secure. Picture a fictitious cipher that only uses the first numeric digit in the key when it encrypts data. There would only be 10 truly different keys, and any computer could decrypt anything in at most ten attempts.

When a browser first starts a conversation with a web server about a possible https session, they discuss what ciphers might be used. They will try to find the most secure cipher that both browser and server can understand.

For certain websites (and I've never worked out why it's only some), the Net Nanny proxy (acting as the fake web server) only offers a certificate whose signature was made using the SHA-1 hash algorithm.

Net Nanny only offers an SHA-1 certificate

This algorithm was OK back in the day. But now that computers have become more powerful, and now that practical weaknesses (collisions) have been found in SHA-1, a SHA-1 signature can no longer be relied upon. In other words, if the certificate is signed using SHA-1, it's possible that someone malicious has faked the certificate's signature. So Chrome and Firefox, correctly, warn you that traffic using an SHA-1 certificate is insecure.

Net Nanny's SHA-1 certificate triggers a browser error

Sure enough, if you look in Chrome Developer Tools at the certificate that is triggering the warning, you'll see that it was issued by ContentWatch (the parent company for Net Nanny), and is signed with SHA-1.

Where exactly does the problem lie?

So, the problem lies within the Net Nanny proxy (and not with the website you're visiting). For some websites, it generates a certificate to allow it to communicate with your web browser. The certificate is signed by a "root" certificate that your computer has been told (by Net Nanny) that it can trust. But the certificate it presents is only an SHA-1 certificate. So a modern browser rejects it with the "certificate error" warning you get.
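To make the browser's side of this concrete, here is an added example (my own illustration, not Net Nanny's or ContentWatch's code) that does what the chain verifier does when it raises ERR_CERT_WEAK_SIGNATURE_ALGORITHM: it walks the outer DER structure of an X.509 certificate, pulls out the signatureAlgorithm OID, and classifies it. The two sample certificates are constructed skeletons (empty tbsCertificate, dummy signature) so the check runs offline; `check_presented_cert` is an assumed helper name that applies the same check to whatever certificate a live endpoint, or a proxy standing in for it, presents.

```python
import socket
import ssl

# Signature-algorithm OIDs grouped the way a browser's chain verifier treats them.
WEAK_SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG_ALGS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Raw OBJECT IDENTIFIER contents -> dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate is not a DER SEQUENCE"
    _, _tbs, pos = _read_tlv(body, 0)      # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)     # signatureAlgorithm ::= SEQUENCE { OID, params }
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    assert tag == 0x06, "expected an OBJECT IDENTIFIER"
    return _decode_oid(oid_bytes)


def classify_signature(cert_der):
    """Return (algorithm name, verdict) with verdict 'weak', 'ok' or 'unknown'."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIG_ALGS:
        return WEAK_SIG_ALGS[oid], "weak"
    if oid in STRONG_SIG_ALGS:
        return STRONG_SIG_ALGS[oid], "ok"
    return oid, "unknown"


def check_presented_cert(host, port=443):
    """Classify the certificate the far end (real site or filtering proxy) presents.
    Verification is disabled only so the certificate can be inspected; nothing is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify_signature(tls.getpeercert(binary_form=True))


# Constructed sample input: certificate-shaped DER (empty tbsCertificate, dummy
# signatureValue), enough outer structure for the walker above.
def _der(tag, content):
    assert len(content) < 0x80  # short-form lengths suffice for these samples
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return out


def fake_cert_signed_with(oid):
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))  # AlgorithmIdentifier
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))


SHA1_CERT = fake_cert_signed_with("1.2.840.113549.1.1.5")    # what the proxy presents
SHA256_CERT = fake_cert_signed_with("1.2.840.113549.1.1.11")  # what it should present
```

Running `check_presented_cert("www.example.com")` on a machine with the proxy active versus one without shows whether the "weak" verdict comes from the proxy's re-issued certificate or from the site itself.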

How can they solve it?

I don't know the details of how Net Nanny works, so I can't give a detailed solution. They need to issue SHA-256 certificates for every website for which they act as a proxy. They already do this for some websites, and I do not know enough about how it works to see why they cannot do it for all.

Why is this problem becoming more apparent now?

There are two recent developments that have made this problem a more frequent one.

First is the increased take-up of SSL. There is a move afoot, supported by Mozilla and Google, to get "https everywhere". Google have indicated that they will rank sites more highly in search results if the website uses https. I believe it has now reached the point where over 50% of web traffic takes place over https.

More SSL websites means more sites that present this problem. Go back two years, when only shopping-type websites really bothered with SSL, and the kinds of websites that most children would use never encountered this.

Second is the vulnerability of SHA-1. The flaw that makes SHA-1 insecure was only demonstrated in an easily reproducible way in February 2017. That led to website owners re-issuing their certificates so that they no longer use SHA-1. Browser developers gave a reasonable amount of time for website owners to do this, before releasing new versions that blocked sites using SHA-1 certificates.

So now we have the perfect storm: Lots of sites using SSL (which means more sites using SSL via an SHA-1 certificate through Net Nanny), and browsers actively rejecting those SHA-1 certificates.

Net Nanny is ContentWatch's flagship product. But until this is fixed, it's unusable with the modern internet.

Recommendations?

Over to you. What parental controls / filtering software have you found to work well? Does it work with, and filter, all https sites? Are there any that you've tried and would advise me to steer clear of?

Please use the comments below to make your suggestions.


Comments

Submitted by David Nance on

I've had the same issue with Net Nanny, and your article helped me to realize that it was the problem! I use Covenant Eyes now (replaced it with Net Nanny, now I'm going back to it). I've never had issues with blocked SSL sites with Covenant eyes, but it can have issues manually blocking https sites (some, not all): it will block the site if it detects something objectionable, but not from the block list. To circumvent this, I block the unblocked sites using the 'hosts' file, then block the 'hosts' file folder using 'folder guard'. It's a complex combo, but it works. Covenant Eyes is the best of the best, despite the expense, and it seems able to adapt to the new internet.

Please email me if you have a question! I'm no expert, but I've got a system that works.

Submitted by James Oakley on

It's very helpful to have a suggested alternative; I'll look into Covenant Eyes.

Submitted by James Oakley on

Thanks for that link

Sadly, it doesn't solve it. That page describes how to import, manually, Net Nanny's root certificate into the trusted certificate store for Firefox. That is something that the Net Nanny installer already does, but sometimes it gets removed and those steps need following. I actually mentioned that in my main post:

Remember your computer has a store of trusted root certificates? Each user profile in Chrome or Firefox also has a list of trusted root certificates. When you install Net Nanny, it adds their own certificate to the trusted certificates store for your web browser. That's the magic step that makes it all work. (Or not.) You can find the certificate they use at C:\Program Files\ContentWatch\ContentWatch Trusted Root Authority.pem. Sometimes, things go wrong, and Net Nanny Support get you to reinstall that certificate.

If that alone solves your problem, then great! It didn't for me, because the problem was not the certificate but the cipher used by the proxy to re-encrypt the SSL traffic as it is passed to the browser.


Submitted by Lisa Hawkins on

I'm considering Net Nanny with a two week trial and found the same problem.  But when I went into my user settings, I discovered that there's an option to toggle off "Filter secure content (SSL/TLS)."  It's under "Additional Settings."

Submitted by James Oakley on

Yes, if you choose that option (i.e., if you chose to turn off "filter secure content"), the problem goes away. The reason it goes away is that it stops filtering https traffic, and only http (non-secured) pageviews get filtered. That means any child of any age could visit any site that was https, without NetNanny applying any of its filtering rules (including domain blacklists).

That was always risky. It's now very risky, because there's a push to have all websites use https. Chrome's next release, in a few weeks time, will mark as "insecure" sites that still use http. So if you "solve" the problem by turning off https filtering, you'll soon be bypassing the filtering system for the vast majority of traffic.

Submitted by Lisa Hawkins on

Hi James,

Well, that definitely sounds crazy, if I'm reading you right.  If I install NN, and then toggle off the 'filter secure content' that means essentially that the very reason why I installed NN is undone?  Is it really the same as simply uninstalling the program?   I'm going to also contact NN and see what the deal is with this, and I'll report back here what I find.

We used Covenant Eyes for years, but it caused me, the primary user of the computer, no end of trouble.  I work online and CE would randomly and frequently block sites that made no sense to block, like my Blackboard accounts.  I also had to wait forever when turning on my computer for it to start up, crash, and start up again. Regular calls to CE and reinstalling new versions didn't seem to help.  But in fairness, this problem doesn't show up on our other Windows 10 computers (laptops), so that's still a mystery.  With CE, if I need to, you know, WORK, I had to go through the process of uninstalling and restarting and then remembering to install again.  With NN, I have the option to disable, which I love.  I am REALLY hoping that NN can work for me, so I'll pursue this and get back to you if I discover anything.  

Thanks, by the way, for taking the time to write such a helpful and well-written page.

Submitted by James Oakley on

Yes, it's crazy. The history of this with NN was:

  • Offer filtering only of http pages. https can't be filtered, because NN can't analyse traffic that's encrypted
  • NN invents a way to get round this, by having NN itself decrypt the webpages as they come through, analyse them, and if they're allowed re-encrypt before passing to the computer. (This is done by having NN install its own root certificate, as I've documented in this post)
  • Security analysts discover flaws in some of the earlier cryptographic algorithms. These are fixed, and the fix relies on websites only to allow the newer, safe, methods of encrypting.
  • Eventually, browser developers block the insecure ones. The problem is that, for some reason, NN re-encrypts with insecure cyphers on some websites. Those browsers that block those insecure cyphers therefore block NN-filtered traffic from those sites.

And that's where we're stuck. I opened my first ticket with NN about this well over a year ago. With the increasing take-up of https for all sites, NN was becoming unusable. So I disabled it in February, then never renewed it in April. A fresh ticket got them, finally, to admit the problem, but they never solved it. From what you're saying, they still haven't. This is a critical flaw at the core of their core product, so I don't know why they haven't pushed this to the top of the pile.

Anyway: I'm glad you found my post helpful! :-). Keep in touch if / when you get anywhere with their support people.

Submitted by Lisa Hawkins on

I talked with Net Nanny Tech Support, trying my best to sound like I knew what I was talking about so we could hop over the "Did you try uninstalling and reinstalling?" phase. I was told that the problem was a conflict between my antivirus and Net Nanny, and if I turned off the web shield of the antivirus, all would be well. I knew this wasn't the case (both because of your tutelage above and my own former troubles with CE when I was also told that a similar problem was the antivirus). I asked him if, when I toggled off the "Filter secure content," I would still get reports of bad places visited, and he said No. Just to confirm, I asked him if toggling that off were the same functional thing as either disabling or uninstalling the program, and he said, "Yes." This is odd to me, since in Net Nanny's Questions Portal, they encourage people to toggle that off if they run into the sorts of trouble we've been running into, without ANY warning of the repercussions.

Anyway, I disabled the antivirus like he said, rebooted the computer for good measure, and you'll never guess... (cue sarcasm): it didn't make any difference.  I still couldn't get on my work site, or that den of danger, National Public Radio.

Back to the drawing board.  For my purposes, accountability is more important than filtering, since this is primarily being used for adults who want help and oversight with their temptations, rather than children who might stumble somewhere unknowingly.  

Submitted by John Mark on

Thank you for taking the time to explain these issues with Net Nanny. I have used the software for years but it is now practically useless. I did contact tech support and they told me that they were aware of the issue:

"We were able to replicate the issue on our end with the same site. We apologize for the issue you have experienced. I have had our support group look into this and they are not able to determine what is causing the issue.  In order to find out we would need the help of our development team, but unfortunately they are working on an extremely high priority project and I will not be able to have any one look into this for some time.


[When replying to this message, please include all previous correspondence with us. This will help us to serve you better. Thank you.]


M... U...

Customer Service Team Lead"

I would appreciate updates on this or alternatives.

Mac Pro High Sierra Chrome

Submitted by James Oakley on

Yep - that bottom line was the same one I reached with them once they finally admitted the problem. That was 5 months ago. I simply replied to point out that the project really did need to be a high priority, to take precedence over something that was increasingly going to render their flagship product useless. Meanwhile, the proportion of sites using https continues to rise, and their developers are still working on a higher priority matter.

Hopefully someone will post here once there is progress to report.

Submitted by Sheridan on

Has anyone had any experience with Mobicip?  I've run into the Net Nanny issue after upgrading to High Sierra, and I'm wondering if Mobicip would be a good replacement.  I looked at Covenant Eyes, and it doesn't block porn sites, it just monitors and reports internet activity to an accountability partner that you choose.  My kiddos are young enough that I don't want them stumbling onto something they can't unsee.  

Submitted by James Oakley on

Thanks - that's a new one for me. If you try it out, please come back here and let us all know how you get on. Or if someone else reading this has used it, please add your comments.
