Puffin Academy/ContactLog/2016-07-06 - Revision history

Steve at 15:05, 13 October 2022

2022-10-13T15:05:34Z

← Older revision		Revision as of 16:05, 13 October 2022
Line 1:		Line 1:
	{{Contact Log\|date=2016-07-06\|direction=sent}}		{{Contact Log\|vendor=CloudMosa\|date=2016-07-06\|direction=sent}}

	We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.		We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.
Line 7:		Line 7:
	1. Some of the HTTPS connections created by the app contain ".flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since ".flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.		1. Some of the HTTPS connections created by the app contain ".flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since ".flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.

	2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.		2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.

	Many thanks. If you have any questions, please let me know.		Many thanks. If you have any questions, please let me know.

Steve at 14:47, 13 October 2022

2022-10-13T14:47:00Z

← Older revision		Revision as of 15:47, 13 October 2022
Line 1:		Line 1:
			{{Contact Log\|date=2016-07-06\|direction=sent}}

	We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.		We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.

	I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, which would make things easier for your customers:		I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, which would make things easier for your customers:

	1. Some of the HTTPS connections created by the app contain ".flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since ".flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.		1. Some of the HTTPS connections created by the app contain ".flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since ".flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.

	2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.		2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.

	Many thanks. If you have any questions, please let me know.		Many thanks. If you have any questions, please let me know.

Steve: Created page with " We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall. I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, wh..."

2022-10-13T14:44:29Z

Created page with " We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall. I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, wh..."

New page

We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.

I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, which would make things easier for your customers:

1. Some of the HTTPS connections created by the app contain "*.flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since "*.flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.

2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.

Many thanks. If you have any questions, please let me know.