PSI Secure Browser/ContactLog/2022-03-24

From Opendium Documentation

This message was sent to PSI on 2022-03-24

We are an online safety supplier to British schools, providing web filtering and firewalling systems. We have a number of customers who use your PSI Secure Browser software to deliver exams.

The schools have a statutory requirement to do appropriate filtering and monitoring of their internet connections. Unfortunately they have been provided with very little information regarding firewalling / filtering changes needed to allow PSI Secure Browser to work on their networks.

There is a whitelist available here: https://helpdesk.psionline.com/hc/en-gb/articles/360055813952-RPNow-List-of-Websites-to-Whitelist-on-your-Anti-Virus-Applications

Unfortunately this whitelist is not comprehensive (PSI Secure Browser appears to require access to a number of other hosts which are not listed on that website).

The whitelist also recommends whitelisting _all_ content which is hosted through Amazon AWS. Amazon AWS hosts an enormous amount of content for all manner of organisations, including content which is unsafe, and it would be negligent of us to recommend that a school whitelists such a large proportion of the internet.

Whilst a network test service is available (https://systemcheck.rpexams.com/), this does not appear to comprehensively test all of the requirements for the exams, and we therefore have numerous cases of schools believing that everything is set up to work and then only discovering that it doesn't work when the exam starts. There does not seem to be a way to comprehensively test that PSI Secure Browser will work for an exam until the exam is actually in progress.

Last year we spent a considerable amount of time working with our customers to resolve problems with PSI Secure Browser as and when they occurred. In particular we identified a serious bug with the browser and were able to work around it (see below for more detail on this). However, this year our customers are again finding themselves in the same position - despite successfully using PSI Secure Browser last year, some backend things have presumably changed and they are finding that, once again, when an exam starts PSI Secure Browser frequently does not work on their network.

I am writing to you in the hope that we can open a dialogue to work through the technical requirements of PSI Secure Browser in order to ensure that schools are able to successfully provide their exams and that the students do not continue to be adversely impacted.

I look forward to your response. In the meantime, there are details below regarding the bug that we discovered last year:

BACKGROUND

In order to comply with the UK Safer Internet Centre's "Appropriate Filtering" guidelines, UK schools must be able to identify users in order to apply age-appropriate filtering and for safeguarding reports to be able to alert staff as to which students may require safeguarding intervention.

Our systems utilise industry standard protocols to authenticate users: web requests made via the web proxy are initially rejected with a "407 Proxy Authentication Required" response. The user's software then authenticates with the web proxy using Kerberos single sign-on authentication.

PROBLEM

PSI Secure Browser sends CONNECT requests through the web proxy and receives the "407 Proxy Authentication Required" response. It successfully authenticates with the web proxy and the connection is established. However, PSI Secure Browser then appears to remain in a broken state indefinitely whereby it cannot actually use the established connection for HTTPS traffic.

WORKAROUND

We have disabled proxy authentication for any browser which presents a User-Agent header containing the string "psi-secure-browser". However, it would obviously be preferable for this bug to be properly fixed in PSI Secure Browser.


Many thanks.
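
The workaround described in the message above, sketched as proxy-side decision logic. This is an added example, not Opendium's or PSI's code; the `Negotiate` scheme, the case-insensitive match, the `exempt_hosts` parameter, the function names and the sample requests are assumptions constructed for illustration.

```python
EXEMPT_UA = "psi-secure-browser"   # substring quoted in the message above
CHALLENGE = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Negotiate\r\n"   # assumed scheme for Kerberos SSO
             b"Content-Length: 0\r\n\r\n")

def parse_head(raw):
    """Split a proxy request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def decide(raw, exempt_hosts=None):
    """Return (action, response_bytes_or_None).

    "bypass": exempt User-Agent, request passes without authentication.
    "verify": credentials present, hand them to the Kerberos verifier.
    "challenge": send the 407 response.
    exempt_hosts is a hypothetical tightening, not described in the message:
    when given, the exemption applies only to destinations in that set,
    because the User-Agent header is chosen by the client.
    """
    method, target, headers = parse_head(raw)
    dest = target if method == "CONNECT" else headers.get("host", "")
    host = dest.rsplit(":", 1)[0].lower()
    # Case-insensitive substring match is an assumption of this example.
    if EXEMPT_UA in headers.get("user-agent", "").lower():
        if exempt_hosts is None or host in exempt_hosts:
            return "bypass", None
    if headers.get("proxy-authorization", "").lower().startswith("negotiate "):
        return "verify", None
    return "challenge", CHALLENGE

# Constructed sample requests (hosts and token are placeholders).
PSI = (b"CONNECT exam.example:443 HTTP/1.1\r\nHost: exam.example:443\r\n"
       b"User-Agent: Mozilla/5.0 psi-secure-browser/1.0\r\n\r\n")
OTHER = (b"CONNECT www.example:443 HTTP/1.1\r\nHost: www.example:443\r\n"
         b"User-Agent: Mozilla/5.0\r\n\r\n")
AUTHED = OTHER.replace(
    b"\r\n\r\n", b"\r\nProxy-Authorization: Negotiate YIIconstructed\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("PSI", PSI), ("OTHER", OTHER), ("AUTHED", AUTHED)):
        print(name, decide(req)[0])
```

With `exempt_hosts` left as `None` the function matches the workaround as written; passing a set of exam hosts keeps filtering and user identification in force for every other destination.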