Puffin Academy/ContactLog/2016-07-06

From Opendium Documentation

This message was sent to CloudMosa on 2016-07-06

We supply web filters to schools across the UK, some of whom are also using the Puffin Academy app. I note that you provide a list of IP addresses to allow through the firewall, but it would be preferable if schools did not need to add IP addresses (which may change from time to time) to their firewall.

I have analysed the network traffic from Puffin Academy and identified a couple of problems. I hope that you would consider adjusting the app to accommodate them, which would make things easier for your customers:

1. Some of the HTTPS connections created by the app contain "*.flashbrowser.com" as the Server Name Indication (SNI) in the TLS handshake. The SNI is required to match the name of the host it is contacting [RFC 3546], and since "*.flashbrowser.com" is not a valid host name (it contains a "*"), filtering systems often reject the connection as a potential security breach. This can be resolved by the app specifying the correct host name in the SNI rather than one containing a wildcard.

2. Schools increasingly use HTTPS interception in order to protect their students. Schools import their own certification authority certificate into the device's trusted certificate store so that software running on the device can still verify the trustworthiness of the intercepted connections. Unfortunately it appears that when Puffin Academy makes HTTPS connections, it does not verify them against the user defined certificates and therefore rejects them. It is possible for schools to exclude Puffin Academy's connections from being intercepted, but it would be preferable if they didn't have to do this.

Many thanks. If you have any questions, please let me know.