Why is the Wi-Fi wack?

Thomas Like, Staff Writer

As many students have noticed, there have been several changes to the school wifi. Many websites and applications appear to be blocked while using a personal device at school. However, in order to access the school WiFi without so many restrictions, you must install a root certificate on your personal device. By installing the root certificate on your personal device, you will be allowed  to access many of the “blocked” websites and applications.

We interviewed Tim Pritchett, MCCSC’s Director of Technology, about the WiFi changes at South.

Q: How do I get access to these “blocked” websites? 

A: For MCCSC owned devices, the content filter root certificate is distributed through the Information Services Department. For obvious reasons, we have no ability to distribute such a certificate to personally owned devices. The end user must install and trust manually. It can be downloaded while on the MCCSC network at https://abl-ckr01.mccsc.edu/ckroot/ckroot.crt

Q: How has the WiFi changed over the summer? 

A: No changes were made to WiFi at South over the summer. The changes occurred with a system upgrade at the content filter level. MCCSC, like all other school corporations accepting federal funding, is required to maintain a CIPA compliant content filter. This summer, MCCSC retired an aging content filter system and installed a new one. With any change like that, years of custom rules and tweaks on a platform have to be rebuilt under the new feature set in the upgraded system.

Q: Why were there changes made to the WiFi?

A: The content filter upgrade was made due to the aging infrastructure and operations of the old system.

Q: Why do websites seem to be blocked on the WiFi? 

A: Certain websites have always been blocked. As noted in the response above, when migrating to a new platform, custom rules have to be rebuilt on an as-needed basis. Each content filter vendor treats categorization differently. Content filtering occurs based on URL categories, not by someone manually visiting every website on the internet and deciding if it is good or bad. Students encountering blocked pages on resources they believe should be available can forward those concerns to a classroom teacher to deliver to the Information Services Department for review. Users encountering a “Your Connection is Not Secure” message on personally owned devices are actually not getting blocked. That is an error message noting that a content filter is in between the device’s connection and the internet but that the device doesn’t trust the content filter (see next response).

Q: What is a root certificate?

A: A root certificate is a public key certificate identifying a trust relationship with a certificate authority. https://en.wikipedia.org/wiki/Root_certificate

Q: Why do you need a root certificate?

A: A root certificate in this context creates a trusted relationship between the endpoint, your phone for example, and the box sitting in between it and the internet, the content filter. Most traffic passing through the content filter travels over https but is not decrypted. When visiting Wikipedia.com, for example, the traffic travels back and forth and the filter either says Wikipedia is an allowed site or it isn’t. When you get into search engines like Google, Yahoo, or YouTube, the sites are inherently allowed, but certain terms that could be searched and the image thumbnails that follow, for example, may not be allowed. Google used to allow redirection to a non-encrypted search term connection but they no longer do. In order to filter for search terms, the content filter has to decrypt the traffic and change it from gibberish to clear text for evaluation. This practice is seamless with the certificate installed on a device, but on a device without it, a warning is thrown essentially saying something is spying on your search terms. This is not false – the content filter is taking the package apart to see what terms were searched then reassembling it to send to Google or returning a block page if the discovered term is in a non-allowed category.