Intro

Securly is a web-filtering and digital surveillance company that sells its services to schools. They have claimed that their services help to prevent school shootings and save lives. At the time of writing, they purport to have saved the lives of 1596 students who would have otherwise committed suicide.

Many schools embrace Securly’s services and will happily spend tens of thousands of dollars to install them on the devices that they issue to students. Many of these students remain unaware of the resultant privacy implications.

While these devices are mandatory for school use, Securly’s user experience sucks. It frequently blocks educational websites, such as Stack Overflow, which should not be subject to such restrictions. This issue persists despite the company’s use of supposedly “sophisticated AI”.

TLDR: Securly is a digital micromanagement service that compromises user experience.

Overview

Securly offers three filtering “solutions”, all of which can be circumvented without resorting to proxy websites.

The initial filtering solution involves a Chrome extension, which can be bypassed by creating a new browser profile or using a different browser. I’ve decompiled this extension for those interested in how it works.

The other two solutions, namely “Securly DNS: Selective Proxy Filtering” and “SmartPAC: Global Proxy Filtering”, rely on the device trusting Securly’s SSL certificate. These methods function as a MITM attack: rather than relying only on the trusted CAs that ship in the root store, the device is made to trust Securly’s CA and forwards web traffic through Securly’s proxy server. Because Securly controls that certificate, it can inspect all SSL/TLS traffic, including login credentials. While this is potentially alarming, they do whitelist well-known services from Google and Microsoft.
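To see which connections on a device are re-signed by an interception CA and which pass through untouched, you can compare the issuer of each site's certificate with one recorded on an unfiltered network. The sketch below is an added example, not code from the original post or from Securly; the hostnames, CA names and the helpers `make_cert`, `issuer_org`, `audit` and `fetch_cert` are assumptions made for illustration.

```python
import socket
import ssl

# Constructed baseline: issuer organization per host, recorded on a network
# that is not filtered. Hostnames and CA names are placeholders.
BASELINE = {
    "mail.example.com": "Example Public CA",
    "forum.example.org": "Another Public CA",
}

def make_cert(org, cn):
    """Build a constructed dict shaped like ssl.SSLSocket.getpeercert()."""
    return {"issuer": ((("countryName", "US"),),
                       (("organizationName", org),), (("commonName", cn),))}

# Constructed observations from the filtered device: one host passed through
# untouched (whitelisted), one re-signed by the proxy's CA.
OBSERVED = {
    "mail.example.com": make_cert("Example Public CA", "Example Public CA G2"),
    "forum.example.org": make_cert("Filter Vendor (constructed)", "Proxy CA"),
}

def issuer_org(cert):
    """Flatten the nested RDN tuples in cert['issuer'], return O or CN."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def audit(observed, baseline=BASELINE):
    """Map each host to 'unchanged', 'issuer-changed' or 'no-baseline'."""
    report = {}
    for host, cert in observed.items():
        expected = baseline.get(host)
        if expected is None:
            report[host] = "no-baseline"
        else:
            same = issuer_org(cert).casefold() == expected.casefold()
            report[host] = "unchanged" if same else "issuer-changed"
    return report

def fetch_cert(host, port=443, timeout=5.0):
    """Live use: handshake with the system trust store, return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host, verdict in audit(OBSERVED).items():
        print(f"{host}: {verdict} (issuer: {issuer_org(OBSERVED[host])})")
```

An `issuer-changed` result can also come from a site legitimately switching CAs, so refresh the baseline before drawing conclusions. If Python's trust store on the device does not include the proxy's CA, `fetch_cert` raises `ssl.SSLCertVerificationError`, which is itself a sign of interception.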

Bypassing

The fact that a device has Securly’s CA in its root store doesn’t mean its use is mandatory.

For example, we can use Python’s requests module to send a GET request to any website, irrespective of whether it’s blocked by Securly.

import requests

blocked_url = "http://unsafewebsite.com"  # a website that Securly always blocks
x = requests.get(blocked_url, verify=False)  # verify=False turns off certificate validation
print(x.text)  # prints the HTML of the blocked website

This demonstration hints that browsers can be configured to use the legitimate SSL certificates instead of Securly’s.

Firefox, with its dedicated certificate root store, is an ideal candidate for this purpose.

To be written…