HTTPS Decryption FAQs

What is HTTPS Decryption?

Most websites are now encrypted, meaning that, by default, the filtering can only see the domain name (e.g. just www.bbc.co.uk or www.google.com) rather than the full URL (e.g. www.bbc.co.uk/news or www.google.com/search?q=search+terms).

To filter and report on not just the overall website, but the individual pages or search a user is on, the filter needs to decrypt and re-encrypt the session. This requires a certificate to be installed on every device so they can trust the filter. Once the certificate is installed and decryption is turned on in SchoolProtect, the filter will see the full URL details.

Why is it important?

HTTPS decryption is important for several reasons including:

It grants the ability to allow or block individual pages, or areas, of a website. This can be because pages are applied specific categories or if the school adds individual pages to allow/block lists.
It enhances reporting. You will be able to see greater detail on the dashboard and in reports. Of particular interest might be what students are searching.
The Embedded Content feature can allow specific content (e.g Vimeo videos or school-specific social media feeds) where it is embedded on a 'trusted' site such as the school website or educational resource without having to open up the whole platform.
When sites or pages are blocked, you will see the SchoolProtect block page explaining why it has been blocked rather than a browser error message.

Does decryption impact network security?

While decrypting secure traffic might sound like security is weakened, the opposite is true. When you decrypt, the filter can identify and block security threats that it otherwise wouldn't have been able to see.

The decrypted traffic never leaves the proxy server in LGfL's secure data centres. The traffic between the web server (on the internet) and our proxy servers is encrypted and the traffic between the proxy servers and the device in your school is encrypted.

Does decryption expose additional data risks?

The only data that is stored is the full URL and specific metadata (headers). The web page content, information you fill in on a form (like passwords) or files uploaded/downloaded are not stored.