Closed Cha835 closed 4 years ago
You would either need to embed a root CA certificate into the SEB config file, which is valid for all the machines with their individual "LightSpeed" certificates.
Or you generate an individual exam config file for each machine, with the embedded individual certificate.
https://safeexambrowser.org/windows/win_usermanual_en.html#NetworkPaneCertificatesSection
I don't care how long this LightSpeed solution exists and in how many places it is used, it's a highly unusual use case to use an individual SSL certificate for each machine. Maybe they had the glorious idea for this "security" measure before https was standard. I would recommend that company to come up with a security concept which doesn't break modern secure web standards...
Just to explain my comment about the unusual LightSpeed certificate further: Solutions which perform a Man-in-the-Middle (MITM) attack by using a custom root certificate to deceive web browsers into believing that the https network connection is untampered are not in any way acceptable nowadays. I know that many so-called "security solutions" started using such methods (including well known malware scanners from Kaspersky or Bitdefender), but in any of these cases it is a breach of the intended secure channel to any website protected by https, regardless of the intentions of the vendor of the "security solution".
We are strongly advising exam providers not to use any such MITM features and to communicate this to the vendors of such solutions. Maybe then those will stop breaking the security and privacy of their customers and work on better solutions, which actually increase security instead of potentially compromising it.
Can you please clarify what you mean by "You would either need to embed a root CA certificate into the SEB config file, which is valid for all the machines with their individual "LightSpeed" certificates"?
I don't know if that would even be possible (to use a common root CA certificate which is valid for all machines) but we won't extend support to unique SSL certificates for each machine, as we consider this an unusual use of https/SSL. As mentioned in my previous answer, you could implement this use case by generating an individual config file for each SEB client. If this is not feasible, you need to find a solution on the side of your security software. Btw., SEB 3.0 uses the Windows Certificate Store for root certificates by default (due to change of browser engine), so this issue might be solved in SEB 3.0 implicitly.
Description:
Dear reader,
We and our clients have been experiencing an issue with the safe exam browser platform for quite some time now and are hoping that you can assist us in resolving this problem. The main issue arises when attempting to integrate a critical piece of software that many of our clients utilise on a daily basis; that software is called Lightspeed.
Lightspeed is an imperative piece of software for educational institutions to have, as its main duties are to filter out inappropriate content for students while they are carrying out their daily tasks. Lightspeed software has been around since 1999 and is a huge player in the world of content filtering and has been recognized for its excellence by hundreds of educational bodies and general districts. As you can see from their success, many institutions rely on LightSpeed's software for safe and secure web browsing for students and staff alike.
Describe the Bug:
Once Lightspeed is installed on a machine it will then create an SSL certificate that is unique to that one machine. Once SEB is run on the computer, LightSpeed will then force the SEB browser to use its certificate as the root certificate, which will fail with the certification error that I have described below.
We wrote a program to incorporate the LightSpeed certificate (the certificate being unique to each machine it's installed onto) into the SEB file, enabling the LightSpeed certificate as a trustable root source. This endeavour worked as a temporary solution to the issue but only for a single instance on a machine. Clients of ours are requesting that multiple machines be able to run SEB using a single SEB configuration file that can be shared as a shortcut over the network, which at this time is not possible due to the issue above.
We would be grateful if you could look into the above issue at your earliest convenience and provide some guidance to a resolution.
Steps to Reproduce
To reproduce the problem on your machines, you will need to have the LightSpeed Software installed and then open SEB.
Expected Behavior
Expected the certificate to work without the use of an external program.
Screenshots
Screenshot showcasing the error we receive:
Version Information
Additional Context
Error message: "the certificate is not trusted because the issuer certificate is not known". This issue was occurring on multiple other PCs that attempted to replicate the issue.
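The two options in the maintainer's first reply (one embedded root CA for every machine, or one config file per machine) come down to whether the per-machine certificates validate against a single shared anchor. The following is an added example, not code from this thread, SEB or Lightspeed: it uses the `openssl` CLI on certificates constructed locally, with the hypothetical names `pc1` to `pc4` and `root`, and makes no claim about how Lightspeed actually issues its certificates.

```shell
#!/usr/bin/env bash
# Added demo. Every key and certificate here is constructed locally in a
# temp dir; pc1..pc4 and "root" are hypothetical names, not Lightspeed's.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate: stands in for a filter cert unique to one machine.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate for $1 issued by the CA $2 (which make_self_signed created).
make_issued() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Succeeds only if every listed certificate validates against one anchor,
# i.e. embedding that single anchor in a shared config would cover them all.
anchor_covers() {
  local anchor=$1 c; shift
  for c in "$@"; do
    openssl verify -CAfile "$WORK/$anchor.pem" "$WORK/$c.pem" \
      >/dev/null 2>&1 || return 1
  done
}

report() {  # report LABEL ANCHOR CERT...
  local label=$1; shift
  if anchor_covers "$@"; then echo "$label: one anchor covers all"
  else echo "$label: needs a per-machine anchor"; fi
}

# Case 1: each machine minted its own self-signed certificate.
make_self_signed pc1; make_self_signed pc2
report "independent self-signed" pc1 pc1 pc2

# Case 2: per-machine certificates issued under one shared root.
make_self_signed root; make_issued pc3 root; make_issued pc4 root
report "shared issuer" root pc3 pc4
```

Running the same `openssl verify -CAfile` check against certificates exported from two real machines tells you which of the two cases applies before deciding between a shared and a per-machine config file.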