School Tricks Pupils Into Installing a Root CA 417
First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."
Re:In their defence. (Score:5, Insightful)
How about actually, you know, paying attention to what the kids in class are doing?
I don't really understand why every time a new technology comes along people think there needs to be new rules. Pornography and inappropriate images were not invented along with the internet. I can remember back when somebody would raid their fathers stash of playboys and bring one into school, and kids would be huddled around it. And, guess what, if a teacher or parents saw all these kids obviously up to no good, they would come over, and there would be hell to pay. Which still didn't stop kids from looking at pornography or doing dirty things.
Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.
Re:yeah. (Score:4, Insightful)
That's all and good and all, but I think disclosing the information would be preferable so that little conspiracies about doom and gloom didn't come from the discovery of it.
In other words, if there was a valid reason, then it shouldn't be a secret. It should be a valid reason and disclosed in some obvious way.
Re:Probably not Illegal. (Score:5, Insightful)
This is the UK, totally different wiretap law - this doesn't breach it, its their network and they can intercept what they wish.
Re:It's a ROOT CA they can sign anything (Score:5, Insightful)
Your understanding of what is required is a little off - the root CA holder can indeed "retroactively" sign any certificate they want, and your browser would merrily accept such a signed alternative cert without raising any errors because it would never see the original cert. The very act of installing the root CA in the browser allows them to completely replace any other cert signed by any root CA and not cause errors to occur. The only opportunity they would have however to do this would be if they were proxying the traffic between you and the internet.
Re:In their defence. (Score:5, Insightful)
Don't be quite so complacent in what you think students CAN'T do, especially saying "far beyond what students can do". When I was 16 I was writing assembly language competently, if I were 16 now, I would be (successfully) finding ways to tunnel stuff through normal HTTP traffic via a machine outside the network (it's not hard, certainly easier than learning asm). In a school of any appreciable size you'll have at least one student with the capability to do this.
Re:Root CA is Only for Your School's Apps (Score:4, Insightful)
Not quite true, many of the next gen firewalls transparently intercept sell and proxy only the ssl tunnel information itself, they negotiate with the sever and then with the client ( faking up a valid certificate from the orgs trusted root along the way ) the same symmetric keys are chosen for both sides of the connection so most packets can just be passed form client to server and vice versa; but the ips and content filtering engines still see everything
where are ... (Score:2, Insightful)
Where are all the people who say "it's their network!" when it is snooping in the workplace we are talking about?
This is a freakin school, which is actually supposed to have a watchful protector role over students. In loco parentis, you know.
And a couple of humbling observations:
Re:In their defence. (Score:5, Insightful)
And uni network admin who sits in all the same chat rooms, had the hole plugged within hours of it becoming public. What you think admins are ephermal "great evil"? Most of them are young people who are in the circles.
Some dude flying solo? Sure, will get through. Trying to get everyone to do it so you get lost in the masses? Hole plugged in hours.
Also (Score:3, Insightful)
Re:In their defence. (Score:5, Insightful)
They have low-tech means of circumventing the filter, mostly involving spending an hour going through page after page on google until they find a site not blocked.
Hardly low tech!
I too work in a school, which also implements all sorts of paranoid filtering on the school LAN. (Don't know about root CA certificates, I've never looked.)
Increasingly however, what the school does is utterly irrelevant. Almost all the students have their own completely independent access to the big bad 'net. They have phones with full Internet access, dongles for their laptops, and even laptops with SIMs built in.
It'll be a while before school authorities recognise that they're standing with their fingers in the tiny remains of a dyke, the rest of which has long since been washed away by the incoming tide. Until then, we'll still find ourselves unable to access all sorts of random and silly things in the classroom. I was refused access to the text of Rudyard Kipling's "If" the other day.
Re:yeah. (Score:5, Insightful)
Never attribute to malice that which is adequately explained by stupidity.
I've worked with a lot of IT people and sometimes they're just not competent enough to realize what's happening on their network. This sounds like a long time ago someone was sold on the idea that a firewall that scans all network traffic for malware would be a very good thing, and part of the requirements for that would be installing the root CA so the HTTPS traffic can be decrypted and scanned for malware. The staff the submitter dealt with likely never knew this was happening at all, then after the conversation the IT staff might have poked around in their firewall and found some checkbox that said "Scan all HTTPS traffic" and unchecked it. They might not know enough to help everyone remove the root CA.