School Tricks Pupils Into Installing a Root CA

First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."

yeah.

[Anonymous Coward]

Just because you have a trusted root installed to use apps or the institutions wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy eap without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.

Re:In their defence.

[SuricouRaven]

We also have a transparent intercept on port 80. And no, the proxy doesn't accept CONNECT. We even block ICMP, so no ping-tunnels. You should be able to tunnel your way out over HTTP, but it'll take a bit of work - far beyond what students can do.

They have low-tech means of circumventing the filter, mostly involving spending an hour going through page after page on google until they find a site not blocked.

As an ex-School It Admin...

[fostware]

a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.

b) "there was a root CA from the school" - it happens due to
        1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
        2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse your bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students objections.

c) It happens when at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.

All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bare the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body
I'm sure if you had brought it to most IT departments attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?

Re:In their defence.

[paddysteed]

I am that one student, and I always share what I have done with the rest of the school, resulting in everybody being able to beat the filters.

Re:In their defence.

[mikechant]

If we could not filter the ssl sites, there would be no option but to block ssl entirely by blocking all traffic on port 443.

Then that's what you should do. Intercepting an SSL session between (say) a pupil and their bank would potentially be illegal without the permission of both the pupil *and* the bank. And the bank is not going to give this permission. Blocking ssl is the only legally safe solution.
Still, it's your legal risk, up to you.

certpatrol

[manu0601]

If you fear your SSL traffic is intercepted, install a browser extension that track certificate change. Firefox has certpatrol, for instance.

Re:Probably not Illegal.

[Anonymous Coward]

Yes they can, Read the RIPA some time and this time pay attention to this bit.

RIPA can be invoked by government officials specified in the Act on the grounds of national security, and for the purposes of detecting crime, preventing disorder, public safety, protecting public health, or in the interests of the economic well-being of the United Kingdom, that is, any grounds can be covered at will under its exceedingly broad scope.[citation needed]

Re:Probably not Illegal.

[CrudPuppy]

I use zScaler Cloud for my work proxy, and I choose to have them decrypt all traffic using their CA cert that we have to install on all user laptops. This is critical because they are using heuristics to detect activity types (e.g. don't rely on a "list" of anonymizers, detect that anonymizing is being done and block it). Even if they are sitting at home, the proxy is decrypting all their activity. And the analytics are amazing.

The big difference is between this and the OP, though, is that my company owns these laptops. I display banners and let it be known that you have zero expectation of privacy. Hell, I use my personal iPad for personal browsing at work so as not to be tracked.

Re:In their defence.

[mark-t]

The dam that keeps wateer out of low=lying areas is a dike

Only in North America.

Everywhere else that english is spoken, the word is spelled with a 'y' [grammarist.com]