School Tricks Pupils Into Installing a Root CA
First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the school's machines, there was a root CA from the school. I then suspected that the software they instruct Windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a Windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CAs, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down; then, as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."
yeah. (Score:5, Interesting)
Just because you have a trusted root installed to use apps or the institution's wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy EAP without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.
Re:yeah. (Score:4, Insightful)
That's all well and good, but I think disclosing the information would be preferable so that little conspiracies about doom and gloom didn't come from the discovery of it.
In other words, if there was a valid reason, then it shouldn't be a secret. It should be a valid reason and disclosed in some obvious way.
Re:yeah. (Score:5, Insightful)
Never attribute to malice that which is adequately explained by stupidity.
I've worked with a lot of IT people and sometimes they're just not competent enough to realize what's happening on their network. This sounds like a long time ago someone was sold on the idea that a firewall that scans all network traffic for malware would be a very good thing, and part of the requirements for that would be installing the root CA so the HTTPS traffic can be decrypted and scanned for malware. The staff the submitter dealt with likely never knew this was happening at all, then after the conversation the IT staff might have poked around in their firewall and found some checkbox that said "Scan all HTTPS traffic" and unchecked it. They might not know enough to help everyone remove the root CA.
We Don't Need No Education (Score:5, Funny)
Re: (Score:2)
I think you will find that they will squash you like a bug if you make a fuss. Is this really something worth fighting for?
In their defence. (Score:5, Informative)
I work at a school. Yes, we have all machines on their network trust us as a root CA. We do that with good reason.
Currently in most countries, especially the UK, there is an atmosphere of paranoia bordering on terror anywhere that minors and sex may come within a hundred meters of each other. Even so, teenagers tend to meet their stereotype and display a fascination with sexual imagery. This means that it is absolutely essential that schools maintain a comprehensive internet content filter. This is not an optional extra. Without it, it's only a matter of time (and not much time) before some student happens across Dirty Dave's Scat and Fisting Gallery and shows it off to all his classmates. This in turn results in many terrified parents, legal action against the school for destroying jimmy's innocent little mind, and columns in the Daily Mail demanding the head be fired.
If we could not filter the internet, there would be no option but to forgo it. If we could not filter the ssl sites, there would be no option but to block ssl entirely by blocking all traffic on port 443. There is no possibility of effectively filtering SSL without installing a root CA, and so that is what we have to do for any device on our network that needs SSL connectivity.
Got that? No filtering, no internet. That's just the way it is. I don't like censorship more than anyone else, but this is the real world and sometimes ideology has to take a back seat to practicality and an angry mob of parents. Besides, without effective filtering, the students would spend more time playing flash games, watching the yogscast, listening to music videos and checking facebook than actually doing their work. Giving the students a locked-down and heavily censored internet is still better than giving them no internet at all, which would hold them back academically.
Re:In their defence. (Score:5, Insightful)
How about actually, you know, paying attention to what the kids in class are doing?
I don't really understand why every time a new technology comes along people think there needs to be new rules. Pornography and inappropriate images were not invented along with the internet. I can remember back when somebody would raid their father's stash of Playboys and bring one into school, and kids would be huddled around it. And, guess what, if a teacher or parents saw all these kids obviously up to no good, they would come over, and there would be hell to pay. Which still didn't stop kids from looking at pornography or doing dirty things.
Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.
Re: (Score:3)
How about actually, you know, paying attention to what the kids in class are doing?
I don't really understand why every time a new technology comes along people think there needs to be new rules. Pornography and inappropriate images were not invented along with the internet. I can remember back when somebody would raid their father's stash of Playboys and bring one into school, and kids would be huddled around it. And, guess what, if a teacher or parents saw all these kids obviously up to no good, they would come over, and there would be hell to pay. Which still didn't stop kids from looking at pornography or doing dirty things.
Oh come now. There has been a sea change, and if you are old enough, you know it. It really was harder to get, harder to get away with, and the curve was skewed toward a 1. quick look at some breasts rather than 2. a jaded wondering what could be harder than hardcore.
Honestly, there will be plenty of time for that when you are an adult ... you aren't missing anything.
Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.
Now this, I heartily agree with.
Re:In their defence. (Score:5, Funny)
Honestly, there will be plenty of time for that when you are an adult ... you aren't missing anything.
if you are young and reading this, know :
HE'S LYING.
Re: (Score:3)
if you are young and reading this, know :
HE'S LYING.
If you are young and modded the above funny, you're wrong.
Re: (Score:3)
No, when you're older your judgement won't be much better you will simply have less energy and desire to enjoy yourself thoroughly. There simply isn't time or energy for that later on in life like there is when you're young and the women quickly get fatter. No man ever went to his deathbed saying, "I wish I had slept with fewer women when I was young".
Re: (Score:3)
Yep.
Spend your childhood being a child ... that's what it's for.
Ha! This is the classic example of adults either not remembering or projecting their own ideas about what childhood is/was like. I remember being a kid and having sexual thoughts in maybe 3rd or 4th grade. I've asked other people if they had similar thoughts, and they did. By the time you get to HS, EVERYONE has sexual thoughts and urges. Wanting to look at porn and people fucking is PART of being a child. Your ideas of childhood innocens
Re: (Score:3)
As I've been saying for years, there's a Stupid Gene that turns on when people become parents, which makes them forget what it was like to be a kid.
Being childless, I'm immune. ;)
Re: (Score:3)
It is a boarding school, maybe 35 hours might be spent in a classroom, just a small fraction of the 168 hours they are at the school for during term time. Some might not even go home during the shorter breaks like a week's half term.
The school has the responsibility for those kids 24/7 most of the year. It may seem a little harsh but these kids are not destined to work in factories or McDonald's. Their parents are paying a lot of money to have them study there.
It is a difficult role the school has to take on
Re: (Score:2)
How about actually, you know, paying attention to what the kids in class are doing?
That's what filtering does.
If you want to pay for an internet monitor to look over children's shoulders, I'm sure schools will institute your policies.
Re:In their defence. (Score:5, Funny)
One teacher. Thirty students. Alt-tab.
Re: (Score:2)
So what? If the kids are really young then they should have adult supervision after school is over. Or, if they're older and can actually be trusted, then you just need rules in place. Which will of course be broken (remember the scene in Dead Poets Society where they build a crystal radio and listen to (illegal) rock and roll? A million similar avenues exist for students who want to break outside the firewall, not the least of which is buying a USB 3G stick which can be quite cheap these days).
Re: (Score:2)
Or you could maybe try just explaining that it's both impossible to really effectively filter the internet and respect students' privacy. As we are talking boarding school here it is being used for personal communications, probably interacting with financial and medical institutions by many students; things students at day would not need to do.
Parents waive all sorts of things as it is to send children to these schools. Just get the agree that filtering the internet will be less than 100% effective and tha
Re: (Score:2, Interesting)
If we could not filter the ssl sites, there would be no option but to block ssl entirely by blocking all traffic on port 443.
Then that's what you should do. Intercepting an SSL session between (say) a pupil and their bank would potentially be illegal without the permission of both the pupil *and* the bank. And the bank is not going to give this permission. Blocking ssl is the only legally safe solution.
Still, it's your legal risk, up to you.
Re: (Score:2)
The problem with a liability waiver is that you can end up with a situation where a student's parents have signed the liability waiver, student accesses something "bad", parents decide to sue despite the waiver and the legal system decides in favor of the parents.
Re: (Score:2)
And even if the waiver holds up, you'd still have to deal with the media circus and damage to reputation.
Re: (Score:2)
You know, I think the fundamental problem with the American system is how easy it is to sue.
Re:In their defence. (Score:5, Interesting)
We also have a transparent intercept on port 80. And no, the proxy doesn't accept CONNECT. We even block ICMP, so no ping-tunnels. You should be able to tunnel your way out over HTTP, but it'll take a bit of work - far beyond what students can do.
They have low-tech means of circumventing the filter, mostly involving spending an hour going through page after page on google until they find a site not blocked.
Re:In their defence. (Score:5, Insightful)
Don't be quite so complacent in what you think students CAN'T do, especially saying "far beyond what students can do". When I was 16 I was writing assembly language competently, if I were 16 now, I would be (successfully) finding ways to tunnel stuff through normal HTTP traffic via a machine outside the network (it's not hard, certainly easier than learning asm). In a school of any appreciable size you'll have at least one student with the capability to do this.
Re:In their defence. (Score:5, Interesting)
Re:In their defence. (Score:5, Insightful)
And uni network admin who sits in all the same chat rooms, had the hole plugged within hours of it becoming public. What, you think admins are ephemeral "great evil"? Most of them are young people who are in the circles.
Some dude flying solo? Sure, will get through. Trying to get everyone to do it so you get lost in the masses? Hole plugged in hours.
Re: (Score:2)
Don't be quite so complacent in what you think students CAN'T do, especially saying "far beyond what students can do". When I was 16 I was writing assembly language competently, if I were 16 now, I would be (successfully) finding ways to tunnel stuff through normal HTTP traffic via a machine outside the network (it's not hard, certainly easier than learning asm). In a school of any appreciable size you'll have at least one student with the capability to do this.
Ditto. I was also around 15-16 (1981-82) when a friend and I disassembled CP/M completely, removed some stuff we didn't need (mostly related to hard drives), added a simple switcher and turned it into a primitive multitasking system able to run two programs at once (plus some common stuff), all within the 64KB limit on a Z80 processor. So please don't assume anything about students' abilities. If you do, they'll end up biting you in the ass - hard.
Also (Score:3, Insightful)
Re: (Score:2)
Actually, most of the efforts to get around the filters have nothing to do with porn. Probably because you can't really enjoy porn in school. The main efforts of students are directed at locating music downloads and flash games.
Re: (Score:2)
How about just using the data connection on their phones? Bypasses your filters completely and the mobile service provider's filters are a joke.
Re: (Score:2)
Then it becomes Not My Problem.
Re:In their defence. (Score:5, Insightful)
They have low-tech means of circumventing the filter, mostly involving spending an hour going through page after page on google until they find a site not blocked.
Hardly low tech!
I too work in a school, which also implements all sorts of paranoid filtering on the school LAN. (Don't know about root CA certificates, I've never looked.)
Increasingly however, what the school does is utterly irrelevant. Almost all the students have their own completely independent access to the big bad 'net. They have phones with full Internet access, dongles for their laptops, and even laptops with SIMs built in.
It'll be a while before school authorities recognise that they're standing with their fingers in the tiny remains of a dyke, the rest of which has long since been washed away by the incoming tide. Until then, we'll still find ourselves unable to access all sorts of random and silly things in the classroom. I was refused access to the text of Rudyard Kipling's "If" the other day.
Re:In their defence. (Score:5, Interesting)
Only in North America.
Everywhere else that English is spoken, the word is spelled with a 'y' [grammarist.com]
Re: (Score:2)
I don't know about you, but I have never met a porn site I needed to use SSL on or https. Are those where the really good porn is or something? I mean otherwise, there really isn't a need for a MITM attack to monitor a child's porn habits is there?
So I might think this stuff is used for other things. Perhaps it is to validate their own software or something that simple. Maybe they are MITM attacking when the kids check their bank statements to find who the truly rich and powerful families are in hopes of g
Re: (Score:2)
I don't know about you, but I have never met a porn site I needed to use SSL on or https.
Google images. For most students, the first place they go in search of porn.
Re: (Score:2)
Wow.. I never noticed google images was https.
Thanks for pointing it out. I stand corrected.
Re: (Score:2)
With SSL intercept we can force safesearch on, but with the right terms some things still slip through.
Re: (Score:2)
But you do filter it at your high schools.
Pretty standard BYOD setup (Score:5, Informative)
I don't see the problem with the tech itself. If you have a "BYOD's allowed" policy, that also usually states that "if you put your own device in, here are the rules". Rules may state installing the network owner's root CA and allowing for traffic to be inspected.
In most cases, this is intended to be benevolent - it's kind of hard to run threat detection algorithms on an encrypted connection. In business environments, DLP and similar can of course be used too.
Now, in here I think the key issue was that the users were not told about the practice, and were not asked to agree to these stipulations. And of course, the old adage about not attributing to malice what can be explained by incompetence also applies here - if the issue got "fixed" then it might have been simply just that, incompetence. Somebody enabled the same SSL interception on the student network that they are using for faculty, or similar.
Re: Pretty standard BYOD setup (Score:2)
Common Problem (Score:2)
This is a common problem in that most users lack the knowledge that you obviously have, and are willing to follow like blind sheeple, even with some very very bad advice.
This is by no means limited to IT. Any profession with specialists (with specialized knowledge) will have similar effects. Were you to go through medical school it's possible you'd disagree more with your doctor, but you simply lack the knowledge. Were you to go through law school, you might decide your lawyer is an idiot (and gives bad
Re: (Score:3)
One problem is that the school's IT "specialists" are not specialists. They're basically going to be inexpensive IT flunkies and one IT admin. You'd have to get up to the level of a school district before they start hiring people more like what you'd expect in a large corporation.
Re: (Score:2)
Which is funny because even a guy driving a forklift is supposed to be licensed. IMHO, problems like this often arise because there is no clear way of judging if a candidate for a job is good or bad. Of course IT is not the only industry with this problem; if we'd made some of those bankers / quants do some sort of qualification maybe the sub prime mess wouldn't have happened. Of course there is also the importance of balance; obviously you don't want to be told you can't use the 1m deep hotel pool because
Re: (Score:3)
This is IT. You can have a bag full of certificates and not know what a root cert is. These guys aren't the equivalent of bankers, they're the bank tellers.
Re: (Score:2)
Licenses and certifications do not really mean squat. Remember back in the day when everyone got the MCSE or MCSA for Windows 2000 and you could get it by studying a mail order book and passing 3 or 4 tests without ever having any working knowledge outside the books and the limited test software that came with it. Well, if you don't, it meant that a lot of people sporting a lot of qualifications were almost completely clueless when they had to do something that wasn't spelled out exactly like the book. That
Root CA is Only for Your School's Apps (Score:5, Informative)
Per the subject - that root ca only covers your school's applications. If you go to https://www.yourschool.com/ [yourschool.com] it ensures that your computer can vet out the complete certificate trust chain. However, if you can establish a connection to https://www.xhamster.com/ [xhamster.com] your school will not be able to peer into the encrypted contents of the connection unless you're connecting via a proxy that they control.
If you think "Root CA BAAAAD!" then you're not looking deeply enough into ssl or the security concepts behind the certificates to understand their ramifications. Stay in school and dig deeper.
Re: (Score:2, Informative)
Why are you assuming that we don't know a proxy would be required?
Why are you assuming, for that matter, that a proxy changes anything? Whether they're mandatory proxies or transparent proxies, it doesn't change the fact that the man in the middle has everything he needs.
Re:Root CA is Only for Your School's Apps (Score:5, Informative)
A root ca for an organization cannot interpose itself into the certificate chain of another organization - that's kinda the whole point to the certificate "chain" of trust. His school would have to either use their own root ca and force clients to use their proxy - a very real and frequently implemented setup - or have spoofed a cert on the site as provided by its web server which chains up to his school's root, which is very unlikely and very unwieldy.
In his case, the root ca he's so concerned about will only secure comms with the servers that use a cert derived from that root ca or one of its subordinates. If he goes to https://www.anonymouscowards.c... [anonymouscowards.com] and the cert provided by the server doesn't successfully chain up to his school's root cert he'll receive a giant ssl error saying the connection is untrusted. There's no mitm here unless he goes through a proxy.
Re:Root CA is Only for Your School's Apps (Score:4, Insightful)
Not quite true, many of the next gen firewalls transparently intercept SSL and proxy only the SSL tunnel information itself, they negotiate with the server and then with the client (faking up a valid certificate from the org's trusted root along the way), the same symmetric keys are chosen for both sides of the connection so most packets can just be passed from client to server and vice versa; but the IPS and content filtering engines still see everything
Re: (Score:3)
Yes, but if they have a proxy or intelligent firewall, they can rewrite or redirect all connections to something using one of their own certificates derived from their own root instead of the original.
This is why root CAs are "BAAAAD" as you put it. They can intercept everything.
Root CA's can issue any certs (Score:2)
It's a ROOT CA they can sign anything (Score:2)
Root CAs can sign anything, you'd still trust it. Certificates for individual services or even a wildcard cert for *.yourschool.com wouldn't be a root CA certificate. They can intercept all your traffic while you are using their network and so can anyone that has hacked them and got access to their private keys. Regardless of the risk (it's not very low usually in schools) they have been eavesdropping on you without telling you and I believe even the UK has privacy laws that explicitly prohibit that.
Someon
Re: (Score:2)
Root cas can only sign stuff for their own organization, as identified within the certificate. You cannot retroactively sign a cert for https://www.dutchwhizzmandoesn... [dutchwhizz...andssl.com] if that server already has a certificate from a different organization - its existing certificate HAS to chain up to a root - otherwise clients will receive an ssl error. Once the cert is created, the only way to chain it up to a different root ca is to issue it under the new root ca or one of its subordinates, then install that _new_ cert
Re:It's a ROOT CA they can sign anything (Score:5, Insightful)
Your understanding of what is required is a little off - the root CA holder can indeed "retroactively" sign any certificate they want, and your browser would merrily accept such a signed alternative cert without raising any errors because it would never see the original cert. The very act of installing the root CA in the browser allows them to completely replace any other cert signed by any root CA and not cause errors to occur. The only opportunity they would have however to do this would be if they were proxying the traffic between you and the internet.
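The disagreement in the comments above (whether a locally installed root can vouch for other organisations' sites) comes down to how a client validates a chain. The following is an added example, not code from any commenter: a simplified Python model of path validation that links certificates by name only (no signature cryptography), using constructed certificates and hostnames such as `bank.example` and `school.example`. It goes one step beyond the thread by also modelling the X.509 name constraints extension, which is what restricting a root to one organisation's names would actually require.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str                                    # who the certificate names
    issuer: str                                     # subject of the signing CA
    is_ca: bool = False                             # basicConstraints CA flag
    dns_names: Tuple[str, ...] = ()                 # subjectAltName DNS entries
    permitted_dns: Optional[Tuple[str, ...]] = None  # nameConstraints; None = unconstrained


@dataclass(frozen=True)
class Result:
    ok: bool
    anchor: Optional[str]   # trust-store root the chain ended at, if any
    reason: str


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def in_subtree(name: str, subtree: str) -> bool:
    """True if name is the permitted domain itself or sits underneath it."""
    name, subtree = name.lower(), subtree.lower().lstrip(".")
    return name == subtree or name.endswith("." + subtree)


def validate(host: str, chain: List[Cert], store: Dict[str, Cert]) -> Result:
    """Validate a chain (leaf first) against a trust store keyed by subject."""
    leaf = chain[0]
    if not any(host_matches(n, host) for n in leaf.dns_names):
        return Result(False, None, "hostname not in certificate")
    # Each certificate must be issued by the next one, which must be a CA.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return Result(False, None, "broken chain")
    # The top of the chain must be issued by something the client trusts.
    anchor = store.get(chain[-1].issuer)
    if anchor is None or not anchor.is_ca:
        return Result(False, None, "issuer not in trust store")
    # Name constraints on any CA in the path limit what the leaf may claim.
    for ca in chain[1:] + [anchor]:
        if ca.permitted_dns is None:
            continue
        for name in leaf.dns_names:
            if not any(in_subtree(name, s) for s in ca.permitted_dns):
                return Result(False, anchor.subject,
                              f"{name} outside name constraints of {ca.subject}")
    return Result(True, anchor.subject, "ok")


# --- Constructed sample data (all names are made up for this example) ---
PUBLIC_ROOT = Cert("Example Public Root", "Example Public Root", is_ca=True)
SCHOOL_ROOT = Cert("School Root CA", "School Root CA", is_ca=True)
SCHOOL_ROOT_CONSTRAINED = Cert("School Root CA", "School Root CA", is_ca=True,
                               permitted_dns=("school.example",))

GENUINE_BANK = Cert("bank.example", "Example Public Root",
                    dns_names=("bank.example",))
# What a filtering proxy presents in place of the bank's own certificate.
PROXY_BANK = Cert("bank.example", "School Root CA", dns_names=("bank.example",))
PORTAL = Cert("portal.school.example", "School Root CA",
              dns_names=("*.school.example",))


def store_of(*roots: Cert) -> Dict[str, Cert]:
    return {r.subject: r for r in roots}


def demo() -> Dict[str, Result]:
    stock = store_of(PUBLIC_ROOT)
    with_school = store_of(PUBLIC_ROOT, SCHOOL_ROOT)
    constrained = store_of(PUBLIC_ROOT, SCHOOL_ROOT_CONSTRAINED)
    return {
        # Stock machine: the substituted certificate produces an error.
        "stock/proxy": validate("bank.example", [PROXY_BANK], stock),
        # School root installed: the same certificate validates silently.
        "school/proxy": validate("bank.example", [PROXY_BANK], with_school),
        "school/genuine": validate("bank.example", [GENUINE_BANK], with_school),
        # Constrained root: school sites still work, other names are refused.
        "constrained/proxy": validate("bank.example", [PROXY_BANK], constrained),
        "constrained/portal": validate("portal.school.example", [PORTAL], constrained),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} ok={result.ok!s:5} anchor={result.anchor} ({result.reason})")
```

The `anchor` field is the useful signal for a defender: a chain for an outside site that ends at a locally added root instead of a public one indicates interception. Real clients differ in whether they enforce constraints placed directly on a trust anchor, so a constrained root should be tested against the clients actually deployed.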
Re: (Score:2)
The other major use for certificates in Windows is installing software and drivers silently without scary warning messages. I'd be more worried about this package that the school makes them install - does it have a backdoor that lets them remotely install other software, or simply spy on the user via screen capture or webcam?
IANAL - but read this: (Score:2)
not necessarily a problem (Score:2)
Just because a root CA is installed doesn't mean someone's spying on you. In order for it to be used, the service in question would have to have a cert signed by it. In order to do pervasive spying, they'd have to have every tls enabled site on the internet complicit in it. They don't. This cert is likely for their own applications/services. WPA2 enterprise mode uses 802.1x which uses certs.. That's probably what it's for. Same if they use 802.1x for wired authentication. If you're worried about snif
Re: (Score:3)
Those uses would only require a normal CA, a root CA is only needed if you intend to spy on all SSL traffic.
Re: (Score:3)
No, a trusted root is a trusted root, your machine trusts decide for any other site. It's reasonably common for orgs to ask you to install a certificate to trust, so you can authenticate their applicants etc, but that isn't going to be root CA. If someone asks you to install a root, it should raise lots of red flags because that really does enable them to impersonate anyone else to you.
As an ex-School It Admin... (Score:5, Interesting)
a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.
b) "there was a root CA from the school" - it happens due to
1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse you're bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students' objections.
c) It happens at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just have happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.
All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bear the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body.
I'm sure if you had brought it to most IT departments' attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?
Re: (Score:2)
Re: (Score:2)
"SSL monitoring"
We didn't filter anything except VPN and tunnel traffic.
We monitored URLs both HTTP and HTTPS for investigation later.
There was a little QoS applied for non-school traffic.
Re: (Score:3)
No. We logged for investigation later.
We are talking about being able to either prove the student wasn't at that site, or provide evidence the site was visited for the school pastoral care staff to follow up.
Without monitoring, going back and determining a case one way or another is nigh on impossible.
Lastly, these are minors. There are government obligations to report illegal activities in school. Like proving a teacher was browsing porn on the school network.
"Think of the children" has a lot of traction w
Intent may be fine. CA system is to blame. (Score:5, Informative)
Their intent may be just fine. For instance, you may want to have an internal CA installed so that you can deploy SSL-enabled services without having to buy certificates from a commercial CA.
Of course it allows SSL traffic interception, which is likely to be illegal, but nothing proves it was done, or even planned. The real problem here is that the CA framework allows any CA to sign any certificate.
certpatrol (Score:5, Interesting)
Re: (Score:3)
where are ... (Score:2, Insightful)
Where are all the people who say "it's their network!" when it is snooping in the workplace we are talking about?
This is a freakin school, which is actually supposed to have a watchful protector role over students. In loco parentis, you know.
And a couple of humbling observations:
UK Data Protection Act rights (Score:3)
Assuming you are under 18, your parents' role in this is more significant than yours. If you are over, it gets far more interesting!
Normal. (Score:5, Informative)
I work in schools.
I work in UK schools.
I work in IT in UK schools.
This is normal. Sorry, but there's nothing shocking here.
You join our domain, we get the right to push any and all security measures to your client that we deem necessary. If you don't want to allow it, don't join our domain (which also means we probably won't authorise you to use our Internet connection, etc.)
The domain will have a "Default Domain Policy" that almost certainly includes software you don't want (but we insist you have), settings you'd rather not have (but which we will enforce on you) and things like this - installation of a required domain certificate so we can check you're not using OUR SCHOOL FILTER to do illegal / illicit things.
Chances are if you read your network acceptable usage policy, it states this. The alternative is you don't get network access. Because we are LEGALLY RESPONSIBLE for what is accessed through the network on our network, as well as the protection of our internal data and services.
Complain all you like. The alternative is that we block SSL site-wide. That means no Facebook at all, by the way. Or GMail. Or Hotmail. Or anything else that uses SSL by default.
We have a legal duty to monitor, record and analyse the logs of Internet traffic to ensure our child-protection policy (a legally-required policy) is followed. Additionally, it's OUR resource. If you want to use your own external 3G connection on your own time, argue for that. Chances are it will fail.
If you want to use the SCHOOL connection on SCHOOL time for NON-SCHOOL business, that's not going to happen. However if you want to use it for SCHOOL BUSINESS then you are required to allow us to apply our domain policy. If that, at any particular place, happens to include SSL certificates, monitoring software (potentially even INVISIBLE monitoring software like Securus, Ranger, etc.) then that's what you get.
Sorry, but as an IT Manager specialising in schools, and working in state, private and boarding schools from primary to further education, this is bog-standard and has happened for years. I believe even places like LGfL (a London-wide, government-backed school IT services supplier) do it.
There's a reason - we are required to protect our systems and protect ALL the children. That means everything gets summarised, logged and monitored. If we then need to dig into detailed logs, we can enable that option and do that too. Because - as in a previous school I worked for many years ago - we get things like members of staff browsing child pornography on school time. Yes, they are that stupid. And yes, they get caught. And, sorry, but our child-protection and data-protection policies take precedence over you going on your private Facebook after hours and we can't spend the time to distinguish hours, locations, staff-types, etc. for everyone.
If you don't like it, do not join your computer to a domain. If you are on the domain, it's literally our DOMAIN. Our rules. Clearly stated. That you would have agreed to.
Please, also don't act like you're the first person ever that this has happened to. It's been standard practice for at least the last 15 years I've been working IT in schools in the UK.
Re: (Score:2)
Re: (Score:2, Informative)
Just because it is normal doesn't mean it is legal, and if it is legal it doesn't mean it is right or ethical. In most European countries this would be very illegal.
Re: (Score:2)
I am not asking you to break the law or go against explicit commands, I am asking you to admit it is wrong and protest it. If everyone just accepts wrongdoings everyone else will think this is acceptable.
because fifteen years (Score:2)
Your post is constructive right up to the phrase "the last 15 years" which apparently justifies how little your network reveals to the surveilled about the actual extent of the surveillance, even to the point of having software installed that they know little to nothing about on their own equipment that could open back doors to the
two points (Score:4, Informative)
First, a school network is not a public network and it can run any policy it wants, including intercepting and monitoring traffic. You don't have to sign anything, using the network is implicit consent to the rules it is run by. The only legal requirement in my country (so your laws may differ) is disclosure of those rules, you must be able to look them up somewhere.
Second, regarding danger. The danger is exactly equivalent of the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic. If the school rates that as "low", then it assumes that users of the network don't do anything of personal importance, like online banking.
Re: (Score:3)
First, a school network is not a public network and it can run any policy it wants
Public has nothing to do with it. Public networks can run any policy they want as well, even public as in government funded ones since those are the only ones that are truly 'public networks'.
Second, regarding danger. The danger is exactly equivalent of the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic.
No, it isn't. You utterly fail to understand what's going on here or how SSL and PKI in general work.
The PCs have a copy of the school's PUBLIC CERTIFICATE AUTHORITY KEY installed on them, they DO NOT HAVE THE PRIVATE KEY, and there is no reason any PC should ever hold the root CA private key on a hard disk. I keep m
It's their network (Score:2)
Their infrastructure, their rules. (Score:2)
Get over yourself, they aren't spying on you. (Score:2)
I've never been in a large organization that didn't use their own root CA cert, and I've certainly made sure it was done everywhere I've worked.
Has nothing to do with pulling a MITM on you. You aren't worth the fucking time and effort, get over yourself, you aren't special, no one cares what you're doing.
It's more likely they just didn't want to spend several thousand dollars making certs for everything that needs an SSL cert because none of the registered root CAs will let you sign your own domain certs.
Re: (Score:2)
The policy which requires the school protect the children against dangerous* sexual imagery and enforce the school's anti-bullying policy**.
*We're talking to parents here - as far as they are concerned, it's dangerous.
**If students are exchanging harsh insults on the school email, we need to know about it.
Re: (Score:2)
There's a reason a lot of porn utilises school settings. For most people, that was their environment when they first started to show an interest in sex, and so the setting for the first experiences and fantasies. Something like that leaves a lasting impact.
Re: (Score:2)
School employees certainly are. I personally think that exposure to pornography is of very little harm - a few people show an addictive response, but that's no different from television. If I said that publicly though, I'd lose my job. It's just something that school employees must never, ever say in public - at least in this country. Privately, there is much derision of the anti-sex brigade - but we know we must comply. Also, gives an excuse to delete all those pictures of Justin Bieber topless.
Re: (Score:2)
As the earlier story had posters indicate, there are valid reasons for doing this. A root CA is not always about spying. It is likely part of some proxy software they had or some other application. Of course the IT people didn't know about it, this is just a small school where the IT people are installing external software without running it through a lengthy investigation first.
Re: (Score:2)
The school would simply explain that monitoring use of the IT facilities is an essential part of their safeguarding or child protection policy. That's as far as it'll go.
It's one of the big rules of school management. You do *not* question the safeguarding program. No matter how silly it may seem. To do so would risk opening oneself up to accusations of endangering students. No school employee ever lost their job for being too cautious.
Re: (Score:2)
Wouldn't mean much. Screencaps can be trivially faked, anyway. The submitter clearly doesn't want us to know which school this is. I can only say it isn't the one I work at - we use SSL interception on the school computers, but not on the BYOD network, which simply blocks SSL entirely.
Re: (Score:2)
Even if it's legal to install the CA, it is almost certainly not legal to intercept the traffic (wiretapping laws etc).
So, probably illegal, but IANAL.
Shachar
Re:Probably not Illegal. (Score:5, Insightful)
This is the UK, totally different wiretap law - this doesn't breach it, it's their network and they can intercept what they wish.
Re: (Score:3)
The network owner can and should be able to set the terms of service for access to their network and if you don't like a root CA being placed on your system, don't use that network; get your own network - that is, a mobile WAN hotspot or adapter, assuming these are independently owned devices. Ones owned by the school should be subject to the school's requirements.
Re: (Score:3)
They can also require web filtering and surveillance software, of course. In many schools, this kind of software, web filtering (including filtering of proxies and category of SSL-based websites) is ACTUALLY REQUIRED in the US, for many schools to keep funding under various federal programs -- eg E-rate.
Sure, there are things that may be tweaked by the school, but there are laws setting the basic boundaries for such modifications.
Well, they are perfectly within their rights to provide a policy of "N
Re: (Score:3)
Doing Man-In-The-Middle attacks with the root CA and SSL certificates signed by that root CA is only one of the risks. Once certificates signed by that CA are accepted, they're permanently usable for fake websites, for man-in-the-middle attacks with proxies using those faked SSL certificates for designated websites, and for replacing ordinary SSL signed software or update packages with fake, rootkitted packages. The list of subtler security issues is longer: those are only a few of the leading problems.
I'
Re:Probably not Illegal. (Score:5, Interesting)
I use zScaler Cloud for my work proxy, and I choose to have them decrypt all traffic using their CA cert that we have to install on all user laptops. This is critical because they are using heuristics to detect activity types (e.g. don't rely on a "list" of anonymizers, detect that anonymizing is being done and block it). Even if they are sitting at home, the proxy is decrypting all their activity. And the analytics are amazing.
The big difference between this and the OP, though, is that my company owns these laptops. I display banners and let it be known that you have zero expectation of privacy. Hell, I use my personal iPad for personal browsing at work so as not to be tracked.
Re: (Score:3)
It's easy enough to check. Surf to any public https secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.
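The check described in the comment above, automated as an added example (not part of the original thread): it compares the issuer of each site's certificate as seen on the suspect network against issuers recorded on a network you trust. As a simplification it reads the issuer of the leaf certificate, which an inspecting proxy signs with its own CA, rather than walking to the top of the chain; all host names and issuer names are constructed placeholders.

```python
import socket
import ssl

def issuer_org(cert):
    """Issuer organizationName (else commonName) from an ssl getpeercert() dict."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def fetch_cert(host, port=443, timeout=5):
    """Leaf certificate as this machine sees it. The default context trusts the
    system's default roots, so a root added for interception validates silently."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def find_interception(observed, baseline):
    """observed: host -> getpeercert() dict seen on the suspect network.
    baseline: host -> issuer organisation recorded on a network you trust."""
    mismatches = {}
    for host, cert in observed.items():
        seen = issuer_org(cert)
        if seen != baseline.get(host):
            mismatches[host] = seen
    issuers = set(mismatches.values())
    # Sites change CA now and then, so a single mismatch proves little. One
    # issuer suddenly signing several unrelated sites is what a TLS-inspecting
    # proxy looks like from the client side.
    proxy = issuers.pop() if len(mismatches) >= 2 and len(issuers) == 1 else None
    return {"mismatches": mismatches, "intercepting_issuer": proxy}

def _cert(org):
    # Constructed sample in getpeercert() layout; only the issuer is filled in.
    return {"issuer": ((("countryName", "GB"),), (("organizationName", org),),
                       (("commonName", org + " CA"),))}

# Constructed data: issuer names are placeholders, not real observations.
BASELINE = {"mail.example": "Public CA One", "bank.example": "Public CA Two",
            "news.example": "Public CA One"}
ON_SUSPECT_NET = {host: _cert("Example School") for host in BASELINE}
ON_CLEAN_NET = {host: _cert(org) for host, org in BASELINE.items()}

if __name__ == "__main__":
    print(find_interception(ON_SUSPECT_NET, BASELINE))
    print(find_interception(ON_CLEAN_NET, BASELINE))
```

For live use, build `observed` with `{h: fetch_cert(h) for h in hosts}` on the network under test; a certificate verification error at that step means the interception CA is not trusted on that machine.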
Re: (Score:3, Funny)
ah you must be the true Scotsman we keep hearing about.
Re: (Score:3, Informative)
Ummm... No...
Re: (Score:3)
But the actual threatening, the actual hostile environment?
Re: (Score:2)
Re:sneaky but..... (Score:5, Informative)
There is the potential for creepy, but pretty sure 99% of the techs at schools aren't actually smart enough to intercept traffic. Being one of the 1% who can (actually not a school tech, a consultant, but anyway) I can say in all honesty that there is better porn available for free on the Internet. I'm only going to look if you kick up a fuss about my ability to look
Re: (Score:2)
So instead of "Just because you're paranoid, doesn't mean they aren't after you.", we now have "They're only after you because you're paranoid."?
Re: (Score:2)
One of the states particularly in my mind intercepts SSL, ostensibly purely for DPI/content Filtering. Knowing their internal structure moderately well, I'd say this is about all they're capable of - using McAfee's gateway to do it. A large number of private schools do it, particularly the more wealthy ones, and I've even seen it in a few government departments.
The other comment was more of a fall-over from my days as an exchange admin. Controlling the EXSRV
Re: (Score:2)
Firefox.
Firefox loves CAs. Firefox must have CAs. If your website uses a self signed cert, Firefox will scream unholy murder and frighten most visitors away until you register with a proper, Christian root CA and do things the way the applied cryptography community believes they should be done.
And all the while, the entire root CA infrastructure is so shoddily implemented that MITM attacks like this are common a
Re: (Score:3)
which OS/Web-browser is so insecure that it accepts a root certificate from the network like this?
All of them? Or none of them, depending on your perspective. You can't just install a root cert over the network. It requires machine admin approval, which is implicit if you've joined an NT domain, or requires you to go through a certificate wizard to add the new root cert to your list of root certs.
The organization is having people add the certificate to their trusted root certificate store manually. This is not automated from a website, though it happens automatically to every machine on an NT domain.