Slashdot Mirror

← Back to Stories (view on slashdot.org)

School Tricks Pupils Into Installing a Root CA

Posted by timothy on from the never-thought-it-would-happen-to-me dept.

First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."

4 of 417 comments (clear)

  1. yeah. by Anonymous Coward · · Score: 5, Interesting

    Just because you have a trusted root installed to use apps or the institutions wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy eap without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.

  2. As an ex-School It Admin... by fostware · · Score: 5, Interesting

    a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.

    b) "there was a root CA from the school" - it happens due to
            1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
            2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse your bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students objections.

    c) It happens when at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.

    All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bare the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body
    I'm sure if you had brought it to most IT departments attention in a courteous way, you might have been treated better.
    Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?

    --
    "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  3. Re:In their defence. by paddysteed · · Score: 5, Interesting

    I am that one student, and I always share what I have done with the rest of the school, resulting in everybody being able to beat the filters.

  4. certpatrol by manu0601 · · Score: 5, Interesting

    If you fear your SSL traffic is intercepted, install a browser extension that track certificate change. Firefox has certpatrol, for instance.