School Tricks Pupils Into Installing a Root CA
First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the school's machines, there was a root CA from the school. I then suspected that the software they instruct Windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a Windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CAs, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating with the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down; then, as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."
Just because you have a trusted root installed to use apps or the institution's wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy EAP without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.
All in all, it's just another brick in the firewall
I work at a school. Yes, we have all machines on their network trust us as a root CA. We do that with good reason.
Currently in most countries, especially the UK, there is an atmosphere of paranoia bordering on terror anywhere that minors and sex may come within a hundred meters of each other. Even so, teenagers tend to meet their stereotype and display a fascination with sexual imagery. This means that it is absolutely essential that schools maintain a comprehensive internet content filter. This is not an optional extra. Without it, it's only a matter of time (and not much time) before some student happens across Dirty Dave's Scat and Fisting Gallery and shows it off to all his classmates. This in turn results in many terrified parents, legal action against the school for destroying Jimmy's innocent little mind, and columns in the Daily Mail demanding the head be fired.
If we could not filter the internet, there would be no option but to forgo it. If we could not filter the SSL sites, there would be no option but to block SSL entirely by blocking all traffic on port 443. There is no possibility of effectively filtering SSL without installing a root CA, and so that is what we have to do for any device on our network that needs SSL connectivity.
Got that? No filtering, no internet. That's just the way it is. I don't like censorship more than anyone else, but this is the real world and sometimes ideology has to take a back seat to practicality and an angry mob of parents. Besides, without effective filtering, the students would spend more time playing Flash games, watching the Yogscast, listening to music videos and checking Facebook than actually doing their work. Giving the students a locked-down and heavily censored internet is still better than giving them no internet at all, which would hold them back academically.
I don't see the problem with the tech itself. If you have a "BYOD's allowed" policy, that also usually states that "if you put your own device in, here are the rules". Rules may state installing the network owner's root CA and allowing for traffic to be inspected.
In most cases, this is intended to be benevolent - it's kind of hard to run threat detection algorithms on an encrypted connection. In business environments, DLP and similar can of course be used too.
Now, in here I think the key issue was that the users were not told about the practice, and were not asked to agree to these stipulations. And of course, the old adage about not attributing to malice what can be explained by incompetence also applies here - if the issue got "fixed" then it might have been simply just that, incompetence. Somebody enabled the same SSL interception on the student network that they are using for faculty, or similar.
One problem is that the school's IT "specialists" are not specialists. They're basically going to be inexpensive IT flunkies and one IT admin. You'd have to get up to the level of a school district before they start hiring people more like what you'd expect in a large corporation.
Per the subject - that root CA only covers your school's applications. If you go to https://www.yourschool.com/ it ensures that your computer can vet out the complete certificate trust chain. However, if you can establish a connection to https://www.xhamster.com/ your school will not be able to peer into the encrypted contents of the connection unless you're connecting via a proxy that they control.
If you think "Root CA BAAAAD!" then you're not looking deeply enough into SSL or the security concepts behind the certificates to understand their ramifications. Stay in school and dig deeper.
a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.
b) "there was a root CA from the school" - it happens due to:
1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse about your bragging about banging Sally; however, we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students' objections.
c) It happens at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just have happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.
All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and teachers are busy trying to teach. We bear the brunt of school administration trying to enforce pastoral care not just for you, but for all those in the school body.
I'm sure if you had brought it to most IT departments' attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?
Those uses would only require a normal CA, a root CA is only needed if you intend to spy on all SSL traffic.
This is the UK, totally different wiretap law - this doesn't breach it; it's their network and they can intercept what they wish.
Your understanding of what is required is a little off - the root CA holder can indeed "retroactively" sign any certificate they want, and your browser would merrily accept such a signed alternative cert without raising any errors because it would never see the original cert. The very act of installing the root CA in the browser allows them to completely replace any other cert signed by any root CA and not cause errors to occur. The only opportunity they would have however to do this would be if they were proxying the traffic between you and the internet.
The entire department of education out here (.AU) installs a root CA with the express purpose of intercepting HTTPS to "protect the children". There are secondary certs installed at every school so that 802.1x doesn't crap out when you try to sign in (in point of fact, pretty sure windows installs the profile by default when you bind a machine).
;)
There is the potential for creepy, but pretty sure 99% of the techs at schools aren't actually smart enough to intercept traffic. Being one of the 1% who can (actually not a school tech, a consultant, but anyway) I can say in all honesty that there is better porn available for free on the Internet. I'm only going to look if you kick up a fuss about my ability to look.
Their intent may be just fine. For instance, you might want to have an internal CA installed so that you can deploy SSL-enabled services without having to buy certificates from a commercial CA.
Of course it allows SSL traffic interception, which is likely to be illegal, but nothing proves it was done, or even planned. The real problem here is that the CA framework allows any CA to sign any certificate.
If you fear your SSL traffic is intercepted, install a browser extension that tracks certificate changes. Firefox has certpatrol, for instance.
This is IT. You can have a bag full of certificates and not know what a root cert is. These guys aren't the equivalent of bankers, they're the bank tellers.
Assuming you are under 18, your parents' role in this is more significant than yours. If you are over, it gets far more interesting!
I work in schools.
I work in UK schools.
I work in IT in UK schools.
This is normal. Sorry, but there's nothing shocking here.
You join our domain, we get the right to push any and all security measures to your client that we deem necessary. If you don't want to allow it, don't join our domain (which also means we probably won't authorise you to use our Internet connection, etc.)
The domain will have a "Default Domain Policy" that almost certainly includes software you don't want (but we insist you have), settings you'd rather not have (but which we will enforce on you) and things like this - installation of a required domain certificate so we can check you're not using OUR SCHOOL FILTER to do illegal / illicit things.
Chances are if you read your network acceptable usage policy, it states this. The alternative is you don't get network access. Because we are LEGALLY RESPONSIBLE for what is accessed through the network on our network, as well as the protection of our internal data and services.
Complain all you like. The alternative is that we block SSL site-wide. That means no Facebook at all, by the way. Or GMail. Or Hotmail. Or anything else that uses SSL by default.
We have a legal duty to monitor, record and analyse the logs of Internet traffic to ensure our child-protection policy (a legally-required policy) is followed. Additionally, it's OUR resource. If you want to use your own external 3G connection on your own time, argue for that. Chances are it will fail.
If you want to use the SCHOOL connection on SCHOOL time for NON-SCHOOL business, that's not going to happen. However if you want to use it for SCHOOL BUSINESS then you are required to allow us to apply our domain policy. If that, at any particular place, happens to include SSL certificates, monitoring software (potentially even INVISIBLE monitoring software like Securus, Ranger, etc.) then that's what you get.
Sorry, but as an IT Manager specialising in schools, and working in state, private and boarding schools from primary to further education, this is bog-standard and has happened for years. I believe even places like LGfL (a London-wide, government-backed school IT services supplier) do it.
There's a reason - we are required to protect our systems and protect ALL the children. That means everything gets summarised, logged and monitored. If we then need to dig into detailed logs, we can enable that option and do that too. Because - as in a previous school I worked for many years ago - we get things like members of staff browsing child pornography on school time. Yes, they are that stupid. And yes, they get caught. And, sorry, but our child-protection and data-protection policies take precedence over you going on your private Facebook after hours and we can't spend the time to distinguish hours, locations, staff-types, etc. for everyone.
If you don't like it, do not join your computer to a domain. If you are on the domain, it's literally our DOMAIN. Our rules. Clearly stated. That you would have agreed to.
Please, also don't act like you're the first person ever that this has happened to. It's been standard practice for at least the last 15 years I've been working IT in schools in the UK.
First, a school network is not a public network and it can run any policy it wants, including intercepting and monitoring traffic. You don't have to sign anything, using the network is implicit consent to the rules it is run by. The only legal requirement in my country (so your laws may differ) is disclosure of those rules, you must be able to look them up somewhere.
Second, regarding danger. The danger is exactly equivalent to the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic. If the school rates that as "low", then it assumes that users of the network don't do anything of personal importance, like online banking.
Never underestimate the determination of an adolescent boy in search of porn.
No, a trusted root is a trusted root; your machine trusts it to decide for any other site. It's reasonably common for orgs to ask you to install a certificate to trust, so you can authenticate their applicants etc., but that isn't going to be a root CA. If someone asks you to install a root, it should raise lots of red flags because that really does enable them to impersonate anyone else to you.
ah you must be the true Scotsman we keep hearing about.
Ummm... No...
http://en.wikipedia.org/wiki/M...
The Quakers had the same issues and they too migrated to the US to escape religious persecution. Look it up.
So to say it was "religious freedom they were running away from" is totally false.
Which OS/Web-browser is so insecure that it accepts a root certificate from the network like this?
All of them? Or none of them, depending on your perspective. You can't just install a root cert over the network. It requires machine admin approval, which is implicit if you've joined a NT domain, or requires you to go through a certificate wizard to add the new root cert to your list of root certs.
The organization is having people add the certificate to their trusted root certificate store manually. This is not automated from a website, though it happens automatically to every machine on an NT domain.
Adding the certificate to your root certificate store, then allows your browser to trust these certs. The point is that what is happening here is that the organization is telling you tell your browser to trust the organizations certificates completely. At which point your browser does what you've asked it to do.
The browser is functioning EXACTLY as it's supposed to; it's just being asked to trust these people when it doesn't by default. That's the point of the entire article.
Yes they can. Read the RIPA some time and this time pay attention to this bit:
RIPA can be invoked by government officials specified in the Act on the grounds of national security, and for the purposes of detecting crime, preventing disorder, public safety, protecting public health, or in the interests of the economic well-being of the United Kingdom, that is, any grounds can be covered at will under its exceedingly broad scope.
Doing Man-in-the-Middle attacks with the root CA and SSL certificates signed by that root CA is only one of the risks. Once certificates signed by that CA are accepted, they're permanently usable for fake websites, for man-in-the-middle attacks with proxies using those faked SSL certificates for designated websites, and for replacing ordinary SSL-signed software or update packages with fake, rootkitted packages. The list of subtler security issues is longer: those are only a few of the leading problems.
I'd be profoundly concerned that the school is not competent to protect their CA, or other certificates that have already been signed with it. Since they've already demonstrated ignorance among some personnel of their own security practices, and unwillingness to communicate truthfully with students, I'd assume that they've never properly secured the host or network on which they've stored their CA. Unless they have _erased_ the private CA and all copies of it, it can be misused at any time in the future, especially on the school's own network.
Moreover, if possible before the CA is erased, _all_ of those certificates already signed with the CA need to be revoked, and replaced with a correctly signed one. That's quite expensive, at roughly $200 USD/certificate/year. You can get the certificates more cheaply, but that estimate includes the technical time to go replace the old certificates.
I use zScaler Cloud for my work proxy, and I choose to have them decrypt all traffic using their CA cert that we have to install on all user laptops. This is critical because they are using heuristics to detect activity types (e.g. don't rely on a "list" of anonymizers, detect that anonymizing is being done and block it). Even if they are sitting at home, the proxy is decrypting all their activity. And the analytics are amazing.
The big difference between this and the OP, though, is that my company owns these laptops. I display banners and let it be known that you have zero expectation of privacy. Hell, I use my personal iPad for personal browsing at work so as not to be tracked.
In the case of the Puritans at least, yes, it is accurate. That 'hostile political climate' was the state preventing the Puritans from enforcing religious law on their communities and refusing to do what they wanted. They were entitled bastards who considered inability to persecute to be persecution. You can see their attitude still rampant in US politics, which is probably why it is so important for people to remember them as seeking freedom.
But the actual threatening, the actual hostile environment? Classic 'how dare you curb our freedom to curb other people's freedoms, we follow god!'.
The network owner can and should be able to set the terms of service for access to their network, and if you don't like a root CA being placed on your system, don't use that network; get your own network - that is, a mobile WAN hotspot or adapter, assuming these are independently owned devices. Ones owned by the school should be subject to the school's requirements.
It's easy enough to check. Surf to any public https secured site, and check the certificate's chain of trust. If the self-signed cert at the top of the chain is the school's cert, they've been pwned.
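The check described above inspects one live connection in the browser's certificate viewer. The complementary check, which the submitter did by hand, is to look at the trust store itself for a root that should not be there. Below is an added example of that audit (not code from the thread or from any school's BYOD package) using only the Python standard library: `ssl.create_default_context()` loads the operating system's trust store, and `get_ca_certs()` describes each loaded CA as a dict whose `subject` and `issuer` are tuples of relative distinguished names. The three sample certificates, the organisation names and the baseline are constructed for the demo.

```python
"""Audit the local trusted-root store for roots you did not expect (added example).

A root certificate is its own issuer, so subject == issuer picks out the roots;
anything self-signed that is not in a baseline you took earlier (or a vendor's
published root list) is worth a closer look.
"""
import ssl


def dn_to_str(dn) -> str:
    """Flatten an ssl-module DN, e.g. ((('countryName', 'GB'),), (('commonName', 'X'),)),
    into 'countryName=GB, commonName=X'."""
    return ", ".join(f"{attr}={value}" for rdn in dn for attr, value in rdn)


def is_self_signed(cert: dict) -> bool:
    """Roots sign themselves; intermediates carry a different issuer."""
    return cert.get("subject") == cert.get("issuer")


def find_unexpected_roots(certs: list[dict], baseline: set[str]) -> list[dict]:
    """Self-signed roots whose subject string is absent from the baseline."""
    return [c for c in certs if is_self_signed(c) and dn_to_str(c["subject"]) not in baseline]


def load_trusted_roots() -> list[dict]:
    """Everything the platform trust store hands to Python (on Windows: the ROOT and CA stores)."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def _dn(**attrs):
    """Build a DN in the same nested-tuple shape get_ca_certs() returns (demo helper)."""
    return tuple(((k, v),) for k, v in attrs.items())


# Constructed sample store: a public root, its intermediate, and an organisation's own root.
PUBLIC_ROOT = _dn(countryName="US", organizationName="Example Trust Services", commonName="Example Global Root")
INTERMEDIATE = _dn(organizationName="Example Trust Services", commonName="Example Intermediate CA")
SCHOOL_ROOT = _dn(countryName="GB", organizationName="Example Boarding School", commonName="Example School Root CA")
SAMPLE_CERTS = [
    {"subject": PUBLIC_ROOT, "issuer": PUBLIC_ROOT, "version": 3, "serialNumber": "01"},
    {"subject": INTERMEDIATE, "issuer": PUBLIC_ROOT, "version": 3, "serialNumber": "02"},
    {"subject": SCHOOL_ROOT, "issuer": SCHOOL_ROOT, "version": 3, "serialNumber": "03"},
]
# Baseline as it would have been snapshotted before joining the network.
BASELINE = {dn_to_str(PUBLIC_ROOT)}


def demo() -> list[str]:
    """Subjects of roots in the sample store that the baseline does not know."""
    return [dn_to_str(c["subject"]) for c in find_unexpected_roots(SAMPLE_CERTS, BASELINE)]


if __name__ == "__main__":
    # On a real machine: print every root so the list can be diffed against an earlier snapshot.
    for cert in load_trusted_roots():
        if is_self_signed(cert):
            print(dn_to_str(cert["subject"]))
    print("unexpected in sample store:", demo())
```

Finding a root in the store shows the capability exists; it does not show that interception is happening. The chain check in the comment above answers that second question, and a root that has been removed from the store cannot be used against the machine even if a proxy is still configured to sign with it.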
They can also require web filtering and surveillance software, of course. In many schools, this kind of software, web filtering (including filtering of proxies and category of SSL-based websites) is ACTUALLY REQUIRED in the US, for many schools to keep funding under various federal programs -- eg E-rate.
Sure, there are things that may be tweaked by the school, but there are laws setting the basic boundaries for such modifications.
Well, they are perfectly within their rights to provide a policy of "No laptops allowed past this point", at the door.
Anything less is a concession on their part. In the case of your physical PERSON, they can't require arbitrary concessions, such as body cavity searches without infringing on people's rights.
With laptops however; they can require arbitrary modifications or standards of their choosing, before the laptop is permitted access.
Fully updated, not running an EOL operating system such as Windows XP, no infections present and working antimalware would be some common restrictions.