Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

School Tricks Pupils Into Installing a Root CA

timothy posted about 5 months ago | from the never-thought-it-would-happen-to-me dept.

United Kingdom 417

First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."

cancel ×

417 comments

Probably not Illegal. (0)

Anonymous Coward | about 5 months ago | (#46438445)

I'd look real hard at the documentation that came with that software they had you install. I'd bet there's plenty of CYA in there along the lines of "By installing this software you agree, ect ect.

Re:Probably not Illegal. (1)

Sun (104778) | about 5 months ago | (#46438525)

Even if it's legal to install the CA, it is almost certainly not legal to intercept the traffic (wiretapping laws etc).

So, probably illegal, but IANAL.

Shachar

Re:Probably not Illegal. (5, Insightful)

Richard_at_work (517087) | about 5 months ago | (#46438629)

This is the UK, totally different wiretap law - this doesn't breach it, its their network and they can intercept what they wish.

Re:Probably not Illegal. (0)

Anonymous Coward | about 5 months ago | (#46438639)

It's not their network if it's the users personal laptop and they take it home over the holidays.

Re:Probably not Illegal. (1)

mrbester (200927) | about 5 months ago | (#46438697)

No, they really can't. Read the text of RIPA for why, and that's just for starters.

Re:Probably not Illegal. (-1)

Anonymous Coward | about 5 months ago | (#46438679)

"ect ect"...

Oh look - an AMERICAN.

It's
"etc."

short for the Latin "et cetera" (which means "and the rest").

You American idiot.

Re:Probably not Illegal. (1)

Anonymous Coward | about 5 months ago | (#46438705)

Any fule kno parent haz never read Molesworth and cannot be regarded as tru Englishman chiz.

Re:Probably not Illegal. (-1)

Anonymous Coward | about 5 months ago | (#46438715)

Do you know the main reason we left Europe was to get away from jagoff's like you? They may have called it 'religeous' freedom or some other such formality, but the truth is we can't stand you self-righteous smug little assholes in your little pissant European countries that are barely the size of our small cities.

So go on then, staty over there with your piss warm beer and your kings and gas taxes and teeny little cars and smelly cheese and women with hairy armpits.

God I fucking hate Euroweenies like you.

Re: Probably not Illegal. (-1)

Anonymous Coward | about 5 months ago | (#46438747)

and then someone had to go and invent the Internet and turn your every day into a nightmare again with Europeans lurking on every public forum. Sucks to be you, tosspot!

Re:Probably not Illegal. (1, Troll)

mab (17941) | about 5 months ago | (#46438749)

They went to America because they didn't like religious freedom.

Re:Probably not Illegal. (0)

Anonymous Coward | about 5 months ago | (#46438759)

They went to America because they didn't like religious freedom.

This is true, it is interesting how many today think it was the opposite.

yeah. (5, Interesting)

Anonymous Coward | about 5 months ago | (#46438447)

Just because you have a trusted root installed to use apps or the institutions wireless doesn't mean they were out to spy on you. It was likely the cheapest way to make secured applications run internally, or the easiest way for them to deploy eap without having to have you turn off server cert verification in your supplicant, which is way worse than having a trusted root.

Re:yeah. (3, Insightful)

sumdumass (711423) | about 5 months ago | (#46438571)

That's all and good and all, but I think disclosing the information would be preferable so that little conspiracies about doom and gloom didn't come from the discovery of it.

In other words, if there was a valid reason, then it shouldn't be a secret. It should be a valid reason and disclosed in some obvious way.

We Don't Need No Education (5, Funny)

Travis Mansbridge (830557) | about 5 months ago | (#46438453)

All in all, it's just another brick in the firewall

Re:We Don't Need No Education (1)

coastwalker (307620) | about 5 months ago | (#46438699)

I think you will find that they will squash you like a bug if you make a fuss. Is this really something worth fighting for?

sneaky but..... (0)

obscured_dude (884855) | about 5 months ago | (#46438457)

i guess because you are using their network, you have to abide by their rules/tos/t&c... i bet theres something in there somewhere that allows them to do this! :/ if not... SUE SUE SUE! :P jks... FIRST POST! :P

Re:sneaky but..... (1)

MrDoh! (71235) | about 5 months ago | (#46438579)

The top bods at the school might not know (understand), but perhaps the techs were being creepy? Well worth escalating.

Re:sneaky but..... (5, Informative)

Architect_sasyr (938685) | about 5 months ago | (#46438661)

The entire department of education out here (.AU) installs a root CA with the express purpose of intercepting HTTPS to "protect the children". There are secondary certs installed at every school so that 802.1x doesn't crap out when you try to sign in (in point of fact, pretty sure windows installs the profile by default when you bind a machine).

There is the potential for creepy, but pretty sure 99% of the techs at schools aren't actually smart enough to intercept traffic. Being one of the 1% who can (actually not a school tech, a consultant, but anyway) I can say in all honesty that there is better porn available for free on the Internet. I'm only going to look if you kick up a fuss about my ability to look ;)

real or speculation (0)

Anonymous Coward | about 5 months ago | (#46438463)

Post the unedited screencaps or none at all. Otherwise this whole "article" is pure speculation.

Re:real or speculation (1)

SuricouRaven (1897204) | about 5 months ago | (#46438515)

Wouldn't mean much. Screencaps can be trivially faked, anyway. The submitter clearly doesn't want us to know which school this is. I can only say it isn't the one I work at - we use SSL interception on the school computers, but not on the BYOD network, which simply blocks SSL entirely.

In their defence. (5, Informative)

SuricouRaven (1897204) | about 5 months ago | (#46438469)

I work at a school. Yes, we have all machines on their network trust us as a root CA. We do that with good reason.

Currently in most countries, especially the UK, there is an atmosphere of paranoia bordering on terror anywhere that minors and sex may come within a hundred meters of each other. Even so, teenagers tend to meet their stereotype and display a fascination with sexual imagery. This means that it is absolutely essential that schools maintain a comprehensive internet content filter. This is not an optional extra. Without it, it's only a matter of time (and not much time) before some student happens across Dirty Dave's Scat and Fisting Gallery and shows it off to all his classmates. This in turn results in many terrified parents, legal action against the school for destroying jimmy's innocent little mind, and columns in the Daily Mail demanding the head be fired.

If we could not filter the internet, there would be no option but to forgo it. If we could not filter the ssl sites, there would be no option but to block ssl entirely by blocking all traffic on port 443. There is no possibility of effectively filtering SSL without installing a root CA, and so that is what we have to do for any device on our network that needs SSL connectivity.

Got that? No filtering, no internet. That's just the way it is. I don't like censorship more than anyone else, but this is the real world and sometimes ideology has to take a back seat to practicality and an angry mob of parents. Besides, without effective filtering, the students would spend more time playing flash games, watching the yogscast, listening to music videos and checking facebook than actually doing their work. Giving the students a locked-down and heavily censored internet is still better than giving them no internet at all, which would hold them back academically.

Re:In their defence. (1)

paddysteed (2380072) | about 5 months ago | (#46438505)

But installing a root CA on people own hardware, don't you think that is a step too far. It is not as if it is really easy to circumvent anyway. I have ssh running on port 80 and just tunnel everything through that to beat the schools surveillance.

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438531)

And you would have gotten away with it, too, were it not for the monitoring device we installed while you were asleep. If we catch you in subversive activities again you'll win a trip to the Caribbean were you WILL be protected.

Re:In their defence. (4, Interesting)

SuricouRaven (1897204) | about 5 months ago | (#46438595)

We also have a transparent intercept on port 80. And no, the proxy doesn't accept CONNECT. We even block ICMP, so no ping-tunnels. You should be able to tunnel your way out over HTTP, but it'll take a bit of work - far beyond what students can do.

They have low-tech means of circumventing the filter, mostly involving spending an hour going through page after page on google until they find a site not blocked.

Re:In their defence. (4, Insightful)

Alioth (221270) | about 5 months ago | (#46438655)

Don't be quite so complacent in what you think students CAN'T do, especially saying "far beyond what students can do". When I was 16 I was writing assembly language competently, if I were 16 now, I would be (successfully) finding ways to tunnel stuff through normal HTTP traffic via a machine outside the network (it's not hard, certainly easier than learning asm). In a school of any appreciable size you'll have at least one student with the capability to do this.

Re:In their defence. (5, Interesting)

paddysteed (2380072) | about 5 months ago | (#46438693)

I am that one student, and I always share what I have done with the rest of the school, resulting in everybody being able to beat the filters.

Re:In their defence. (5, Insightful)

Luckyo (1726890) | about 5 months ago | (#46438765)

And uni network admin who sits in all the same chat rooms, had the hole plugged within hours of it becoming public. What you think admins are ephermal "great evil"? Most of them are young people who are in the circles.

Some dude flying solo? Sure, will get through. Trying to get everyone to do it so you get lost in the masses? Hole plugged in hours.

Re:In their defence. (1)

xenobyte (446878) | about 5 months ago | (#46438723)

Don't be quite so complacent in what you think students CAN'T do, especially saying "far beyond what students can do". When I was 16 I was writing assembly language competently, if I were 16 now, I would be (successfully) finding ways to tunnel stuff through normal HTTP traffic via a machine outside the network (it's not hard, certainly easier than learning asm). In a school of any appreciable size you'll have at least one student with the capability to do this.

Ditto. I was also around 15-16 (1981-82) when a friend and I disassembled CP/M completely, removed some stuff we didn't need (mostly related to harddrives), added a simple switcher and turned it into a primitive multitasking system able to run two programs at once (plus some common stuff), all within the 64KB limit on a Z80 processor. So please don't assume anything about students abilities. If you do, they'll end up biting you in the ass - hard.

Also (3, Insightful)

nicobigsby (1418849) | about 5 months ago | (#46438825)

Never underestimate the determination of an adolescent boy in search of porn.

Re:In their defence. (1)

Anonymous Coward | about 5 months ago | (#46438517)

Yep, England is utterly crazed.

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438519)

I agree that "your network - your rules". So, although I believe it is not a job of IT department to guard teenagers from visiting some "nasty" sites; you've given them the access at the first place and they wouldn't have anything otherwise. So, you can do whatever you want with your network. But please, do not call it Internet access then - it is not anymore! Call it as you did here: "locked-down and heavily censored internet" - put that on posters advertising school wifi network. Call the things right names.

Now how does that sound, huh? Not so eager to do it I bet.

Re:In their defence. (4, Insightful)

KingOfBLASH (620432) | about 5 months ago | (#46438541)

How about actually, you know, paying attention to what the kids in class are doing?

I don't really understand why every time a new technology comes along people think there needs to be new rules. Pornography and inappropriate images were not invented along with the internet. I can remember back when somebody would raid their fathers stash of playboys and bring one into school, and kids would be huddled around it. And, guess what, if a teacher or parents saw all these kids obviously up to no good, they would come over, and there would be hell to pay. Which still didn't stop kids from looking at pornography or doing dirty things.

Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.

In the case of TFS... (0)

Anonymous Coward | about 5 months ago | (#46438625)

>How about actually, you know, paying attention to what the kids in class are doing?

Submitter attends a boarding school, which makes the school liable for anything that happens after class as well.

Re:In the case of TFS... (1)

KingOfBLASH (620432) | about 5 months ago | (#46438645)

So what? If the kids are really young then they should have adult supervision after school is over. Or, if they're older and can actually be trusted, then you just need rules in place. Which will of course be broken (remember the scene in dead poets society where they build a crystal radio and listen to (illegal) rock and roll? a million similar avenues exist for students who want to break outside the firewall, not the least of which is buying a USB 3G stick which can be quite cheap these days).

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438643)

"Why in the world do kids need access to computers in the classroom?"

Because all of the knowledge in the world is there, much of it for free. If the purpose of school was to make people knowledgeable, then you'd give everyone permanent access to the internet. But, as you're saying, the actual purpose of school is to keep children and teenagers ignorant of the very most basic point of being human or even an animal - sex, desire, intimacy, need. These things must be kept secret because ... well you're not allowed to know any reasons, you're supposed to learn "right and wrong" without having reasons and to be so used to them that by the time you're not totally ignorant it's too late for you to change your morals to something rational that DOES have a reason.

Re:In their defence. (2)

cascadingstylesheet (140919) | about 5 months ago | (#46438753)

How about actually, you know, paying attention to what the kids in class are doing?

I don't really understand why every time a new technology comes along people think there needs to be new rules. Pornography and inappropriate images were not invented along with the internet. I can remember back when somebody would raid their fathers stash of playboys and bring one into school, and kids would be huddled around it. And, guess what, if a teacher or parents saw all these kids obviously up to no good, they would come over, and there would be hell to pay. Which still didn't stop kids from looking at pornography or doing dirty things.

Oh come now. There has been a sea change, and if you are old enough, you know it. It really was harder to get, harder to get away with, and the curve was skewed toward a 1. quick look at some breasts rather than 2. a jaded wondering what could be harder than hardcore.

Honestly, there will be plenty of time for that when you are an adult ... you aren't missing anything.

Besides, why in the world do kids need access to computers in the classroom? When kids are working in a computer lab or something, have someone watching them. If you can't trust them to not look at porn, then they're not mature or old enough to be left alone with a computer.

Now this, I heartily agree with.

Re:In their defence. (5, Funny)

richlv (778496) | about 5 months ago | (#46438805)

Honestly, there will be plenty of time for that when you are an adult ... you aren't missing anything.

if you are young and reading this, know :

HE'S LYING.

Re:In their defence. (2)

blackest_k (761565) | about 5 months ago | (#46438773)

It is a boarding school, maybe 35 hours might be spent in a classroom, just a small fraction of the 168 hours they are at the school for during term time. Some might not even go home during the shorter breaks like a weeks half term.

The school has the responsibility for those kids 24/7 most of the year. It may seem a little harsh but these kids are not destined to work in factories or Mcdonalds. Their parents are paying a lot of money to have them study there.

It is a difficult role the school has to take on the role of parent or guardian which does mean filtering the content the kids are exposed to. If a parent wants to provide an unfiltered connection they probably could afford to do so but would be discouraged from doing so. It's a guilded cage for the kids but when they are adults and have their own kids they will probably make the same choice.

Re:In their defence. (1)

gIobaljustin (3526197) | about 5 months ago | (#46438785)

Pornography and inappropriate images

A better idea would be to discard this puritan nonsense and stop pretending that what one person thinks is "inappropriate" is objectively correct.

Re:In their defence. (1)

Anonymous Coward | about 5 months ago | (#46438549)

That's the job of a liability waiver, not a root CA.

Did Jimmy's parents opt in to Jimmy having access to the dangerous internet? Then there's no internet for Jimmy. If you don't want to manage that at a student level, then your limitations are rooted in budget.

From there you throw in some DNS and IP based filtering if you really want to keep your bases covered. Filter the traffic that comes in over HTTP as well, sure. Don't say that you "don't like censorship more than anyone else, but this is the real world". At that point you've bought into the censorship hook, line, and sinker. If your company isn't going to spend the resources on doing things the right way, it becomes the job of your management to equivocate when they get busted for it. That responsibility is not preemptively yours.

Re:In their defence. (1)

jonwil (467024) | about 5 months ago | (#46438591)

The problem with a liability waiver is that you can end up with a situation where a students parents have signed the liability waiver, student accesses something "bad", parents decide to sue despite the waiver and the legal system decides in favor of the parents.

Re:In their defence. (1)

gIobaljustin (3526197) | about 5 months ago | (#46438797)

The real problem is that puritan morons can successfully sue someone because their kids accessed something on the Internet that they don't like.

Re:In their defence. (1)

DarkOx (621550) | about 5 months ago | (#46438631)

Or you could maybe try just explaining that it's both impossible to really effectively filter the internet and respect students privacy. As we are talking boarding school here it is being used for personal communications, probably interacting with financial and medical institutions by many students; things students at day would not need to do.

Parents waive all sorts of things as it is to send children to these schools. Just get the agree that filtering the internet will be less than 100% effective and that while viewing explicit material is against the rules and students caught will be disciplined it could happen, and this is better than the alternatives of no internet or no privacy

Re:In their defence. (2, Interesting)

mikechant (729173) | about 5 months ago | (#46438695)

If we could not filter the ssl sites, there would be no option but to block ssl entirely by blocking all traffic on port 443.

Then that's what you should do. Intercepting an SSL session between (say) a pupil and their bank would potentially be illegal without the permission of both the pupil *and* the bank. And the bank is not going to give this permission. Blocking ssl is the only legally safe solution.
Still, it's your legal risk, up to you.

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438701)

Currently in most countries, especially the UK, there is an atmosphere of paranoia bordering on terror anywhere that minors and sex may come within a hundred meters of each other. Even so, teenagers tend to meet their stereotype and display a fascination with sexual imagery. This means that it is absolutely essential that schools [keep every child in their separate room and under constant video surveillance]. This is not an optional extra. Without it, it's only a matter of time (and not much time) before some student happens [to attempt to touch themselves in inappropriate ways] and shows it off to all his classmates. This in turn results in many terrified parents, legal action against the school for destroying jimmy's innocent little mind, and columns in the Daily Mail demanding the head be fired.

Children curious about naughty bits is inevitable if not natural. Attempting to secretly watch whatever they do in private by e.g. doing a MITM on their private computers is deeply deviant.

Re:In their defence. (1)

sumdumass (711423) | about 5 months ago | (#46438743)

I don't know about you, but I have never met a porn site I needed to use SSL on or https. Are those where the really good porn is or something? I mean otherwise, there really isn't a need for a MITM attack to monitor a child's porn habits is there?

So I might think this stuff is used for other things. Perhaps it is to validate their own software or something that simple. Maybe they are MITM attacking when the kids check their bank statements to find who the truley rich and powerful families are in hopes of getting that new library or something. But porn is relatively simple to find and most filters are relatively easy to surmount.

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438713)

That's precisely how i used the internet a that age and it didn't make me a psychopath.
They'll have to deal with it, there's a whole lot of anal fisting in the real world.
It makes teaching anal fisting one of the main duties of public schools.

Re:In their defence. (-1)

Anonymous Coward | about 5 months ago | (#46438729)

um.. i'm in the u.s. and we don't filter internet at universities
maybe you should fix things in your stupid country before spouting nonsense like 'sometimes ideology must take a backseat' and 'only option is to forego it', we don't do that here...

Re:In their defence. (1)

gIobaljustin (3526197) | about 5 months ago | (#46438811)

but this is the real world and sometimes ideology has to take a back seat to practicality and an angry mob of parents.

This mentality just makes everything worse, or at any rate, it doesn't improve the situation. In the US, the TSA molests people at airports. If we had more people who cared about freedom and principles, this sort of thing wouldn't happen. Therefore, this 'abandon ideology and surrender to the status quo' mentality is absolutely poisonous.

Re:In their defence. (0)

Anonymous Coward | about 5 months ago | (#46438819)

maybe but its not going to protect the children from porn. I went to a boarding school and by the time we were 11-12yr old the dormitories were awash with porn mags of all varieties. I doubt its any different now excepting they probably bring films in on usb sticks.

Report it. (0)

Anonymous Coward | about 5 months ago | (#46438485)

Your first port if call is ahead of year, them the head teacher, if you are not comfortable with that report it to the school governors as they can demand the head report and take action. Failing any joy it would be the LEA, Local Education Authority and finally with the Information Commissioner's Office.

Re:Report it. (1)

SuricouRaven (1897204) | about 5 months ago | (#46438511)

The school would simply explain that monitoring use of the IT facilities is an essential part of their safeguarding or child protection policy. That's as far as it'll go.

It's one of the big rules of school management. You do *not* question the safeguarding program. No matter how silly it may seem. To do so would risk opening onesself up to accusations of endangering students. No school employee ever lost their job for being too cautious.

one simple question (1)

zimtmaxl (667919) | about 5 months ago | (#46438487)

Just ask management a very simple question: Which policy requires IT to read pupils' communication? DON'T leave out the "policy" - because that is the part management is directly responsible for! Then just watch them boil...

Re:one simple question (1)

SuricouRaven (1897204) | about 5 months ago | (#46438493)

The policy which requires the school protect the children against dangerous* sexual imagery and enforce the school's anti-bullying policy**.

*We're talking to parents here - as far as they are concerned, it's dangerous.
**If students are exchanging harsh insults on the school email, we need to know about it.

Re:one simple question (0)

Anonymous Coward | about 5 months ago | (#46438651)

Well they're required to say it's dangerous even if they don't believe it is. But where there's a required answer there is no way to ascertain honesty.

Re:one simple question (1)

Darinbob (1142669) | about 5 months ago | (#46438521)

As the earlier story had posters indicate, there are valid reasons for doing this. A root CA is not always about spying. It is likely part of some proxy software they had or some other application. Of course the IT people didn't know about it, this is just a small school where the IT people are installing external software without running it through a lengthy investigation first.

Duty of Care (0)

Anonymous Coward | about 5 months ago | (#46438489)

K-12 schools have a duty of care to their students, so this is just a case of them protecting themselves. Being your own device, you're still able to bypass your school - just remove the certificate and run through a 3G connection. Right or wrong, as an IT consultant who works with this type of technology in schools on a daily basis, your school management and parents will likely agree with these measures under the guise of protecting you.

Duty of Care (1)

rail (1694740) | about 5 months ago | (#46438491)

K-12 schools have a duty of care to their students, so this is just a case of them protecting themselves. Being your own device, you're still able to bypass your school - just remove the certificate and run through a 3G connection. Right or wrong, as an IT consultant who works with this type of technology in schools on a daily basis, your school management and parents will likely agree with these measures under the guise of protecting you.

Not Illegal - Fix It Instead of Being An Ass (0)

Anonymous Coward | about 5 months ago | (#46438499)

There are valid reasons for the school to have people install their certificate. It's also likely that the software was designed to be used for school computers and no one thought to adjust it for home use. Finally, WiFi networks don't go up or down slowly...

Instead of complaining and being a pain in everyone's side, why don't you write a nice tutorial with screenshots on how to remove the certificate and ask the IT department if you can distribute the flyer for them. This way you're a nice and helpful person instead of making everyone hate you.

Installing root CAs has been standard practice for years. Why are people seemingly suddenly so angry about it?

Re:Not Illegal - Fix It Instead of Being An Ass (0)

Anonymous Coward | about 5 months ago | (#46438829)

Installing root CAs is a sign of incompetence. There is no reason to do so, it's dangerous, and there are legitimate workarounds.

Pretty standard BYOD setup (4, Informative)

Zarhan (415465) | about 5 months ago | (#46438501)

I don't see the problem with the tech itself. If you have a "BYOD's allowed" policy, that also usually states that "if you put your own device in, here are the rules". Rules may state installing the network owner's root CA and allowing for traffic to be inspected.

In most cases, this is intended to be benevolent - it's kind of hard to run threat detection algorithms on an encrypted connection. In business environments, DLP and similar can of course be used too.

Now, in here I think the key issue was that the users were not told about the practice, and were not asked to agree to these stipulations. And of course, the old adage about not attributing to malice what can be explained by incompetence also applies here - if the issue got "fixed" then it might have been simply just that, incompetence. Somebondy enabled the same SSL interception on the student network that they are using for faculty, or similar.

Re: Pretty standard BYOD setup (1)

clickclickdrone (964164) | about 5 months ago | (#46438593)

Indeed. Ever since installing BYOD for work on my tablet, it had an icon in the notification bar warning me all communications are being potentially monitored by a 3rd party.

Common Problem (1)

KingOfBLASH (620432) | about 5 months ago | (#46438513)

This is a common problem in that most users lack the knowledge that you obviously have, and are willing to follow like blind sheeple, even with some very very bad advice.

This is by no means limited to IT. Any profession with specialists (with specialized knowledge) will have similar effects. Were you to go through medical school it's possible you'd disagree more with your doctor, but you simply lack the knowledge. Were you to go through law school, you might decide your lawyer is an idiot (and gives bad advice). Etc.

The difference is that whereas with medicine, bad advice will generate all kinds of law suits and maybe because people will die you have sort of an impetus to ensure your medical care is good (and there are boards to make sure practitioners meet some minimum standards regularly). With IT, probably the idiot who set up the network won't get fired, and because people do not have any real understanding, there will be no law suits, and nothing bad will happen to encourage better security practices.

Re:Common Problem (2)

Darinbob (1142669) | about 5 months ago | (#46438533)

One problem is that the school's IT "specialists" are not specialists. They're basically going to be inexpensive IT flunkies and one IT admin. You'd have to get up to the level of a school district before they start hiring people more like what you'd expect in a large corporation.

Re:Common Problem (1)

KingOfBLASH (620432) | about 5 months ago | (#46438577)

Which is funny because even a guy driving a forklift is supposed to be licensed. IMHO, problems like this often arise because there is no clear way of judging if a candidate for a job is good or bad. Of course IT is not the only industry with this problem; if we'd made some of those bankers / quants do some sort of qualification maybe the sub prime mess wouldn't of happened. Of course there is also the importance of balance; obviously you don't want to be told you can't use the 1m deep hotel pool because you never got your swimming license.

Re:Common Problem (2)

Darinbob (1142669) | about 5 months ago | (#46438741)

This is IT. You can have a bag full of certificates and not know what a root cert is. These guys aren't the equivalent of bankers, they're the bank tellers.

Root CA is Only for Your School's Apps (4, Informative)

joelleo (900926) | about 5 months ago | (#46438547)

Per the subject - that root ca only covers your school's applications. If you go to https://www.yourschool.com/ [yourschool.com] it ensures that your computer can vet out the complete certificate trust chain. However, if you can establish a connection to https://www.xhamster.com/ [xhamster.com] your school will not be able to peer into the encrypted contents of the connection unless you're connecting via a proxy that they control.

If you think "Root CA BAAAAD!" then you're not looking deeply enough into ssl or the security concepts behind the certificates to understand their ramifications. Stay in school and dig deeper.

Re:Root CA is Only for Your School's Apps (2, Informative)

Anonymous Coward | about 5 months ago | (#46438575)

Why are you assuming that we don't know a proxy would be required?

Why are you assuming, for that matter, that a proxy changes anything? Whether they're mandatory proxies or transparent proxies, it doesn't change the fact that the man in the middle has everything he needs.

Re:Root CA is Only for Your School's Apps (4, Informative)

joelleo (900926) | about 5 months ago | (#46438597)

A root ca for an organization cannot interpose itself into the certificate chain of another organization - that's kinda the whole point to the certificate "chain" of trust. His school would have to either use their own root ca and force clients to use their proxy - a very real and frequently implemented setup - or have spoofed a cert on the site as provided by its web server which chains up to his school's root, which is very unlikely and very unwieldy.

In his case, the root ca he's so concerned about will only secure comms with the servers that use a cert derived from that root ca or one of its subordinates. If he goes to https://www.anonymouscowards.c... [anonymouscowards.com] and the cert provided by the server doesn't successfully chain up to his school's root cert he'll receive a giant ssl error saying the connection is untrusted. There's no mitm here unless he goes through a proxy.

Re:Root CA is Only for Your School's Apps (3, Insightful)

DarkOx (621550) | about 5 months ago | (#46438657)

Not quite true, many of the next gen firewalls transparently intercept sell and proxy only the ssl tunnel information itself, they negotiate with the sever and then with the client ( faking up a valid certificate from the orgs trusted root along the way ) the same symmetric keys are chosen for both sides of the connection so most packets can just be passed form client to server and vice versa; but the ips and content filtering engines still see everything

Re:Root CA is Only for Your School's Apps (2)

Carewolf (581105) | about 5 months ago | (#46438827)

Yes, but if they have proxy or intelligent firewall, they can rewrite or redirect all connections to something using one of their own certificates derived from their own root instead of the original.

This is why root CAs are "BAAAAD" as you put it. They can intercept everything.

It's a ROOT CA they can sign anything (1)

dutchwhizzman (817898) | about 5 months ago | (#46438589)


Root CAs can sign anything, you'd still trust it. Certificates for individual services or even a wildcard cert for *.yourschool.com wouldn't be a root CA certificate. They can intercept all your traffic while you are using their network and so can anyone that has hacked them and got access to their private keys. Regardless of the risk (it's not very low usually in schools) they have been eavesdropping on you without telling you and I believe even the UK has privacy laws that explicitly prohibit that.
Someone bet their job on this the OP said. Well, I guess that eavesdropping on students is illegal, so they should quit their job and file a police report describing what they did.

Re:It's a ROOT CA they can sign anything (1)

joelleo (900926) | about 5 months ago | (#46438623)

Root cas can only sign stuff for their own organization, as identified within the certificate. You cannot retroactively sign a cert for https://www.dutchwhizzmandoesn... [dutchwhizz...andssl.com] if that server already has a certificate from a different organization - its existing certificate HAS to chain up to a root - otherwise clients will receive an ssl error. Once the cert is created, the only way to chain it up to a different root ca is to issue it under the new root ca or one of its subordinates, then install that _new_ cert on the server. From there, browsers will receive the new cert chained up to the new root ca. Until then you can have as many root certs as you want and none of them will actually work with the existing certificate with the sole exception of the originating root certificate and any subordinates involved in its issuance.

Re:It's a ROOT CA they can sign anything (4, Insightful)

Richard_at_work (517087) | about 5 months ago | (#46438641)

Your understanding of what is required is a little off - the root CA holder can indeed "retroactively" sign any certificate they want, and your browser would merrily accept such a signed alternative cert without raising any errors because it would never see the original cert. The very act of installing the root CA in the browser allows them to completely replace any other cert signed by any root CA and not cause errors to occur. The only opportunity they would have however to do this would be if they were proxying the traffic between you and the internet.

Re:It's a ROOT CA they can sign anything (0)

Anonymous Coward | about 5 months ago | (#46438733)

Mine wouldn't because I have Perspectives for Firefox installed, which checks digital notary services for the certificate, and also warns whenever a sites certificate or CA signature changes.

But you are right, standard out of the box browsers do nothing to be proactive about certificate verification. There is DANE (RFC6698) but I don't know of even a single browser which implements DANE. DANE is only able to provide protection when the website's DNS servers uses DNSSEC, and the DNS servers you use haven't been similarly backdoored.

There is also OCSP, but that again provides no protection from MiTM, because the OCSP can be removed from the forged certificate, and a fake OCSP server can be setup by the MiTM using the same root CA that is used to launch the MiTM attack. Commercial interception products do all of this, including providing fake DNSSEC entries.

Re:It's a ROOT CA they can sign anything (0)

Anonymous Coward | about 5 months ago | (#46438649)

It's very cute that you accuse others of not understanding this, while in fact it's you who doesn't understand this.

Re:It's a ROOT CA they can sign anything (0)

Anonymous Coward | about 5 months ago | (#46438663)

Many companies have their computers and network doing man in the middle attacks on all SSL traffic, so it's possible.

Remember the apple flaw the other week, that made it possible on all ios devices macs, Apple left out the "host name verification" step.

Not true (1)

vanion (229081) | about 5 months ago | (#46438653)

how'd you know you are connecting directly to https://www.xhamster.com/ [xhamster.com] ? they can simply alter DNS to make everything go through their proxies.

IANAL - but read this: (1)

TiggertheMad (556308) | about 5 months ago | (#46438551)

You should go read up on the Computer Fraud and Abuse Act. What they did might qualify as a violation of that act, in that they might have been intercepting information w/o knowledge or consent. Having worked with digital certs, I can say that most people, (even tech savvy ones) usually don't understand the first thing about CAs and how they work, so 'accidentally' installing a root CA all over the place sounds like a typical n00b maneuver. Hard to say what their intent was. Further, when they changed the network policy, that might qualify as evidence tampering, depending on what they did and how they did it.

Someone (either the cops or the school board) should investigate what the hell was going on.

Re:IANAL - but read this: (1)

torsmo (1301691) | about 5 months ago | (#46438603)

How is the Computer Fraud and Abuse Act relevant in England?

Stupid (0)

Anonymous Coward | about 5 months ago | (#46438565)

Now they know who you are because you are likely the only one who complained.
The safe thing would have been to post this anonymously without ever going to your school IT department.

not necessarily a problem (1)

epyT-R (613989) | about 5 months ago | (#46438573)

Just because a root CA is installed doesn't mean someone's spying on you. In order for it to be used, the service in question would have to have a cert signed by it. In order to do pervasive spying, they'd have to have every tls enabled site on the internet complicit in it. They don't. This cert is likely for their own applications/services. WPA2 enterprise mode uses 802.1x which uses certs.. That's probably what it's for. Same if they use 802.1x for wired authentication. If you're worried about sniffing, make your own tunnel.

Re:not necessarily a problem (2)

Carewolf (581105) | about 5 months ago | (#46438615)

Those uses would only require a normal CA, a root CA is only needed if you intend to spy on all SSL traffic.

First Post (0)

Anonymous Coward | about 5 months ago | (#46438581)

Network Admin probably installed a firewall / network appliance such as a Watchguard etc so they can filter adult content / web proxy servers and such. In my last job I worked in about 30 Primary Schools / Collages here in NZ and its common practice. Maybe you should use your phone and tether if your that paranoid. I think your over reacting and you shouldn't be acting all high and mighty. Your on his network with his terms, you don't have to use it. He's just doing his job and if he didn't filter HTTPS all the kids would be on porn sites all day.

As an ex-School It Admin... (5, Interesting)

fostware (551290) | about 5 months ago | (#46438611)

a) "we have not signed anything which would excuse it" - you can't. You're not able to sign enforceable legal documents.

b) "there was a root CA from the school" - it happens due to
        1) WPA-Enterprise and/or NAC relies on keys. Do you use your school credentials for wireless? If so, you require key exchange for it to verify each party.
        2) SSL monitoring systems rely on MITM to read the HOST headers. We couldn't give a rat's arse your bragging about banging Sally, however we do mind that it was to a website called HTTPS://www.breakuprevenge.com and both Sally and yourself are under legal age, it may have included a phone camera image, and it was all posted via the School Internet. Federal, State, and School pastoral care policy issues trump most whiny students objections.

c) It happens when at the start of the year. I would have twenty staff ask for different packages to be deployed in the first week of school, and your BYOD package may just happened to end up with a testing cert. Once had an antivirus package that hid all toolbars in Word and Excel - that ex-employee never applied a GPO at domain-level again.

All I'm saying is most school IT departments are asked to perform miracles of pastoral care because parents don't care and Teachers are busy trying to teach. We bare the brunt of school administration trying to enforce pastoral care not just for you, but all those in the school body
I'm sure if you had brought it to most IT departments attention in a courteous way, you might have been treated better.
Most schools have a tech-savvy student who is treated like an offsider, as well as one who has joined the Dark Side and ends up on the Watchlist. (yes, I've had "meetings" with Federal Police over a student's actions). Which one will you be?

Re:As an ex-School It Admin... (0)

Anonymous Coward | about 5 months ago | (#46438719)

however we do mind that it was to a website ...

You are excusing surveillance with searching for illegal acitivties. In a proper constitutional state you don't do that. You persue a crime *after* it happened. You don't try to avoid crime by intimidating everybody.

Re:As an ex-School It Admin... (1)

ruir (2709173) | about 5 months ago | (#46438791)

There arent technical solutions for political problems.

Re:As an ex-School It Admin... (0)

Anonymous Coward | about 5 months ago | (#46438821)

I'm a ex small college admin that did not filter traffic.
Xhamster was #1 across all metrics for dorm / wifi traffic.
Had to resist not playing with routing / bandwidth.

it's great! (0)

Anonymous Coward | about 5 months ago | (#46438675)

Finally people start doing something about our CA problem. I'd wish a court forced all system to offer alternative CAs and one could deactivate the normal ones easily.
I'd trust my school a lote more then some unknown strange business company far away, known to work with people that want to hurt my privacy.

I smell a lawsuit coming (0)

Geek Hillbilly (2975053) | about 5 months ago | (#46438683)

In Kentucky,this behavior would get that IT guy 5 years in the state Pen.AT the very least,some need to sue the school and the IT guy for the root CA.That will put a halt to this type of behavior.

More like High Risk (1)

lioc (832312) | about 5 months ago | (#46438691)

"I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very high risk of legal action if all the parents found out."

Fixed it.

The risk is (0)

Anonymous Coward | about 5 months ago | (#46438707)

It's a smoke screen when they tell you that the risk is small. The fact is that you don't know who had, has and will have access to the root key. You don't know which certificates have, and will be created from that key. Even if they destory that key, you don't know wheter it hasn't been stolen and somebody else might create certificates from it.

Intent may be fine. CA system is to blame. (4, Informative)

manu0601 (2221348) | about 5 months ago | (#46438727)

Their intent may be just fine. For instance, you want want to have an internal CA installed so that you can deploy SSL-enabled services without having to buy certificates from a commercial CA.

Of course it allows SSL traffic interception, which is likely to be illegal, but nothing proves it was done, or even planned. The the real problem here is that the CA framework allows any CA to sign any certificate.

certpatrol (5, Interesting)

manu0601 (2221348) | about 5 months ago | (#46438735)

If you fear your SSL traffic is intercepted, install a browser extension that track certificate change. Firefox has certpatrol, for instance.

Is it criminal? (0)

Anonymous Coward | about 5 months ago | (#46438737)

Installing their certificate on your machine may well be a criminal offfenc eunder the COmputer MIsues Act, RIPA and various other laws. Talk the a solictor at the local citizens' Advice Bureau, it won't cost you anything.

where are ... (1, Insightful)

cascadingstylesheet (140919) | about 5 months ago | (#46438739)

Where are all the people who say "it's their network!" when it is snooping in the workplace we are talking about?

This is a freakin school, which is actually supposed to have a watchful protector role over students. In loco parentis, you know.

And a couple of humbling observations:

  • You're kids ... honestly, nobody cares enough to snoop on you, except in the most general of policy-ish ways (porn, warez, direct plans to blow people or things up ...).
  • You're kids ... they don't have to give you Internet access at all.

UK Data Protection Act rights (2)

Bruce66423 (1678196) | about 5 months ago | (#46438751)

Read up your rights under that, especially your right to get all the data that they hold about you for £10. If that data includes the history of your web browsing, then certain consequences follow; make sure you're using a proxy even for innocent activity for a while before you submit the request. On the other hand if it doesn't and they subsequently challenge something that you have posted on line, they will be in BIG trouble for failing to reveal that they knew your browsing history. .

.

Assuming you are under 18, your parents' role in this is more significant than yours. If you are over, it gets far more interesting!

Common practice (0)

Anonymous Coward | about 5 months ago | (#46438763)

Pushing your own Root CA certificate to clients for the purpose of intranet services is not newsworthy. The reason the previous case was interesting was that the trust was then exploited for a man-in-the-middle attack when users were connecting to other sites.

Normal. (5, Informative)

ledow (319597) | about 5 months ago | (#46438789)

I work in schools.
I work in UK schools.
I work in IT in UK schools.

This is normal. Sorry, but there's nothing shocking here.

You join our domain, we get the right to push any and all security measures to your client that we deem necessary. If you don't want to allow it, don't join our domain (which also means we probably won't authorise you to use our Internet connection, etc.)

The domain will have a "Default Domain Policy" that almost certainly includes software you don't want (but we insist you have), settings you'd rather not have (but which we will enforce on you) and things like this - installation of a required domain certificate so we can check your not using OUR SCHOOL FILTER to do illegal / illicit things.

Chances are if you read your network acceptable usage policy, it states this. The alternative is you don't get network access. Because we are LEGALLY RESPONSIBLE for what is accessed through the network on our network, as well as the protection of our internal data and services.

Complain all you like. The alternative is that we block SSL site-wide. That means no Facebook at all, by the way. Or GMail. Or Hotmail. Or anything else that uses SSL by default.

We have a legal duty to monitor, record and analyse the logs of Internet traffic to ensure our child-protection policy (a legally-required policy) is followed. Additionally, it's OUR resource. If you want to use your own external 3G connection on your own time, argue for that. Chances are it will fail.

If you want to use the SCHOOL connection on SCHOOL time for NON-SCHOOL business, that's not going to happen. However if you want to use it for SCHOOL BUSINESS then you are required to allow us to apply our domain policy. If that, at any particular place, happens to include SSL certificates, monitoring software (potentially even INVISIBLE monitoring software like Securus, Ranger, etc.) then that's what you get.

Sorry, but as an IT Manager specialising in schools, and working in state, private and boarding schools from primary to further education, this is bog-standard and has happened for years. I believe even places like LGfL (a London-wide, government-backed school IT services supplier) do it.

There's a reason - we are required to protect our systems and protect ALL the children. That means everything gets summarised, logged and monitored. If we then need to dig into detailed logs, we can enable that option and do that too. Because - as in a previous school I worked for many years ago - we get things like members of staff browsing child pornography on school time. Yes, they are that stupid. And yes, they get caught. And, sorry, but our child-protection and data-protection policies take precedence over you going on your private Facebook after hours and we can't spend the time to distinguish hours, locations, staff-types, etc. for everyone.

If you don't like it, do not join your computer to a domain. If you are on the domain, it's literally our DOMAIN. Our rules. Clearly stated. That you would have agreed to.

Please, also don't act like your the first person ever that this has happened to. It's been standard practice for at least the last 15 years I've been working IT in schools in the UK.

two points (3, Informative)

Tom (822) | about 5 months ago | (#46438815)

First, a school network is not a public network and it can run any policy it wants, including intercepting and monitoring traffic. You don't have to sign anything, using the network is implicit consent to the rules it is run by. The only legal requirement in my country (so your laws may differ) is disclosure of those rules, you must be able to look them up somewhere.

Second, regarding danger. The danger is exactly equivalent of the lowest security among the machine(s) that have a copy of the school root certificate (the private key part). If any of them gets compromised and the attacker gets a copy, he can do everything the school does, including interception and manipulation of traffic. If the school rates that as "low", then it assumes that users of the network don't do anything of personal importance, like online banking.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...