Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

My School Has Tricked Pupils Into Installing a Root CA on Their Laptops

paddysteed (2380072) writes | about 7 months ago

0

paddysteed (2380072) writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's.
Screenshot.

I thought the story posted a few days ago was bad but what my school has done is install their certificate on people's own machines which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad.

We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within 5 mins, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had "fixed" it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk.

I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non technical people and provide evidence that what has been done is potentially illegal."

Link to Original Source

cancel ×

0 comments

Sorry! There are no comments related to the filter you selected.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?