Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersSchool wants to install self signed root CA on kids devices
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6
Batman
Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted
Lifetime subscriber

  #1493666 17-Feb-2016 09:12
Send private message

roobarb:

 

joker97: can you explain why this is a bad thing to install?

 

Browsers show a little padlock to show that a site is trusted and SSL is in use, this in turn allows you to trust doing any banking on the internet because you know that it is truly the bank acting as the server and you have a secure connection preventing eavesdropping by a man in the middle.

 

Being a root CA means you trust it won't sign dodgy certificates for sites that are not who they claim to be, at the very least, that they own the domain name for which an SSL certificate has been signed.

 

SSL inspection by a man in the middle completely removes this trust, and your trust now has to transfer to the filter and who ever is managing the CA and signing these effectively bogus certificates.

 

So if you now go to your bank while on the school network you wont see a certificate signed by Verisign/Thawte etc, you will see it signed by the school, and all your communications with the bank that you thought were confidential are in the clear within the filter system.

 

So you could say, that's okay, I won't do my banking at school, ( will the teachers remember that ? ), there are other scenarios regarding the CA getting compromised and agents other than the school signing certificates.

 

Sony and Lenovo were hauled over the coals for doing exactly this, and in some cases creating signed SSL certificates without even validating the original.

 

 

Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happens when I browse on my RDP or when I am using work computer?



roobarb
705 posts

Ultimate Geek
+1 received by user: 658

Trusted

  #1493671 17-Feb-2016 09:21
Send private message

joker97: Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happens when I browse on my RDP or when I am using work computer?

 

If you have installed a root CA on your own computer, then your browsers will trust any SSL certificate signed specifically by that CA, or where the CA is at the root of a chain. That CA will be ignored for SSL certificates signed by anybody else.

 

So the risk requires that the CA is compromised and used to maliciously sign rogue certificates and your computer has been tricked by DNS or network routing to go to a different site, both are technically met by the school filtering.

 

 

 

 

insane
3324 posts

Uber Geek
+1 received by user: 1006

ID Verified
Trusted
2degrees
Subscriber

  #1493692 17-Feb-2016 10:02
Send private message

roobarb:

joker97: Pardon me for asking - are MY browsers on my computer now using that certificate to assume everything is ok, or does this happens when I browse on my RDP or when I am using work computer?


If you have installed a root CA on your own computer, then your browsers will trust any SSL certificate signed specifically by that CA, or where the CA is at the root of a chain. That CA will be ignored for SSL certificates signed by anybody else.


So the risk requires that the CA is compromised and used to maliciously sign rogue certificates and your computer has been tricked by DNS or network routing to go to a different site, both are technically met by the school filtering.


 


 



Only IF someone configuring it decided to inspect categories which they are explicitly advised not to. Then on top of that they would have to partake in some devious action all while being logged at every step.

Schools already use other teacher dashboard tools like Hapara that allow teachers to even view what's on their kids screen.

this whole installing root CAs is being blown way out of proportion, this will be comon practice soon and we'll move onto the next contentious issue :)



UHD

UHD
655 posts

Ultimate Geek
+1 received by user: 298
Inactive user


  #1493719 17-Feb-2016 10:08
Send private message

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

roobarb
705 posts

Ultimate Geek
+1 received by user: 658

Trusted

  #1493730 17-Feb-2016 10:21
Send private message

insane: this whole installing root CAs is being blown way out of proportion, this will be comon practice soon and we'll move onto the next contentious issue :)

 

I hope the opposite happens, where schemes like Let's Encrypt remove the requirement for root CA as long as you own the domain name you claim you are from. Signing your own certificate as if it came from *.google.com should be treated as the deliberate deception that it is.

 

 

wsnz
654 posts

Ultimate Geek
+1 received by user: 204


  #1493855 17-Feb-2016 12:13
Send private message

roobarb:

 

That's just all or nothing. Alternatively how about school determines curriculum and list of sites to support it and allow them using DNS. Anything else is ex-curricula.

 

That can be done at the school WiFi network level, no CAs required.

 

 

 

 

 

Unfortunately, it can be impractical - another layer of management and general administration is required. There are also some fantastic resources that students often find themselves, and searching the internet for resources is another skill we should also be encouraging.

HP

 
 
 
 

Shop now for HP laptops and other devices (affiliate link).
wsnz
654 posts

Ultimate Geek
+1 received by user: 204


  #1493917 17-Feb-2016 12:18
Send private message

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

 

 

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.

PhantomNVD
2619 posts

Uber Geek
+1 received by user: 759
Inactive user


  #1494061 17-Feb-2016 14:53
Send private message

But really, this also needs to be managed in a sliding scale... How many 5 year olds can be taught to avoid spelling mistakes that may end them on a "pron" "prawn" "praun" site???

Do you really expect an 8 year old to realise the consequences of downloading 'those' pictures at school😱

All good when you hit 14+ but not applicable at 5-9!

insane
3324 posts

Uber Geek
+1 received by user: 1006

ID Verified
Trusted
2degrees
Subscriber

  #1494098 17-Feb-2016 15:26
Send private message

wsnz:

 

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

 

 

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.

 

 

Yeah agree with you that is the best approach to teach kids what to not look at in the first place, but this still doesn't take care of the very real threat that is being overlooked. How do you effectively protect users (adults or kids) against all those instances of malware and viruses which are embedded in compromised websites or applications that may be OK for corporate or educational use and not blocked through simple domain name based filtering?

 

Don't get me wrong, I'm all down with this digital citizenship,  but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat laden traffic.

 

I do believe that talking openly about this is a great start!

 

 

 

 

 

 

 

 

roobarb
705 posts

Ultimate Geek
+1 received by user: 658

Trusted

  #1494124 17-Feb-2016 16:12
Send private message

insane: Don't get me wrong, I'm all down with this digital citizenship,  but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat laden traffic.

 

There is no issue at all to school owned hardware being used, and it is fully understood that you have no expectation of privacy when using school equipment. You can do what you like with root CA on those devices. If they are commodity devices and they get compromised then a factory reset or restore from known image will get you going in no time.

 

The issue I see, is due to cost, the school wants parents to buy the devices. If you do bring your own device and install whatever school tells you to install then you should treat the device in the same manner and have no expectation of privacy on it, and then not trust using the device for your own personal purposes.

 

 

 

 

Beccara
1473 posts

Uber Geek
+1 received by user: 517

ID Verified

  #1494153 17-Feb-2016 16:40
Send private message

Interesting events since i posted, Said child is now upset and unhappy as she's the only one in the glass without an ipad and the teacher is excluding her from things kids are doing because of it :/ Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

 

edit:// Teacher was getting kids to google things and type them down for her to see. Our child was given an dictionary and a list of words to look up and write down their meaning on. Not strictly within the scope of this topic but a fear of mine  before this was how the teacher would integrate tech into their teaching and the answer right now is badly




Most problems are the result of previous solutions...

All comment's I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 

 
 
 
 

Shop now for Dell laptops and other devices (affiliate link).
roobarb
705 posts

Ultimate Geek
+1 received by user: 658

Trusted

  #1494182 17-Feb-2016 17:10
Send private message

Beccara:

 

Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

I can understand the school's problem, non technical staff can't afford to spend all their time sorting out individual connectivity problems. So much for a free education. I'm sure the school will still ask for "donations" and "contributions". 

UHD

UHD
655 posts

Ultimate Geek
+1 received by user: 298
Inactive user


  #1494195 17-Feb-2016 18:09
Send private message

insane:

 

wsnz:

 

UHD:

 

I don't think removing the encryption on communications in order to monitor children's activity is teaching anyone to be or being a responsible digital citizen. I know if this was asked of me I would switch my child exclusively to 4G and make my child aware of the issues that surround a mandatory backdoor of private communications demanded by those in authority.

 

 

 

If the issue is objectionable material on students' devices then that can and should be dealt with on a case by case basis by parents when advised by the schools.

 

 

 

 

I agree.

 

 

 

IMO the best option in most cases, is to deal with problem at layer 8. Technological solutions aren't always the best, and in the long term students need to understand what is acceptable behaviour and what the consequences can be if they do not.

 

 

Yeah agree with you that is the best approach to teach kids what to not look at in the first place, but this still doesn't take care of the very real threat that is being overlooked. How do you effectively protect users (adults or kids) against all those instances of malware and viruses which are embedded in compromised websites or applications that may be OK for corporate or educational use and not blocked through simple domain name based filtering?

 

Don't get me wrong, I'm all down with this digital citizenship,  but my background has taught me that you can't just ignore threats and hope for the best, this costs businesses loads of money each year, opens schools up to nasty things on their networks, and while I understand the argument to not snoop on users private traffic, I'm yet to see someone here offer up an alternative solution that actually protects users against online threats without decrypting potentially threat laden traffic.

 

I do believe that talking openly about this is a great start!

 

 

 

 

 

 

 

 

 

 

 

 

That very real threat is the reason I adblock everything and have a clear conscience. No one has explained to me an alternative to the very real threat of malware-laden advertising being delivered via third party advertising networks and who will pay for the very real damage it can cause. As a side note: a subscription to the websites I visit on a regular basis would bankrupt even a moderately successful New Zealander so I can't fathom that being a solution either but that is a little OT.

 

I will say that the issue is not something that has a simple solution but it is certain that removing encryption is not even a small part of that solution and never should be. An abuse of power like that will certainly be taken advantage of and I would rather the risk of a thousand malware infected networks than a rouge systems administrator snooping on my or anyone else's children's communications with malicious intent.

asjohnstone

76 posts

Master Geek
+1 received by user: 27


  #1494254 17-Feb-2016 20:10
Send private message

I'd actually like N4L to speak about how and where this data is stored *after* it is decrypted. 

 

Do they have access to it, or is it the school ? How is this audited?

 

How long is the data retained for for? How is it securely deleted.

 

Also how do I know what sites you are inspecting ? How can I verify it what you tell me is true?

 

@timslim

deadlyllama
1283 posts

Uber Geek
+1 received by user: 476

Trusted

  #1494638 18-Feb-2016 09:20
Send private message

Beccara:

 

Interesting events since i posted, Said child is now upset and unhappy as she's the only one in the glass without an ipad and the teacher is excluding her from things kids are doing because of it :/ Not a happy parent here as I'm now in effect forced to buy an ipad 4 or ipad air/2 as these are the devices the school allows (no android)

 

 

 

edit:// Teacher was getting kids to google things and type them down for her to see. Our child was given an dictionary and a list of words to look up and write down their meaning on. Not strictly within the scope of this topic but a fear of mine  before this was how the teacher would integrate tech into their teaching and the answer right now is badly

 

 

That's shocking.  I've got friends with kids at a local decile 10 school, but said friends are not well off at all.  No funding for the school to buy devices, so that's $300/kid minimum for a chromebook, thanks...  worse if it was an iPad school.

 


What do you do when you move and shift schools and go from a school with one set of BYOD restrictions to a school with an incompatible set of restrictions?  Buy a new set of devices?

 

<politics>Still, at least we got our tax cuts, right? It's not as if our kids need an education or sick people need hospitals...</politics>

1 | 2 | 3 | 4 | 5 | 6
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright