Geekzone: technology news, blogs, forums
Topic # 191765 15-Feb-2016 21:20
One person supports this post

As an IT pro, my immediate reaction here is "you've got to be kidding me"

The trusted root certification authority store is the pinnacle of safety, having a certificate in here allows them to re-sign all other certs without raising a red flag. It allows them to man in the middle absolutely everything. It's apparently required in order to authenticate against their proxy?

Are others seeing this? Am I being too enterprise paranoid?

  Reply # 1492891 15-Feb-2016 21:43
6 people support this post

Your immediate reaction is right. This is a very poor and unnecessary solution. I'd be asking whether it's either a) incompetent or b) insidious.

  Reply # 1492895 15-Feb-2016 21:56
4 people support this post

This will be related to N4L https inspection. I'll have to try to make sense of this for at least one school soon, but not with BYOD.

This was sent out late last year:

http://www.n4l.co.nz/clarification-re-misleading-information-surrounding-n4ls-web-filtering/

If there is an alternative to this that works with N4L I'd love to hear about it.



  Reply # 1492900 15-Feb-2016 22:06

Thanks for this RedHerring.

It struck me as slapdash and lazy. The note that came with it was awful, the gist of it was press install 3 times and ignore all the flashing warnings.

  Reply # 1492905 15-Feb-2016 22:21

Is this the "Trusted root certification authorities" store? CPIT requires students to have a certificate in there in order to RDP in


Linewize

  Reply # 1492926 15-Feb-2016 23:48

Hi RedHerring,

N4L sending out the 'misleading info' statement was in response to a mailshot Linewize did to schools comparing our Internet Access Management to the N4L Cisco Scansafe solution.

If you're interested in reading our comparison you can find it here.

Linewize is a Christchurch company that develops an open source firewall and integrated cloud management services.

We're just about to cross over the 150 schools installed mark and believe our solution is far superior at managing network access in an educational environment.

If you're curious to know more then have a look at our website: http://www.linewize.com/

The following PDFs provide a good perspective on how schools use Linewize and the deep integration we do with cloud based services such as Google Apps for Education.

Pt England Case Study here.

GAFE Integration here.

We've already got 25 NZ resellers onboard and would be happy to chat if you're looking for an alternative to N4L.

Cheers Scott.

BTR

1484 posts

Uber Geek
+1 received by user: 443


  Reply # 1493190 16-Feb-2016 12:37

I've not heard good things about N4L, people constantly complaining about their content filtering and firewalls. What the school is proposing sounds dodgy.


  Reply # 1493220 16-Feb-2016 13:18
6 people support this post

If they want to do HTTPS inspection then they will request a trusted root cert, allowing them to generate and issue *.google.com and *.microsoft.com wildcard certs and MITM all the HTTPS traffic on the devices, without getting SSL warnings in browser.

Webmarshal et al all do the same thing.

I put up a fight at work when they were talking about implementing it. No one seems to understand MITM-ing all HTTPS is a majorly bad thing. The whole "I can intercept and capture your banking in plain text" seemed to get the point across.

So what they are asking for makes sense technically - if they are trying to inspect and control HTTPS traffic.

I have major technological and ethical problems with what they are doing, but at some point you can either allow it, or be "that parent".

Schools are in the tough position of being expected to provide 100% "safe" internet access to a large number and range of devices. If little Timmy ends up looking at dodgy stuff (even if through his own efforts) that is the school's fault and there will be a ****storm. HTTPS presents an easy way to bypass 99.99% of content filters.
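The check a parent or admin would want before pressing "install" on a root certificate like the one in the opening post and this reply: an added example (not code from any poster or vendor) that lists trust anchors in the host's default store that were issued recently, which is how a freshly minted inspection/proxy CA stands out among the long-lived public roots. The sample entries and their CN values are constructed; only `audit_system_store` touches the real store.

```python
import ssl
import time

def subject_cn(cert):
    # ssl's cert dict: 'subject' is a tuple of RDNs, each a tuple of (attr, value) pairs
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def recent_roots(ca_certs, now, max_age_days=365):
    """Return (CN, notBefore) for trust anchors issued within max_age_days of `now`."""
    found = []
    for cert in ca_certs:
        issued = ssl.cert_time_to_seconds(cert["notBefore"])   # "Feb 15 00:00:00 2016 GMT" -> epoch
        if now - issued < max_age_days * 86400:
            found.append((subject_cn(cert), cert["notBefore"]))
    return found

def audit_system_store(max_age_days=365):
    """Live check: CA entries in this host's default trust store that were issued recently."""
    ctx = ssl.create_default_context()
    return recent_roots(ctx.get_ca_certs(), time.time(), max_age_days)

# Constructed sample entries in the dict shape ssl.SSLContext.get_ca_certs() returns
SAMPLE = [
    {"subject": ((("commonName", "Public Root CA"),),), "notBefore": "Jun 10 00:00:00 2010 GMT"},
    {"subject": ((("commonName", "School Proxy CA"),),), "notBefore": "Feb 15 00:00:00 2016 GMT"},
]

if __name__ == "__main__":
    for cn, issued in audit_system_store():
        print(f"recently issued trust anchor: {cn} ({issued})")
```

A root that appears here and is not from a public CA is exactly the kind of entry that lets a proxy re-sign any site's certificate without a browser warning.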


  Reply # 1493259 16-Feb-2016 14:33

This topic is always very polarising, but it's good that it's being discussed as it shows that security professionals are waking up to the wave of malware and virus threats which are hidden with other legitimate HTTPS traffic.

Everyone knows that you can do some level of traffic filtering without having to install certificates on devices, that's not disputed, but times have changed, and the lines between education and corporate environments have blurred now that every kid and teacher carries a device or two and connects to the network.

In this case SSL inspection certainly isn't new, all reputable security vendors that I can think of do it the same way by having certificates installed on devices whether it's Check Point, Bluecoat, Juniper, Fortinet, Watchguard, Sonicwall, Zscaler, F5, Cisco etc, and it's common knowledge that you never inspect all traffic, things like internet banking and government services should always be exempt.

I hear some schools do a great job of informing kids about online threats and what they filter, and I'm confident that any school doing SSL inspection is doing it to protect kids and teachers from viruses and malware that really is a threat without it, as opposed to wanting to snoop on users' browsing habits.

Have seen quite a number of good articles and videos on this topic surfacing recently like this one and this one. They say that something like 60-65% of all traffic is HTTPS these days, so it's pretty obvious that you can't just keep ignoring the bulk of your traffic and hoping for the best.


BDFL - Memuneh
  Reply # 1493284 16-Feb-2016 15:03

Let's put this in another way. If it's school hardware let them do it. If it's BYOD then you have to make sure that hardware is used at school only or only for school-related things while at school.

No, I don't like it but then there's the balance mentioned before - I am not 100% sure but it's certain they aren't looking at every single packet, but using an automated process to find non-authorised use. Either this or don't have Internet at school because kids will abuse it.

  Reply # 1493285 16-Feb-2016 15:04
One person supports this post

The thing that I can't quite get my head around is - why can't we block HTTPS traffic without inspecting it?

I read somewhere that you can only get the server name from an SSL request. That should be enough for most web requests. Can't we just block HTTP and HTTPS traffic to sites that are on the filter list?


  Reply # 1493289 16-Feb-2016 15:14
One person supports this post

redherring:

The thing that I can't quite get my head around is - why can't we block HTTPS traffic without inspecting it?

I read somewhere that you can only get the server name from an SSL request. That should be enough for most web requests. Can't we just block HTTP and HTTPS traffic to sites that are on the filter list?

Yup that's right you can, and can do it even better if the webservers support SNI, but without doing it you can't filter based on the content of the site. Eg YouTube is https, but you wouldn't want to block it outright as there are things on there teachers may want to use. You also don't really want to totally allow it as there are some questionable things on there that I wouldn't want my niece seeing.

It's about separating the bad from the good.

Back when only internet banking was https it was cut and dry.

It's all about being transparent about what you are doing in your corporate policy, at least that is what I was taught when I did a Check Point course on this some years ago.


'That VDSL Cat'

  Reply # 1493300 16-Feb-2016 15:36

I'd be utterly against any MITM system for any of my traffic. Given I see the advantages to it but I somewhat have to play devil's advocate and look at the cat and mouse game the disadvantages are, forgetting the potential security risks for now.

Personally, going back to when I was in school behind filters they were to the point of silly that my login process for each day was open Firefox, dump in plugin based SSH client, open SSH tunnel and pipe traffic over that.

To give a few examples, Google Images blocked for porn, Google Translate blocked for being a proxy, Flickr/Shutterstock was even blocked - right at the time an assignment specified images had to be from Flickr/Shutterstock. After this was queried, ended up being the teacher supplying a proxy service to bypass the filters as IT was not willing to reverse the filter.

Fact is, regardless of what sort of filtering the school puts in place everyone knows of proxies.

On that basis, I look at any filtering as an absurd waste of money and time. Moving into the future with the likes of HTTP/2.0 SSL will simply be everywhere so clearly filtering does get a little more difficult. On top of proxies being well known, you also have the likes of VPN services being well known. I'm sure you don't need to be a savvy kid to work out, pay $2 a month for X service, click connect button, unrestricted. Sure okay, you could limit down ports but even then worst case an iodine based service would still pass through utterly unnoticed.

Educating kids to be responsible with their access rather than outright limiting it. The naughty bunch can have their toys taken away, rather than a blanket punishment for everyone.

Now personally, I'd say my methods were positioned in the upper most class of not worth the effort in blocking. While I made a point of bypassing any limitations, I did it from a relatively respectable position. I didn't abuse the system to do anything "wrong", I never used it to excessively make use of the connection (this was back when the Telecom schoolzone connections were 2/2 Mbit. Now that was painful on its own to even manage the simplest of tasks), I simply went past what I viewed as unrealistic limitations.

Having family members going through schooling at the same place, I'm shocked to know that now YouTube, Facebook, Tumblr etc. are open game. Even BYOD fully allowed! Amazing when I consider how limited things were years ago!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


  Reply # 1493305 16-Feb-2016 15:45
5 people support this post

Funny enough I was in the car today when the kid mentioned a form for me to fill in about bringing her iPad to school. Made no mention of any admin tools but I fully expect them to either pull an SSL CA install or a backdoor type app on it. Which I will have no part of. She can't take it to school and do what she likes, but the school is not touching the device and if the school throws a fit we can see how much of a fight they want. You only have to look overseas to see what happens when the school has admin/backdoor access to devices kids take home.

It's bad enough only iPads are allowed which creates a visual gap between the haves and the have-nots in the school yard, but also teaching kids if you want to be in the cool kids club at school you have to give up your right to private data 24/7 is very wrong. If the school sees value in kids having devices and wants control over them then either supply and control the devices or don't allow them at all.

<Quick and dirty brain dump>

Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated.

  Reply # 1493308 16-Feb-2016 15:51
One person supports this post

redherring:

The thing that I can't quite get my head around is - why can't we block HTTPS traffic without inspecting it?

I read somewhere that you can only get the server name from an SSL request. That should be enough for most web requests. Can't we just block HTTP and HTTPS traffic to sites that are on the filter list?

As has been noted, blacklisting URLs and domains does about 20% of the job. It is a horrible, thankless job trying to filter this stuff and admin students in general.

 

You are spending a significant amount of time and money trying to stop users that have a lot of motivation and free time.


Linewize

  Reply # 1493347 16-Feb-2016 16:39
5 people support this post

At Linewize we reckon there's a better way to approach these issues of student internet behaviour.

Blindly blocking stuff in schools just gives you a false sense of security that all is well, which is rarely the reality.

Instead Linewize provides complete transparency and visibility over student Internet use to allow teachers to educate digital citizenship through conversation.

An example of how this plays out is that in your BYOD or Student Internet Agreement form you add a clause that says 'While on the school network I will not use proxies or other anonymising software'.

Rather than blocking all VPNs/proxies we identify which students are using VPNs/proxies and highlight this behaviour to their immediate teacher or staff member responsible for character education.

Teachers can have an immediate and specific conversation with the student and outline their concerns and the reasons for them:

"Jonny you were just using IPVanish.com, as you know this contravenes the Internet agreement you signed. The reason we don't permit these tools is that if you were using them to torrent copyright material on the school network we could be liable for a $15,000 fine due to the 2013 Internet copyright laws. Please refrain from this behaviour or we will restrict your internet access to only education related sites."

Our experience is that this is a much more productive and constructive approach. For example at Mt Albert Grammar they were using N4L to block proxies and VPNs; when we installed Linewize we immediately recognised 20 different proxy services students were using that N4L did not block. Again a completely false sense of security. Transparency and visibility is what's needed here.

The other aspect of what we do is put control over internet access into the hands of the teacher through a simple dashboard. Teachers can limit applications and website use to just the content relevant to the lesson at hand (e.g. just Mathletics). Alternatively they could also relax default policy if it's getting in the way of the lesson (e.g. we're studying social media so allow Facebook).

The same dashboard shows teachers what their students are doing and which ones are on-task, off-task or even off-line. This gives teachers who are cautious to embrace eLearning the classroom tools needed to have a sense of confidence and competency around device use in the classroom.

Cheers Scott.
