
Ask HN: Gather proof of MITM on college wifi - deftturtle
My college requires installing a certificate profile for accessing wifi in some circumstances.
HTTPS sites and apps that use cert pinning (banking stuff) reject the network without the cert; however, G Maps and HTTP sites work fine w/o using the cert. I never installed anything, but a guy in IT who did use it confirmed that even with the cert, his banking app rejects the network (due to cert pinning). So, it sounds like the college is doing decryption of everyone's traffic, but I need advice on how to prove or dig deeper.

The campus website downplays the change as if it's related to piracy and stuff, but staff told me it had to do with FBI compliance and subpoenas. I guess the college has enough people using the network to be considered an ISP by the gov. And the cert is supposedly only for authorizing students to the network so we don't need to enter passwords anymore. But if it's only for network auth, why does it break cert pinning? Or is that just a consequence of network auth, where everything breaks? That seems unlikely, but I'm fairly clueless here. Anyway, what the heck should I do? I'm somewhat familiar with Wireshark and the Charles proxy but haven't grasped using Fiddler very well. Thanks for any tips.
======
tonyle
A lot of corporate companies have a MITM or some form of network monitoring in
place. There are a ton of products out there to do this, for example Microsoft
Forefront TMG. I never access personal stuff on corporate internet at work for
this reason.

When I was in school, there was always some acceptable use policy for
accessing the internet. While it didn't prevent some people from watching porn
on the network, etc., it was implied that you should only use it for
educational purposes and I doubt there is much urgency to fix something that is
not school related.

If I were in your shoes, the best way to get it fixed is to simply raise an issue
to someone in IT that you can't access a certain website/app and ask them to
fix it. Bonus points if you can find a website/app that you need for school.

If there is a MITM in place, I doubt you can get them to remove it. However,
maybe you can get them to whitelist Gmail, banking sites, etc.

~~~
deftturtle
Inconvenience aside, I'm more concerned about the unconstitutional
surveillance that's probably being performed on all students at the college.
Sure, it'd be nice to check finances, but I can do personal stuff at home if I
need to. If the FBI/college is monitoring stuff in violation of the 4th
Amendment, it should be exposed to the press. But I don't want to look like an
idiot if it turns out I'm entirely wrong. Is the command line OpenSSL thing
the best way to go? HTTPS Everywhere has the SSL Observatory thing where you
can submit certs; maybe I'll have a look there, too. Thanks for the comment!

------
mschuster91
You can, using openssl on the command line, retrieve the certificate details
for every site you suspect is MITMed.

If there is any evidence of MITM, go to the ACLU or EFF.

~~~
deftturtle
Thanks! I'll give it a try
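
Added example, not part of the thread: one way to apply the command-line openssl suggestion above is to save the leaf certificate a site presents on the campus network and compare it with a copy for the same host saved from a network you trust. The function names, file names and verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Host and file names are placeholders.

# Save the leaf certificate exactly as the current network presents it.
# No validation is done here: the goal is to record what was served.
# usage: fetch_cert host [port] > host.network.pem
fetch_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate file (hex with colons).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Issuer distinguished name of a PEM certificate file.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null | sed 's/^issuer= *//'
}

# Compare the cert seen on the suspect network with a reference copy for the
# same host taken from a trusted network.
# usage: compare_certs campus.pem reference.pem
compare_certs() {
  cc_a=$(cert_fingerprint "$1")
  cc_b=$(cert_fingerprint "$2")
  if [ -z "$cc_a" ] || [ -z "$cc_b" ]; then
    echo "ERROR"                        # a file was missing or not a certificate
    return 2
  fi
  if [ "$cc_a" = "$cc_b" ]; then
    echo "MATCH"                        # same certificate on both networks
  elif [ "$(cert_issuer "$1")" = "$(cert_issuer "$2")" ]; then
    echo "DIFFERENT_CERT_SAME_ISSUER"   # normal with CDNs and renewals
  else
    echo "DIFFERENT_ISSUER"             # record issuer, time and network
  fi
}

# Typical use (needs network access, so left commented out):
#   fetch_cert example.org > example.org.campus.pem   # on campus wifi
#   fetch_cert example.org > example.org.home.pem     # on a trusted network
#   compare_certs example.org.campus.pem example.org.home.pem
#   cert_issuer example.org.campus.pem
```

A different fingerprint alone is weak evidence, since large sites serve several certificates; what is worth recording is unrelated sites all showing the same unfamiliar issuer on one network and their usual issuers on another.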

