
Ask HN: College hijacking all SSL certificates? - libeclipse
So I'm in college right now, and I noticed on my phone while connected to the college WiFi that all sites with SSL were failing to load because of a certificate error. When opening the certificate information, every single site had the same cert: issued by sw-5400-bingle

Same on the computers, only it has a green padlock here.

I know why it's possible and why it's red on phone and green on computers, but what I don't know is what the implications are. Can the college view confidential information? Can they change information in transit? At what point in the network is the hijack happening?

Is this legal/ethical?
======
drakenot
If it is on machines that the university controls, they can install a root
certificate of their own and then MITM the encrypted web traffic.

I've seen this a few times at large companies. All work-provided machines will
have the company's root cert installed and this allows them to intercept and
monitor all the traffic.

I'm not a lawyer but I assume that this is legal. The company is monitoring
their own network and their own machines. The employees may have even signed
some document during their on-boarding which further stated that the company
is allowed to monitor any activity on their own equipment.

I consider this an ethically grey area. It starts to become _unethical_ in my
mind if the users of the network are not explicitly told in plain language
that all of their web traffic will be monitored.
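
Added example, not part of any comment in this thread: on a machine where the interception root is installed the padlock stays green, so one way to notice it is to compare each site's certificate issuer with a baseline recorded on a trusted network. The CA names and hostnames below are constructed sample data; `sw-5400-bingle` is the issuer quoted in the original post.

```python
import socket
import ssl
from collections import Counter


def issuer_cn(cert):
    """Issuer commonName from a dict shaped like SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def fetch_issuer(host, port=443, timeout=5):
    """Live check: verified handshake against this machine's trust store.
    Succeeds silently when an interception root is installed (green padlock);
    raises ssl.SSLCertVerificationError when it is not (the phone case)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_cn(tls.getpeercert())


def changed_issuers(baseline, observed):
    """Hosts whose issuer differs from the baseline taken on a trusted network."""
    return {h: cn for h, cn in observed.items()
            if h in baseline and cn != baseline[h]}


def interception_issuer(baseline, observed, min_hosts=3):
    """Return the one issuer that replaced the baseline issuer on at least
    min_hosts hosts, or None. A single CA rotation changes one host, not all."""
    counts = Counter(changed_issuers(baseline, observed).values())
    if not counts:
        return None
    cn, n = counts.most_common(1)[0]
    return cn if n >= min_hosts else None


# Constructed sample data: CA names are made up; the campus issuer is the one
# quoted in the original post.
BASELINE = {"example.com": "Constructed CA A", "example.org": "Constructed CA B",
            "example.net": "Constructed CA A"}
ON_CAMPUS = {host: "sw-5400-bingle" for host in BASELINE}

if __name__ == "__main__":
    print(interception_issuer(BASELINE, ON_CAMPUS))
```

To use it live, build both dictionaries with `fetch_issuer` for the same hosts, once on a trusted connection and once on the network being checked.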

------
jenkstom
They can view and change information in transit, yes. Don't log in to
_anything_ on their network because they see (and possibly log) it all. The
workaround would be some sort of VPN, but my guess is that they've done their
best to prevent that.

I would discuss it with administration at your school. Get them to give you an
answer "in writing" about why or even if they do it. Then take that to some
professors. Maybe you could find some that would be offended by this whole
thing, and maybe they could do something about it.

Alternatively, take it to the student newspaper. If that falls through you
could try other news outlets. That could be a big win, or it could just go nowhere.
Hard to say.

But I would definitely let people know about it. There are people exposing
information that they probably don't want to. Not only are there privacy
concerns, but there could be concerns such as HIPAA, credit card security and
possible political and safety issues for students communicating with friends
or family in other countries.

------
jneumann004
If you are at a state school, you can submit a FOIA for information on the
project. With a FOIA request you should be able to get the RFP and any other
pertaining documents for the networking at your school. You could probably get
other relevant information with a little bit of research, but I'm not sure
what you would look for without a little bit of research.

~~~
libeclipse
RFP?

~~~
jneumann004
Request for Proposal

------
brudgers
My default assumption for public WiFi is that someone is listening. Since I've
got a GSM access point in my pocket, I always tether that instead -- sure it
can be spoofed and my carrier can behave badly, but spoofing is less likely
and my carrier could hit me with a drone strike anyway. Anyway, using my phone
is easier because configuration is consistent, the price is the latency of
establishing a new connection.

In regard to a university network, there are lots of smart people who could
have black or grey hacked the system. Or the university could just be
exercising their position of power.

In answer to the larger question, yes, a Man in the Middle [MTM] attack on
SSL/TLS allows eavesdropping.

Good luck.

~~~
libeclipse
I'm using Tor on my phone, and it seems to have restored order, but since
they're technically still intercepting traffic, could they MITM the Tor
connection?

