It doesn't matter whether you control the user environment to covertly install the MITM certificate. You simply notify your network users this is happening with instructions on how to install the certificate.
Either the user installs it or not, it's their choice.
I am in no way advocating this abhorrent system of 'security'. Simply noting that it is obviously done in the workplace, and in many workplaces, and that it can also be done here under 'security' pretences.
> It doesn't matter whether you control the user environment to covertly install the MITM certificate. You simply notify your network users this is happening with instructions on how to install the certificate.
Respectfully, I disagree. This is certainly possible, but from an operational perspective this would be a nightmare. Even setting aside the likely backlash that would follow in response to such a sweeping policy change, university networks largely consist of diverse, user-managed devices, and supporting a transition through such a change would have a non-trivial cost.
For what it's worth, at my university, UNC Chapel Hill, there are two networks, one of which requires you to install a custom root certificate, and is the network that the university prefers you connect to. For devices on which this is not possible, there is another network which only requires that you register your device's MAC address to your university ID for access.
Regardless of which option you choose, you are required to install another program (unless the OUI of your MAC indicates that it is a device other than a computer) which scans your computer for malware and any software which the university does not allow you to have, such as torrenting applications, and will not allow you to connect to the network until after your machine is cleared. This program must be running the entire time you are connected to the network or you will be disconnected.
As a student who works as tech support in the dorms, it certainly is a nightmare!
Oy. Students at your university certainly have my sympathy.
I've always been leery of the MITM cert, not only from the users' perspective, but also from that of the organization. If a rogue administrator used the cert to set up a "real" MITM for a local bank's site, I think the school would be on the hook for that. That's just one example; one could imagine other variations on that theme. Whereas, if the school simply acted as a normal ISP, that whole class of vulnerabilities simply doesn't apply.
We are, of course, talking in only hypotheticals. Unfortunately, this is a trend that is becoming more popular in the private business sector on their networks. I cannot foresee an indicator that would prevent this trend crossing over to universities.
Individuals at their workplace also have user-managed devices, and they also are 'outraged'.