244

My college administration is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security". If I don't install the certificate than I won't be able to use their network.

What are the ways I can protect my privacy in such a situation? Will using a VPN be enough to hide all my traffic or there are other ways?

svetaketu
  • 2,151
  • 2
  • 9
  • 5
  • 8
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/31128/discussion-on-question-by-svetaketu-my-college-is-forcing-me-to-install-their-ss). – schroeder Nov 05 '15 at 05:11
  • 5
    Again, comments aren't for chat. I have removed all comments posted since the original migration to chat. Please go to the chat and comment there for discussion. – Jeff Ferland Nov 05 '15 at 19:41
  • 2
    BTW There are also client certificates which allows a user to log in to a proxy or web service automatically without using a password, and are often confused with SSL certificates. Client certificates don't compromise privacy (except identification and authentication) for future traffic. [Apache Docs](https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#accesscontrol) – Chloe Nov 06 '15 at 21:50
  • 6
    An easy way to not compromise your computer, use the compromised network and not a lot of effort (like installing a VM): **Install an individual Browser which uses its own certificate store** (not the system store) and install the certificate only in that browser. User that browser only for work in the compromised network, not anything private or any software downloads. – Falco Nov 09 '15 at 11:43
  • 4
    If you do install their cert (e.g., in a VM), and if you use Firefox, I recommend you set [security.cert_pinning.enforcement_level](https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning) in about:config to 2 (strict). This will prevent them from bypassing public key pinning (i.e., prevent them from MITMing sites that have established a public-key pin). See [Mozilla bug 1168603](https://bugzilla.mozilla.org/show_bug.cgi?id=1168603) for explanation why. – D.W. Nov 13 '15 at 00:19
  • 7
    which college do you attend? – zetavolt Nov 14 '15 at 22:58
  • @D.W.: That's going to prevent access to those sites, since the college **is** MITM'ing all connections, including ones to those sites. – R.. GitHub STOP HELPING ICE Nov 16 '15 at 18:55
  • What it means, installing SSL certificate to the device? I know only installing SSL certificate to website. What it means by installing SSL certificates to website? – I am the Most Stupid Person Jan 11 '19 at 10:34
  • Jeez, sue them? I'm not sure. – Hellreaver Dec 06 '19 at 22:37
  • You can create a separate web browser profile that you will use only for websites requiring this untrusted MITM certificate. That's what I am doing when using a tool like mitmproxy. On Firefox, you can create a new profile with the command `firefox -p` and use it with `firefox -p profile-name`. Chromium web browser is not a good solution in this case unless you use it in a container like LXC, since it is using your system's CA certificates. – baptx Dec 25 '20 at 13:48

14 Answers14

231

Don't install their certificate on any device/OS installation which you ever want to use for private activity. Once you do, your traffic is subject to MITM attacks even if you are not using your college's network. Such an attack requires having the private key for the certificate you installed, but in practice this is quite easy because these "security products" are so badly designed, and often use either very weak key generation or use a fixed private key that's the same for all deployments and available to any of their customers. In a comment that's since been moved to chat, TOOGAM wrote:

Specific problem known about this specific vendor's certificate "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or to extract the key from the device and import it into other DPI devices"

If you don't need resources on their network, just use wifi tethering on your phone or get a dedicated 3G USB dongle or similar for use when you're on campus. Alternatively, if non-HTTP traffic is not subject to the MITM, you may be able to use a VPN without installing the certificate. In this case, just get a cheap VPN provider or VPN to your home network if you have one.

If you do need access to resources that are only available from the campus network, install another OS in a virtual machine with the MITM CA installed only in the VM, and use the browser in the VM for accessing these resources.

R.. GitHub STOP HELPING ICE
  • 7,813
  • 1
  • 23
  • 34
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/31471/discussion-on-answer-by-r-my-college-is-forcing-me-to-install-their-ssl-certif). – Rory Alsop Nov 12 '15 at 20:17
  • 1
    Is the ability for the college to monitor the communications (on devices with the certificate installed) something specific to this SSL certificate, or something that all certificate providers can do? E.g. Eduroam that is provided by many colleges? – P A N Nov 14 '15 at 18:40
  • 4
    @Winterflags: Any time you install a custom CA certificate, you're telling your browser/system to accept certificates signed by that CA as if they were signed by one of the "real" CAs that are trusted by default. Anyone with the private key for the custom CA can issue forged certificates for any site and your browser will accept them just like it would the real certificates. – R.. GitHub STOP HELPING ICE Nov 14 '15 at 23:37
  • 5
    As far as I can tell, Eduroam has nothing to do with custom CA certs but rather (as one option) uses *client certificates* as an authentication method. However if you're concerned it would be a good idea to open a new question about what Eduroam does rather than discussing it in the comments on this question. – R.. GitHub STOP HELPING ICE Nov 14 '15 at 23:38
145

A VPN is certainly a good solution, provided they don't block that, too.

The best solution for protecting your privacy, though, is probably to try your hardest to get this policy overturned. This is an absolutely abhorrent 'security' policy. It's literally a built-in man-in-the-middle attack against everyone on campus. If their firewall becomes compromised, the attacker can then intercept anything anyone on campus has sent over the Internet, including passwords, credit card numbers, etc.

It turns out that these devices are even worse than they first sounded. As TOOGAM pointed out in a comment, the people at the Tor Project found that, at least as of 2012, all of these devices used the same CA certificate! This means that anyone with access to one of these deep packet inspection devices from Cyberoam or a CA certificate exported from one of them can intercept traffic from anyone who has that root CA certificate installed. Even if this has been remedied in the past 3 years, this casts extreme doubt on the competence of the makers of this device to secure it. This is all the more reason that you should definitely not install this certificate and you should raise as much support for the removal of this device from your campus as you possibly can.

Furthermore, as has been pointed out in comments that have since been cleaned up, use of this device violates the Terms of Service of almost every website on the planet because it discloses your login credentials to a third party (the college.) This means you cannot legally abide by both this policy and the ToS of almost any website.

If this were a public college in the U.S. and they didn't remove this device immediately, for a security hole of this magnitude I would strongly consider contacting my local FBI Cyber Task Force, who should be willing to give the college a very stern talking to. They take this sort of thing very seriously and for good reason.

reirab
  • 2,683
  • 1
  • 13
  • 21
  • 13
    +1 for "if their firewall becomes compromised, the attacker can then intercept anything anyone on campus has sent over the Internet"! This college really needs to change what they are doing! – Numeri Nov 05 '15 at 14:16
  • 1
    Interesting point about the TOS violations. Their legal defense would argue that it's not disclosing the password to a third party since all the decryption and reencryption happens inside the device, as long as that particular data is not stored. The university's TOS is probably written in such a way where the end user assumes all responsibility for how they use the network, including 3rd-party TOS violations. For the record, there are other brands of SSL inspectors which do not have the vulnerability of using the same cert for all devices. – GuitarPicker Nov 05 '15 at 19:35
  • 3
    @GuitarPicker I agree that the liability for violate other TOSs would be on the user, that's why I said you can't legally abide by both the college's TOS and almost any website's TOS (which means either you violate one of them or their Internet connection is pretty much worthless to you anyway.) And, yes, I'm sure there are other manufacturers that hopefully don't use the same certificate for all of their devices. However, any of them, if compromised in any way, destroys data confidentiality for everyone in the network, regardless of manufacturer. – reirab Nov 05 '15 at 19:51
  • @BlacklightShining: you can try to get the FBI involved in anything, as to whether they'll care enough to do anything, that is a different story. – whatsisname Nov 06 '15 at 02:22
  • 17
    @whatsisname True, but the FBI special agents I've talked to in the CTF here actually take large security holes at large institutions (both public and private) rather seriously, as they (rightly, IMO) consider them to be a serious threat to national security. A lot of [APTs](https://en.wikipedia.org/wiki/Advanced_persistent_threat) use compromised domestic systems to stage their more sophisticated attacks, as these will usually be given less scrutiny by intrusion detection systems, especially if the compromised system belongs to a large, reputable organization. – reirab Nov 06 '15 at 05:52
  • 1
    Do you have a source for how this would cause you to be in breach of a third party website's TOS (e.g. a sample of a typical TOS clause)? From a legal point of view it's hard to imagine how the end user could be considered liable in this context - all they've done is use an internet connection that they have ever reason to presume is secure from such a breach. – Jon Bentley Nov 07 '15 at 14:57
  • 7
    @JonBentley: They do not "have every reason to presume is secure"; in fact, quite the opposite. They are explicitly installing a backdoor that somebody else has instructed them to install. – R.. GitHub STOP HELPING ICE Nov 08 '15 at 01:35
  • 2
    @R I disagree completely. You and I, by the fact that we are on this site, have a statistically high chance of realising that. The average user, told by his university to install some software before he can access the network, is unlikely to have even a vague understanding of the security consequences. On the contrary, the most likely response is to trust that the university know what they are doing. – Jon Bentley Nov 08 '15 at 01:45
  • 6
    @JonBentley I'd assume that the college at least made it clear that they were spying on the encrypted traffic. If they didn't make that clear, then a reasonable expectation of privacy would likely exist, which opens up a whole new can of worms for the college in terms of legal liability (at least civil and perhaps criminal.) I'll try to edit in some TOS excerpts tomorrow. For a quick example, though, StackExchange's own TOS states that the user shall indemnify StackExchange for any liability arising from the user or anyone else using their account. – reirab Nov 08 '15 at 08:11
  • 4
    @JonBentley I think that all reirab is trying to say is that many sites require you to keep your credentials safe in their TOS, and the college's requirements explicitly violate this. Whether you or the college is held responsible isn't the point; the point is that you can't follow both policies and that it will be a huge mess if your accounts get compromised because of it. – jpmc26 Nov 10 '15 at 02:18
74

Your college is providing the "network connection" service under some conditions, one of them being the ability for the college system administrators to inspect all the traffic. While it is tempting to defeat the nosiness of such sysadmins with some technical gimmick (e.g. a VPN, as was suggested in another answer), this would be an explicit attempt at defeating the "security systems" of the college network and this can land you in a huge heap of trouble. The wisest course of action would then not to do that, and instead use your own Internet (e.g. through your personal phone).

Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/31116/discussion-on-answer-by-thomas-pornin-my-college-is-forcing-me-to-install-their). – Rory Alsop Nov 04 '15 at 19:01
  • What makes it a "gimmick"? – Paul Draper Nov 06 '15 at 04:09
  • 1
    @PaulDraper "workaround" would be a synonym here. – djechlin Nov 06 '15 at 06:49
  • 7
    Unless the conditions prohibit the use of a VPN then you probably aren't breaking them. The security systems are _probably_ there so that if law enforcement want to know who is visiting a specific page or site then they can be located. If you were going over a VPN then law enforcement wouldn't end up at the University connection, but instead wherever your VPN terminates, meaning the University wouldn't have to do anything. – Matthew Steeples Nov 09 '15 at 11:44
  • @MatthewSteeples Unless the VPN provider told them the connection originated from the university. – user253751 Nov 10 '15 at 23:29
  • 1
    @immibis The VPN provider wouldn't need to though. If law enforcement goes to a VPN provider and asks who was using this IP address, then they already have the user's details because they'll have used a username and a password. They won't deflect the responsibility of identifying the person to someone else. Chances are if law enforcement are chasing you for something, being in breach of the university regulations is low down your list of worries! – Matthew Steeples Nov 11 '15 at 10:05
  • @MatthewSteeples A username is not sufficient to identify someone, in general. (It sometimes is, like this one) – user253751 Nov 11 '15 at 22:18
  • 1
    @immibis True, but I'm working on the assumption that the VPN provider is not free, so therefore knows more about you than just your username. Granted you could have used stolen card details, prepay credit card or whatever else, but I'm not approaching this from the point of view of how to get away with something, merely illustrating that the university may just be doing this to cover their own backsides – Matthew Steeples Nov 12 '15 at 22:30
62

Don't use their network for anything personal. That's the best way to protect your privacy from them.

If you don't have any choice, then use a Virtual Machine, and install the certificate on the virtual machine instead of your main machine. It may allow you to protect your privacy.

Personally, I always used a separate computer for these kind of issues. No way would I allow a company/educational institution install anything on my own equipment, unless I planned on nuking it from orbit later.

Community
  • 1
Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
  • 6
    +1, though "Don't use their network at all to the maximum extent you can avoid it" might be even better advice. – reirab Nov 04 '15 at 16:44
  • 75
    This is bad advice. Once you've installed the certificate, you're vulnerable **even when not using their network**. Most of these MITM products use the same private key everywhere, or weak key generation, meaning an attacker on any third-party network you connect to could equally be MITM'ing you using the fact that your browser trusts the malicious CA cert from your college. – R.. GitHub STOP HELPING ICE Nov 04 '15 at 17:11
  • 23
    This isn't really feasible for students who live on campus. – Michelle Nov 04 '15 at 17:13
  • 8
    Use an ssh-based VPN and connect the first time from some other network and establish a key auth. They *can't* breach that. – Joshua Nov 04 '15 at 20:00
  • 14
    +1 million for the Virtual Machine idea. Install the cert there, use it only for schoolwork, and never! do anything sensitive inside it. You might also (not instead) do the same trick for sensitive activity (like banking) - have a VM just for secure things, and only boot it up off-campus and with a VPN. – willoller Nov 04 '15 at 22:30
  • 1
    @MarkHulkalo - Under what circumstances would the VPN not protect him if he's never installed their SSL cert on his computer? – Johnny Nov 05 '15 at 00:15
  • @Johnny, at that point, I was assuming he chose to install it, but use a VPN too. – Mark Buffalo Nov 05 '15 at 00:22
  • 2
    @R.., Michelle - offending advice was removed. – Mark Buffalo Nov 05 '15 at 21:34
  • 1
    Using a VM for this is quite overkill. You can create a separate Firefox account and install the MITMing certiricate only there. I'd add a special theme in order to recognise the session easily: you do not want to log into any external remote account (or do personal stuff) with this Firefox account (but you can use the college account from there). – ysdx Nov 06 '15 at 12:31
  • 2
    I disagree that it's overkill. Even with a theme, I wouldn't want to use the wrong installation by accident. Plus it'll protect you against most web-based malware. – Mark Buffalo Nov 06 '15 at 12:35
  • 1
    @ysdx instead of just using a different browser profile and theme, I'd advise using a different browser all together for stronger differentiation and to make using the wrong one harder by accident. If you don't have a strong commitment to one browser over the other, FF instead of Chrome (or vice versa) would work. If you do, both of those browsers have multiple forks available. – Dan Is Fiddling By Firelight Nov 07 '15 at 17:06
  • @Mark: Well I was thinking about a theme like this one: https://addons.mozilla.org/fr/firefox/addon/danger/ or maybe this https://addons.mozilla.org/fr/firefox/addon/virus-warning/ – ysdx Nov 08 '15 at 22:36
45

If ssh is not filtered out, then you can use ssh to produce a SOCKS proxy running over an ssh tunnel. You need not install any software to make this work. You do not need VPN software. The following will will work on a Linux machine or a Mac (and can probably be able to be made to work on Windows):

  • Get a shell account (or a VM, but that's over the top) somewhere

  • Check you can log into it with ssh from outside your institution and accept the host key (outside the institution to ensure they aren't MTiM'ing ssh - unlikely)

  • In a terminal ssh -D 8080 -N username@host.name.here (note this will appear to hang)

  • Now use 127.0.0.1:8080 as your SOCKS proxy

Once this works, you can (optionally) use autossh in place of ssh and it will keep the tunnel up - you will probably need to install that.

Untested Windows instructions (requiring download of PuTTY) here.

The reason why this works is that your HTTPS traffic no longer flows over port 443. It flows (re-encrypted) over port 22. By assumption, they aren't intercepting the ssh protocol. And if they are, you can tell. Your traffic looks like ssh traffic (because it is ssh traffic) - though detailed traffic analysis might suggest it is ssh traffic carrying proxied web requests. It thus is not immediately identifiable as VPN traffic. Moreover, your college is likely not to block ssh traffic as it will be used by CS students.

An alternate route would be to tether to your cell phone and use a data plan.

abligh
  • 2,026
  • 11
  • 12
  • 1
    I would change the command to be `ssh -f -D 8080 -N username@host.example.com`. The `-f` will put it in the background such that the command will not appear to hang. – kasperd Nov 05 '15 at 22:38
  • "By assumption, they aren't intercepting the ssh protocol. And if they are, you can tell." - could you explain how you can tell if they are doing a MiTM on the ssh traffic? – Floris Nov 09 '15 at 21:36
  • 8
    @Floris it is entirely possible to know if they are intercepting SSH, but you have to know the fingerprint of the server's key *before* trying to connect through the compromised network. This is called "trust on first use," and SSH saves the fingerprint of the key it sees the first time it connects to a server (this can be disabled, of course). On subsequent connections, if the fingerprint changes, it prints [a very nasty notice](http://stackoverflow.com/q/20840012/1830736). – thirtythreeforty Nov 09 '15 at 22:26
  • 1
    @thirtythreeforty ah yes - I have seen that notice... Definitely makes you sit up and pay attention. So the trick is to make this connection first when there is no possibility of a MiTM attack, and then not blindly dismiss warnings. Thanks for the clarification! – Floris Nov 09 '15 at 23:04
18

Read the T&C's.

See if you are allowed to use a VPN (some protocols may be forbidden, VPNs may be too).

If you are, then use a VPN, and never connect to any site directly through their network. (Unless you are using certificate pinning, but then the connection is likely to fail because the certificate won't match). Precise routing tables can help you with that. You may not even have to install the certificate (you may need it to install the certificate to log into something when connecting to the network, though).

If you are not allowed to, well...

  • Don't install the certificate on any computer you use for personal stuff. Use a different machine or a VM. Never do anything personnal on that computer/VM.
  • Talk about this with fellow students. Raise awareness on this issue around you.
  • Take the matter to whichever authority has competence. May be ask on http://law.stackexchange.com for advice on whether you can protest against this.

Don't do anything against the T&Cs, that's the best way to be simply banned from the network, or worse.

njzk2
  • 332
  • 2
  • 9
11

Don't use the network.

That's pretty much your only option. Any attempt at circumventing their "security" measures would most likely be considered "unauthorized access" under the CFAA (assuming US jurisdiction) and could result in many many years of prison time.

You could try taking them to court, but your chances are pretty slim. Public and private institutions have been doing this sort of network monitoring and interception for many years without running afoul of the law.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • I don't really think you will go to jail for using VPN or SSH tunnel in the US. In some other jurisdictions (e.g. UAE), maybe. – ximaera May 28 '19 at 10:15
10

is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security".

Malware is sent over HTTPS too, so it probably is really their intention to improve the security by analyzing encrypted traffic for malware. If they just want to block access to some sites they could probably do it without SSL interception.

SSL interception is very common in companies for exact the same reason, i.e. to protect the company against malware.

Will using a VPN be enough to hide all my traffic or there are other ways?

That depends on their network configuration. If they are smart enough the will block the usage of VPN etc. And I would imagine that they explicitly forbid bypassing the firewall using such technologies, because this means bypassing the protection and making the network less secure. Thus expect to loose the network connection if you use a VPN.

If I don't install the certificate than I won't be able to use their network.

If you own the network there are enough ways to attack the computer or invade the privacy of the users, even without the use of SSL interception. If you don't trust them don't use their network, no matter if they use SSL interception or not.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 1
    Not only is malware sent over HTTPS, some of it will use SSL to phone home. – Iszi Nov 04 '15 at 17:48
  • 3
    Unless the university is also providing the computers, comparing this to what a company does to their own equipment is an apples to oranges comparison - unless you have examples of a company installing a cert on a personal computer? – user2813274 Nov 04 '15 at 23:05
  • 6
    I think it's more likely that they are using content filters to stop "forbidden" content like pirated movies, music and software than stopping malware. If they wanted to stop malware, they could just offer free anti-virus that will help protect users even when they are not on the college network. – Johnny Nov 05 '15 at 00:34
  • 1
    @user2813274 Chances are the university does provide computers, but *also* allows students to use their personal devices (as a "bonus feature" that it's not necessary for them to provide). In this case, if the asker does not want the university network's policies to apply to his/her personal device, he/she should simply not connect his/her personal device to the university network, and use the provided computers instead. – user253751 Nov 05 '15 at 04:02
  • @Johnny: filtering which hosts can be accessed can often already be done without SSL interception. And the is a huge difference between offering a free anti-virus and making sure that everybody is using it. Apart from that lots of today's anti-virus come with their own SSL interception. – Steffen Ullrich Nov 05 '15 at 05:24
  • "and making the network less secure" -- less secure for the person using the VPN, that is. Everyone else is about equally at risk regardless of whether some are using VPNs or not, since people are perfectly free to get infected at home or in a cafe, then attach their compromised device to the network. – Steve Jessop Nov 06 '15 at 19:55
5

How would they be able to verify whether or not you had/had not installed their SSL certificate? Are they also running software on your local machine? Otherwise I would think the adverse effects would just be you having to deal with a lot of certificate errors on your end.

What I'd do if I were you is either dual-boot or virtualize. Have your unsafe OS where you install all their "security tools" and certificates and (and don't use anything you don't want someone to see), and then when you want privacy, move back over to your secure OS. If you live on campus and will pretty much always be using their network, then just have your secure OS use a VPN by default, which should skirt their requirements. There are ways they can notice that, but you can always tell them you have a job or something and need it for work, and they might believe you and leave you alone.

Alternatively I'd say get an cellular hotspot. But I know that when I was in college I couldn't afford the kind of data plan that would need.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Justin Beale
  • 79
  • 1
  • 6
    If it works the same way as the bluecoat monitoring system my employer uses; without their cert installed you won't be able to access any HTTPS sites that aren't white listed. It's been long enough since the last time I had to load a new cert that I don't remember if the failure mode was BC blocking the outbound request, or intercepting the handshake MITMing it and returning a result protected by the BC cert instead of the sites normal cert and triggering the invalid cert error in the browser. – Dan Is Fiddling By Firelight Nov 04 '15 at 16:57
  • 1
    " the adverse effects would just be you having to deal with a lot of certificate errors on your end." - well yeah, you'd run into a certificate error for *every single website*, and bypassing the certificate errors has the same effect as installing the certificate. – user253751 Nov 05 '15 at 00:47
  • 1
    Cert errors are the minimum hassle. If they configure the equipment to block all non-compliant SSL, then no SSL sites will work. If they go even further and require all web traffic to proxy via SSL, then potentially all web traffic could be blocked. Basically, if you want to use their gateway, you're going to have to follow their rules. – GuitarPicker Nov 05 '15 at 19:40
3

Proposed solution: Use a virtual machine with the Certificate installed when you want to use their network. This way it will be very clear to you when you are using their network and when you are not. You can also discard the VM when you no longer need to use their network.

sixtyfootersdude
  • 530
  • 3
  • 11
  • 1
    This doesn't protect him/her from having his e-mail password sniffed, or his bank details, or his private conversations, or, or, or... – J.J Nov 04 '15 at 20:23
  • 1
    @J.J - That is true, however it prevents him from accidentally accessing his email/bank/privateInfo while connected to their network. It is a very clear UX trigger that will remind the user not to access private data. – sixtyfootersdude Nov 05 '15 at 19:45
2

Do not bypass the firewall. Some other answers have already covered the technical options, but this is inadvisable - all of the filtering products I have seen will either block bypass, or allow it but notify an administrator, which will get you in to trouble. It may seem like a smart hack to do something that you aren't allowed to do, but the authorities will stomp on you - either by banning you from the network, which will make your studies difficult, or expelling you from the college. Either way, the potential impact on your long term life isn't worth the short term gain of having an unfiltered internet connection at college.

The only real technical option is to use your own internet connection via a 3G mobile or similar technology. You could install a local proxy, and route your HTTPS connections over the 3G link, and everything else over the college network.

SSL interception by internet filters in education institutions is becoming a widespread practice. If you want to take a stand against this, investigate your legal options. In many jurisdictions, interception of private communications without the consent of both parties is a violation of wiretap law. Even if the argument holds that you wilfully consented to the interception by installing the SSL certificate, it is certainly the case that the remote web site did not. As far as I know, no student has ever challenged SSL interception on this basis, but someone has to be the first. I was once told by senior staff at a filtering company that if SSL interception is illegal, it's not their problem - it's their customer who is breaking the law - and they have to offer it as an option or else they will lose sales.

The security on these internet filters/firewalls is often appallingly bad:

  • Some use the same SSL certificate for all of their customers. Trivial to extract with admin or physical access. If one firewall is compromised, every firewall is.

  • Use of old software with known security vulnerabilities. I know of one commercial provider with a current product line based on software released in 2004. If you can get user access, root access is trivial.

  • Insecure remote access. Support teams typically use the same installation and remote maintenance password for all customers. An attacker who knows that password can remotely access any customer system.

  • There is a "white list" of sites that SSL interception is not supposed to be done on (such as major banks). However, if you have access to the system it is trivial to modify the software to ignore or drop the white list.

  • I know of at least one case where an external attacker managed to gain access to the development server holding the source code for a major firewall product. The lead developer told me, "we have no idea how far they got in the internal network, or what they did once they were in."

The take home message is that these devices are quite vulnerable to a determined hacker, and once access is gained, they could trivially intercept every password of every SSL connection of hundreds of thousands of users. I'm surprised that we haven't heard anything yet about this kind of attack being carried out, but perhaps it already has and the hackers are too busy emptying bank accounts to brag about it. Public knowledge of such an attack would be hugely damaging for any firewall/filter supplier, and they would do everything they could to cover it up.

Update Dec 2015: Backdoors found in Juniper firewall, present since 2012.

bain
  • 231
  • 1
  • 5
  • "The lead developer told me, "we have no idea how far they got in the internal network, or what they did once they were in."" <- well yeah, presumably network security is not their job. – user253751 Nov 10 '15 at 23:32
  • @immibis _"We"_ as in _"the company"_, not _"I personally"_ – bain Nov 11 '15 at 12:29
1

You can use their certificate, and use a VPN on top of that.

You can create a custom routing table, routing everything but the internal network traffic through the VPN. This way they can only decrypt the connections between you and the systems on the college network. Everything else will be routed via your VPN connection, and will be safe.

But using a VPN will make all your traffic be directed for a single server (your VPN provider), and will surely look very suspicious on the logs. If your college does not allow VPN connections, it's best not use one, or use it only for specific tasks (like email checking, for example). Using FoxyProxy on Firefox can help you with that.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
1

I believe you can safely use a Chrome OS device, with a dedicated "school" Google account that you use solely for access to the school network. Switching to a different account (e.g. your personal account) will no longer use the school's certificate or any of that user's settings, and Chrome OS is designed to securely isolate accounts.

This help article (written for domain admins, not users) mentions that this is possible, and also notes that it only applies while the domain user is logged in.

dimo414
  • 231
  • 1
  • 8
0

I looked for a way to use Tor over HTTP (without the proxy CONNECT command) when I first read your question but older answers all said it was currently impossible (I only found one proposal from 2013 that never got anywhere). Now I just stumbled across this, not sure it's what you need but it totally looks like it:

https://trac.torproject.org/projects/tor/wiki/doc/meek

meek is a pluggable transport that uses HTTP for carrying bytes and TLS for obfuscation

Luc
  • 31,973
  • 8
  • 71
  • 135