Ask HN: Gather proof of MITM on college wifi

2 points by deftturtle ↗ HN
My college requires installing certificate profile for accessing wifi in some circumstances. HTTPS sites and apps that use cert pinning (banking stuff) reject the network without the cert; however, G Maps and HTTP sites work fine w/o using cert. I never installed anything, but a guy in IT who did use it confirmed that even with the cert, his banking app rejects the network (due to cert pinning). So, it sounds like the college is doing decryption of everyone's traffic, but I need advice on how to prove or dig deeper.

The campus website downplays the change as if it's related to piracy and stuff, but staff told me it had to do with FBI compliance and subpoenas. I guess the college has enough people using network to be considered an ISP by the gov. And the cert is supposedly only for authorizing students to the network so we don't need to enter passwords anymore. But if it's only for network auth, why does it break cert pinning? Or is that just a consequence of network auth, where everything breaks? That seems unlikely, but I'm fairly clueless here. Anyway, what the heck should I do? I'm somewhat familiar with Wireshark and the Charles proxy but haven't grasped using Fiddler very well. Thanks for any tips.

4 comments

[ 3.5 ms ] story [ 20.4 ms ] thread
You can, using openssl on the commandline, retrieve the certificate details for every site you suspect is MITMed.

If there is any evidence of MITM, go to the ACLU or EFF.

A lot of corporate companies have a mitm or some form of network monitoring in place. There are a ton of products out there to do this, for example Microsoft forefront TMG. I never access personal stuff on corporate internet at work for this reason.

When I was in school, there was always some acceptable use policy for accessing the internet. While it didn't prevent some people from watching porn on the network, etc, It was implied that you should only use it for educational purpose and I doubt there is much urgency to fix something that is not school related.

If I were in your shoes, The best way to get it fix is simply raise an issue to someone in IT that you can't access a certain website/app and ask them to fix it. Bonus points if you can find a website/app that you need for school.

If there is a mitm in place, I doubt you can get them to remove it. However maybe you can get them to whitelist gmail, banking sites, etc.

Inconvenience aside, I'm more concerned about the unconstitutional surveillance that's probably being performed on all students at the college. Sure, it'd be nice to check finances, but I can do personal stuff at home if I need to. If the FBI/college is monitoring stuff in violation of 4th amendment,it should be exposed to the press. But I don't want to look like an idiot if it turns out I'm entirely wrong. Is the command line OpenSSL thing the best way to go? HTTPSeverywhere has the SSL Observatory thing where you can submit certs; maybe I'll have a look there, too. Thanks for the comment!