How does having a custom root certificate installed from school or work cause one to be monitored?

I was reading an article which said that if you install a custom root cert from a third party, then they can decipher all communication between you and others.

I have no idea what you were reading (citations would be helpful). But you are right in that it is not sufficient to just have a custom root CA certificate installed as trusted - the school/work also has to be an active man in the middle of the traffic and use this CA certificate for SSL interception.

So either by installing malware on the computer or monitoring internet traffic.

It is not only malware installed on the computer that can monitor the traffic. It is actually common for trusted programs like antivirus or parental control software to do this.

And when you are directly inside the company (or school) network, the path to the internet usually goes through the company's firewalls and proxies anyway. Even when connecting remotely with a VPN or other access software, the traffic is routed through and inspected by company-controlled firewalls/proxies, either in the company itself or, more often, somewhere in the cloud.


If you use https, for example to buy stuff from Amazon, Amazon will send you a certificate to prove it’s them, and that works because nobody other than Amazon can get an “Amazon” certificate from one of the companies whose root certificates your device trusts.

But if you let me install a root certificate on your device that I created, then I can create an “Amazon” certificate signed by this root certificate, and since your computer installed my root certificate, it would trust this certificate. With a little bit of hacking I can redirect all requests intended for Amazon to my site, and because of the root certificate on your device, your computer would trust it. Without the root certificate your computer would refuse to touch the fake Amazon site.

And of course that applies to any website. The root certificate makes your computer trust any site I redirect you to.
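The two answers above make the same point from two sides: a custom root only matters once someone in the path uses it to mint certificates for other people's sites, and a device that trusts that root will accept such a certificate for any hostname. The script below is an added example, not code from either answer. It uses only the openssl command-line tool to build a throwaway "school/work" root, issue a certificate for www.example.com with it (standing in for the "Amazon" certificate in the answer), and show that the certificate verifies only when that root is in the trust store. It also shows the check a client can make to notice the substitution: compare the issuer of the certificate it receives with the public CA it expects. The CA name "Example Corp Interception Root", the unrelated root "Unrelated Public Root" and all file paths are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original answers). Requires the openssl CLI.
# Builds a throwaway interception PKI in DIR:
#   DIR/root.crt        the custom root an organisation asks you to install
#   DIR/other_root.crt  an unrelated root, standing in for the public CAs a
#                       device already trusts
#   DIR/leaf.crt        a www.example.com certificate issued by root.crt, i.e.
#                       what an intercepting proxy mints on the fly per site
make_interception_pki() {
    dir="$1"
    mkdir -p "$dir"

    # Minimal req configs so the run does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Corp Interception Root
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    sed 's/Example Corp Interception Root/Unrelated Public Root/' "$dir/ca.cnf" > "$dir/other.cnf"
    cat > "$dir/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = www.example.com
EOF

    # 1. The custom root (self-signed CA certificate).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/ca.cnf" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # 2. An unrelated root that the custom root has no relation to.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/other.cnf" -keyout "$dir/other_root.key" -out "$dir/other_root.crt" 2>/dev/null
    # 3. A leaf for www.example.com, signed by the custom root's private key.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/leaf.cnf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# chain_verifies CAFILE CERT
#   Exit 0 if CERT chains to a root in CAFILE. This is the decision a browser
#   makes with its trust store: the same leaf is accepted or rejected purely
#   depending on which roots are trusted.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_issuer CERT
#   Print the issuer DN of CERT in RFC 2253 form, e.g. "CN=Example Corp Interception Root".
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# issuer_is_expected CERT EXPECTED_ISSUER
#   Exit 0 if CERT was issued by EXPECTED_ISSUER. A client that knows which
#   public CA issues a site's certificates can use this to notice that a locally
#   trusted, non-public root is now signing for that site (a basic pinning check).
issuer_is_expected() {
    [ "$(cert_issuer "$1")" = "$2" ]
}

# Demo run: same certificate, two trust stores, two outcomes.
demo_dir=$(mktemp -d)
make_interception_pki "$demo_dir"
if chain_verifies "$demo_dir/root.crt" "$demo_dir/leaf.crt"; then
    echo "custom root trusted:     www.example.com certificate accepted"
fi
if ! chain_verifies "$demo_dir/other_root.crt" "$demo_dir/leaf.crt"; then
    echo "custom root not trusted: www.example.com certificate rejected"
fi
echo "issuer seen by the client: $(cert_issuer "$demo_dir/leaf.crt")"
```

The issuer check is the practical takeaway for a user: a public site's certificate is normally issued by a well-known public CA, so an issuer naming the organisation whose root you were asked to install is direct evidence that an intercepting proxy is sitting in the path and re-signing traffic, exactly the active man in the middle the first answer describes.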


Unless the same org also installs software that acts as a proxy for all internet traffic. It requires active interception, decryption, and re-encryption of all traffic.

Why else do you think they want you to install their root cert? If it was for a legitimate purpose (securing their own properties), they could obtain certificates from a trusted third-party CA. If they want to become a root, with the ability to sign anything, it's because they want to operate outside of the rules of a legitimate CA — that is, they want to impersonate other sites on the internet in order to monitor your traffic. Software to do so is readily available to all kinds of businesses and organizations. In short, someone who asks you to install their root cert is MITMing you, at least some of the time, and probably at all times when you are connected to their network.