r/techsupport Jul 16 '22

Can I install my school's SSL Certificate in a VM? Open | Networking

Title says it all.

My school is requiring that all students install an SSL certificate to access the school network. They claim that it's to 'keep us safe online', but as far as I'm concerned, my school would be able to monitor all my network traffic, and that isn't ideal.

It is expected of me to have a Windows laptop. I have an M1 MacBook, so I can't just dual boot Windows and use that installation solely for school. I'm guessing I have to use a VM.

What are my options? This isn't college, so hotspots aren't allowed. Is it possible to connect to School Wi-Fi on my host machine and isolate the certificate in the VM so that they can only spy on me in there? Does Windows for ARM run normal x86 Win32 apps?

I don't think my school supports macOS, so a VPN or proxy, whether they provide protection or not, would not be suitable.

I currently have one of the school-provided laptops right now, so if further information is needed, I may be able to pull some data off that. Those school laptops are rental devices, and I have to return them soon.

More Information

  • School uses WPA2 Enterprise. Attempts to access the internet without this certificate will result in a message prompting you to install 'BYODclient.exe', which I assume contains the Certificate.
  • Attempting to access the school website when connected to School Wi-Fi and with the certificate installed brings me to some Windows Server page with 'Welcome' printed in different languages. Clicking 'Welcome' leads me to Windows Server Documentation. Accessing the school website at home brings me to the normal website. I don't know if this is related.
  • School SSL Certificates are provided by this company called Cyberhound (also known as Superloop, not much information is available about this company).
  • There's not much 'experimenting' that I can do with my school laptop. I am not an Administrator.


I don't want this spyware on my main machine.

Thanks for reading. Don't know if this is the correct subreddit. I apologize in advance if my knowledge of this stuff is seriously mistaken.

86 Upvotes

23

u/george_toolan Jul 16 '22

FYI BYOD = Bring Your Own Device

which should allow to connect your own netbook to the school's network.

1

u/LoganDark Jul 20 '22

Here's the deal with BYOD: Whereas work-provided devices are typically already locked down and preinstalled with monitoring software, your personal computer isn't. That's a problem, in the eyes of the school.

BYOD is a way of locking down and monitoring your personal device. You DO NOT want to install that on your computer. You definitely want to install it in a VM that you don't use for anything else.

Also, read the OP, they said they have a Mac, so they need a VM anyway.

64

u/Smokescreen690 Jul 16 '22

Cyberhound is an Internet filtering tool, you can bet it's a custom CA (i.e. intercepting SSL traffic). I went to their site and downloaded the certificate; it's a CA.

With a CA (Certificate Authority) they can absolutely monitor SSL traffic that isn't making use of SSL cert pinning.

This is a typical setup in an enterprise environment for company owned devices or for gov devices.

The whole "to keep us safe" statement made by the school sounds to me like they want to intercept traffic with a custom CA.

34

u/adamski234 Jul 16 '22

It's not about safety, it's about control. As it has always been.

23

u/loosebolts Jul 16 '22

It’s about stopping minors seeing inappropriate material on the school network. If schools didn’t have web filtering they’d be failing their duty of care towards the students.

As school IT guys, we couldn’t give a shit what you look at online, but if you manage to view inappropriate material and a teacher sees, then you can bet your life we’d get it in the neck for not filtering properly.

5

u/SoulCheese Jul 16 '22

Absolutely. This is common sense.

2

u/MGR_Raz Jul 17 '22

Do you guys have a firewall? Could just block it off the wifi/boh network. I block nodes on a few of the properties I manage.

1

u/loosebolts Jul 17 '22

Of course, but content filtering goes a lot deeper than blocking via firewall.

Enforcing SafeSearch, different web policy rules for staff and student accounts, disabling QUIC, blocking inline ads - it all requires decrypting the SSL traffic.

The only difference is that on the school's internet connection you should be advised not to do your online banking or other things as part of the AUP.

We’re not looking to spy on anyone, we are literally upholding our duty of care to the students.

1

u/MGR_Raz Jul 17 '22

I guess it’s a big difference considering they’re school kids

9

u/Smokescreen690 Jul 16 '22 edited Jul 16 '22

What makes this worse is these are BYODs, not issued devices.

3

u/loosebolts Jul 16 '22

Yeah so we could turn off HTTPS interception on the BYOD VLANs, but you’d see an insecure site warning when trying to load the block page.

0

u/KaitRaven Jul 17 '22

They said it's a laptop rented from the school

0

u/Smokescreen690 Jul 17 '22

Why doesn't it come pre-deployed with their software then?

Also why does OP think that OS X is not supported by the school if they rented out the Mac?

Why does the school expect OP to have a Windows device when they rented out a Mac?

I'm pretty sure there is a miscommunication issue somewhere.

1

u/LoganDark Jul 20 '22

They didn't "rent out" the Mac; it's literally their device, check the OP: "I have an M1 MacBook".

1

u/Smokescreen690 Jul 20 '22

Which is what I assumed considering I called it BYOD in an earlier post but someone decided to throw a mini fit that the Mac is rented so I've asked said commenter a couple of questions which would debunk their theory.

Then they got mad, downvoted and didn't even bother replying.

1

u/LoganDark Jul 20 '22

I think the downvote was me but I must've misunderstood your comment, sorry. Retracted.

-3

u/hunterkll Jul 16 '22

Large business here.... SSL inspection/decryption is primarily a security tool.... (we do allow things to bypass it like known banking sites and specific vendors, but otherwise everything is intercepted for malware scanning and other security tool purposes). Yea, we have content filtering too - but first and foremost it's for security. In this case, they're doing content filtering first and security second, but either way - it's security/safety

2

u/Savings-Narwhal4756 Jul 17 '22

Interesting. So, referring back to my original question, is it possible to isolate the certificate in a VM?

In what circumstances wouldn't this be possible?

Would it be possible to circumvent the certificate as a whole and access the internet without it?

7

u/Smokescreen690 Jul 17 '22

If I were you, I would download Firefox and install the CA certificate locally to just Firefox (as FF doesn't use system-wide CAs). You'd then treat FF like an untrusted browser, as anything you browse on it could be intercepted by anyone who has the CA's private key.

Make sure the CA is not installed system-wide (can be easily confirmed by just opening a different browser; you should get SSL errors or some other warning message if the filter does detection) and no applications are installed (such as that executable they gave you).

A VM would work too.

2

u/Savings-Narwhal4756 Jul 17 '22

I will look into this.

Thank you!

31

u/squished18 Jul 16 '22

You mention that you are not an Administrator on your "school laptop". Just to clarify, is this a laptop that is owned by the school and they are the Administrator? Or is your parent the Administrator?

12

u/wojtekpolska Jul 16 '22

they said the laptop is rented from school, so the school is the administrator (prob to prevent students from installing funny stuff on their laptop)

-1

u/Savings-Narwhal4756 Jul 17 '22

Don't think it matters anymore, but

a. It is a school-rented laptop, so the school does own it;

b. It's like domain-joined, and all students are standard users while all staff are administrators.

3

u/Jay_JWLH Jul 17 '22

If you don't own the device, then don't go trying to act like you do. Whether it be for work or for school, if you don't own the device then treat it like you are being monitored. If you want to do your own private thing, then use your own device. If you want to use your own device on THEIR network, then respect how you use their network or don't use it at all (maybe even use mobile data).

1

u/Savings-Narwhal4756 Jul 17 '22

I think you misunderstood my original post.

Read the original post first; I merely mentioned that I have a school-owned laptop. I did not say that I wanted to circumvent anything on that.

24

u/Titanium125 Jul 16 '22 edited Jul 16 '22

Can you access the internet while on the school WiFi? Oh and the answer to your question is yes, you can install it on a VM leaving your host machine untouched.

Edit: This assumes it is for an HTTPS proxy and that you can access the wifi. Reading your post more closely, it appears you may be getting a proxy certificate and a WiFi certificate, for lack of a better word. If you are off the school network then they will do nothing. There is always the possibility that the school will set your PC to use their proxy for all traffic no matter what. I recommend purchasing a cheap laptop to take to school with you.

17

u/EdwardTennant Jul 16 '22

Yes, this is important. The certificate could either be a cert for wireless authentication using RADIUS (a more secure version of a pre-shared key, essentially), or it is to allow them to decrypt your SSL traffic at a proxy or firewall.

If you can connect to the WiFi without accepting the certificate then it is the latter. If you can't connect then it is likely just for the former.

7

u/Titanium125 Jul 16 '22 edited Jul 16 '22

We already know they are using 802.1x for the WiFi. One does not generally install the SSL cert for 802.1x, you just trust it when connecting to the network. That is different. RADIUS: OP mentioned that in his post. As for the HTTPS proxy, I am asking how it works. If OP can connect to the internet it changes the equation. If it is a transparent proxy then all traffic is already being decrypted, and your web browser just won't allow you to access the site. So it changes the equation a bit.

And I never said it wasn’t important, so not sure where that first sentence came from. (:

2

u/hunterkll Jul 16 '22 edited Jul 16 '22

> One does not generally install the SSL cert for 802.1x, you just trust it when connecting to the Network.

While in this case it appears it's for SSL decryption for a content filtering/inspection security appliance, you're wrong on that fact!

802.1x authentication can work with a machine certificate on the local device presented to the network to authenticate. (You can also use less secure methods such as user/password, but it appears that is not the case here. You can also use current logged in user on AD joined machines).

https://www.securew2.com/blog/wpa2-enterprise-authentication-protocols-comparison

The specific WPA2-Enterprise protocol/802.1x setup you're looking for if you're interested in the cert based (installed certificate on the client machine) is EAP-TLS.

I currently manage such a deployment and have in the past - as small as a 150 user network and the current systems I manage configuration of have 40k endpoints, all of which in both scenarios use certificate authentication to connect to the wireless (Though each machine has its own unique certificate).

So all you needed was a valid internally issued machine certificate installed on your machine (our systems do this automatically, but we can manually generate and install a certificate if we needed to for connecting an unmanaged device).

So yes, if you have an unmanaged machine and it's using certificate authentication for the WPA2-Enterprise 802.1x auth, you would have to install a valid machine certificate issued by the network to authenticate, however, that's all it could be used for (if installed properly and not put in trusted root cert store).

WPA2-Enterprise is 802.1x authentication, and while many types of auth (AD user account, certificate, user/pass) can be used, certificate is one of the most common ones.

0

u/Titanium125 Jul 16 '22

Every 802.1x WiFi authentication I have seen simply asks you to trust the certificate when you connect. No need to actually download and install it like with an https Proxy.

2

u/hunterkll Jul 17 '22

Yea, there's a server certificate involved that must also be trusted by the client machine.

But most common WPA-Enterprise/802.1x deployment scenarios when using managed devices are EAP-TLS which is authentication using a certificate on the client device (and already trusts the CA that issued the server certificate) for best user experience. The other two (user session & user/password) are less used, but have some usage in some scenarios.

WPA Enterprise/802.1x can be configured in a wide variety of ways.

1

u/Savings-Narwhal4756 Jul 17 '22

Sorry, I may be misinterpreting your post but don't all WPA2 Enterprise networks prompt for a username and password when trying to connect?

2

u/hunterkll Jul 17 '22 edited Jul 17 '22

Nope! EAP-TLS configuration uses the machine certificate (or other specified one) to authenticate as opposed to prompting for credentials - the certificate IS the credential.

MSCHAP ones use the current user login (the account you're logged into the machine with) as the credentials instead of prompting you to manually enter a user/password.

PEAP is the one configuration that asks for user/pass.

With us using EAP-TLS, you are *never* prompted for credentials of any kind - the machine automatically connects, even before login, without having to configure/store any alternate credentials. Every machine automatically receives its own unique certificate from our internal CA infrastructure.

1

u/Savings-Narwhal4756 Jul 17 '22

Interesting.

My school network first asks for username and password, then, assuming that the certificate isn't installed, it redirects the user to one of the screens listed here: https://cyberhound.com/byod/

The page above provides some documentation on how my school handles the authentication process. I encourage you to read it.

So I'm assuming my school uses PEAP?

I'm also curious: why is it that when I try to access the school website when connected to school wifi, the website becomes some Windows Server webpage with 'Welcome' printed in different languages? When not connected to school wifi, accessing the website takes me to the normal school website. Why is this? How is this possible?

2

u/hunterkll Jul 17 '22

> the website becomes some windows server webpage with 'welcome' printed in different languages. when not connected to school wifi, accessing the website takes me to the normal school website. why is this? how is this possible?

How?

Some idiot doesn't know how to configure IIS bindings on windows server properly, that's how. :) Simple misconfiguration.

In your case, it looks like it might be an agent running in the background to validate the presence of the CA trust certificate for SSL inspection.

1

u/[deleted] Jul 16 '22

[deleted]

1

u/Titanium125 Jul 16 '22

I presumed this was an https proxy cert.

13

u/_STY Jul 16 '22

I've set up firewalls for K-12s before; if I had to guess, they are asking you to trust the PKI used for deep packet inspection on the firewall to be able to decrypt your SSL traffic.

A certificate is not "spyware", it allows your device to trust services hosted by your school, such as the firewall. If you were at home or on a cellular connection or something the certificate does nothing.

BYODclient.exe sounds really suspicious though.

The Welcome Website thing just sounds like a default IIS page. They likely have an IIS app installed and never replaced the placeholder page.

If your school provided you a laptop to use you're kind of stuck, it's their stuff they can do what they want with it even if you use it. It sounds like the school never intended to support Mac devices for students and you're seeing the sad end of that.

2

u/Savings-Narwhal4756 Jul 17 '22

CyberHound's website provides some documentation on the process:

https://cyberhound.com/byod/

So it looks like Mac devices are supported, and they are requiring me to install byodupdater.pkg, which I assume contains the certificate to access the internet.

1

u/_STY Jul 17 '22

I see. Any time a client is installed all bets are off, an agent running locally can basically decide whatever it wants to do.

If you're interested in Deep Packet vs. Certificate Inspection, you can take the laptop they gave you, try connecting to any SSL-protected website and examine the cert in the browser. If it was issued by Cyberhound or your school's PKI, that means they can completely decrypt the traffic, basically performing a MITM attack. If the cert shows as issued by a publicly trusted CA, they are not using deep packet inspection, rather just examining the certificate presented by the website, stripping that data off (as it is unencrypted) and using that to determine where you're going.

Someone with more virtualization experience might be able to chime in here, but even if you did manage to spin up a Windows VM, your virtual network adapter on the host would still need internet access, which is being prevented by not having the package installed on the host. Maybe there's some fancy configuration that could be done here?

Sad to say it sounds like you either have to install the agent if you want to use the school network or use their loaned devices to keep yours out of the picture. I can understand why you don't want the school to be able to see your traffic but at the end of the day it's their stuff and they can do what they want.

0

u/hunterkll Jul 16 '22 edited Jul 17 '22

In this scenario, an 'enterprising' student who gets ahold of the CA certificate to trust the CA could have a whole lot of fun if you're trusting the school filtering CA on your personally owned machine :)

(edit to clarify: entire export including private key, not just the public portion that you install in the Trusted Root Certification Authorities cert store on a Windows machine... well, technically you could install it there with the private key too, but that'd be a major gaffe on someone's part)

I know that's damn sure something I would have attempted while I was in high school .... if I hadn't already achieved most network access and domain admin.... ;)

2

u/_STY Jul 17 '22

No, CA certificates are meant to be distributed. You might be thinking of holding the private keys associated to that cert. A public cert associated to private keys is the foundation of all PKI used by every government/organization.

1

u/hunterkll Jul 17 '22

That's what I meant - not just the public portion of it, the entire PEM export with private key included....

I'd hope I understand PKI being in charge of a smart card issuing system in a F100 defense contractor LOL

1

u/_STY Jul 17 '22

Having also worked for an F500 managing smartcards I do not envy you haha.

1

u/hunterkll Jul 18 '22

Bah! With the right software stack and such, my only real involvement is upgrading the CMS and occasionally teaching people how to use it to issue credentials and whatnot. No big deal! :)

I mean sure, the initial deployment required a deep understanding of PKI and all that jazz, but after that it runs itself (unless the CA is down, or the network breaks communication, or someone tries to use an old version of the admin software, etc. etc..... heh)

3

u/cheesycheesehead Jul 17 '22

There are a lot of wild comments in this thread. For anyone not familiar with CIPA, go look it up. K-12 orgs are required to keep students safe and filtered from adult materials when they are utilizing their services... this includes a BYOD network. The school is using the certificates to decrypt any SSL traffic to monitor what you are doing on their network. Yes, a firewall does provide content filtering on the network; however, there are so many ways to bypass these filters that SSL decryption just provides an extra layer of security.

The certificate doesn't provide any additional information while off their network, it's just used for the decryption process while utilizing their network services.

I see some comments about this being about "control" or snooping... no, it's just about the employees covering their ass since it's a legal requirement.

5

u/[deleted] Jul 16 '22

[deleted]

4

u/Smokescreen690 Jul 16 '22

If they are asking for users to install a CA (Certificate Authority), they can absolutely monitor SSL traffic that isn't making use of SSL cert pinning.

This is a typical setup in an enterprise environment for company owned devices or for gov devices.

The whole "to keep us safe" statement made by the school sounds to me like they want to intercept traffic with a custom CA.

Cyberhound is an Internet filtering tool, you can bet it's a custom CA (i.e. intercepting SSL traffic).

3

u/Savings-Narwhal4756 Jul 16 '22

Interesting. I read on StackOverflow that SSL certificates can monitor network activity. Forgive me if I'm wrong. Perhaps it's a different kind of certificate that they install? There's a million other possibilities.

The BYODclient.exe thing that they install seems quite shady as it's running in the background at all times.

Correcting the original post: MacOS is supported by my school. I don't know how the process works on a Mac since I haven't connected it to the school network.

7

u/RWTF Jul 16 '22 edited Jul 16 '22

I believe it’s probably a certificate specifically for WIFI encryption. More details on the top comment here.

https://security.stackexchange.com/questions/102550/what-are-wifi-certificates-used-for-what-are-they

Also to add, if you're on school wifi, regardless of certificate or wifi or hardwired, assume they can view your network traffic in some way.

3

u/Rainmaker526 Jul 16 '22

It's probably a client certificate for authentication to wifi or VPN.

A "shady client application" can of course do monitoring or spying. But it's got nothing to do with an SSL certificate.

1

u/hunterkll Jul 16 '22

SSL certificates in and of themselves cannot.

If this is indeed for content filtering... then here's how it works:

A device on their network has all the traffic funneling through it.

It will act as the client device talking to the remote system for the purposes of the HTTPS/SSL connection, thereby being able to decrypt all the traffic.... which it then re-encrypts, now signed with that device's certificate.

What installing the certificate as a trusted root means is that you now trust that device's signing and thereby browsers show the SSL certificate as valid, whereas without it you'd have to click on "proceed anyway" or other SSL warnings about invalid certificates to proceed further to websites.

In both scenarios, the school is already intercepting/scanning all traffic - there is no way around that - what changes here is that applications accept the re-signed content happily or display warnings on everything you attempt to access that you then have to bypass.
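The check that _STY describes above (look at who issued the certificate a site presents on the school network) and the two outcomes hunterkll lists (re-signed content accepted silently once the CA is trusted, or certificate warnings when it is not) can be turned into a small script. The following is an added example, not code from the thread, from Cyberhound or from any school's BYOD tooling: it records the leaf certificate a site presents, and compares it with a reference captured on a network you trust. The host name, certificate fields and fingerprints in it are constructed placeholders.

```python
"""Detect TLS interception by comparing the certificate a server presents now
with a reference captured on a network you trust (e.g. at home).

Added example; the host, fingerprints and certificate fields below are
constructed placeholders, not values from the thread."""
import hashlib
import socket
import ssl

DIRECT = "direct: presented certificate matches the reference"
RESIGNED_TRUSTED = "intercepted: re-signed by a CA this machine trusts"
RESIGNED_UNTRUSTED = "intercepted or misconfigured: presented chain is not trusted here"


def fetch_presented_cert(host, port=443, timeout=5):
    """Handshake with host; return (verified, cert_dict, sha256 hex of the leaf DER).

    A normal verifying handshake is tried first. If the chain fails validation
    (what you see when an inspection CA is *not* installed), a second,
    non-verifying handshake reads the presented leaf anyway; in that fallback
    cert_dict is empty, because getpeercert() returns no fields without
    verification. Needs network access; the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return True, tls.getpeercert(), hashlib.sha256(der).hexdigest()
    except ssl.SSLCertVerificationError:
        pass
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return False, {}, hashlib.sha256(der).hexdigest()


def issuer_name(cert):
    """Flatten the issuer tuple from getpeercert() into 'O=..., CN=...' form."""
    short = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}
    parts = []
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            parts.append(f"{short.get(key, key)}={value}")
    return ", ".join(parts)


def issuer_changed(observed_cert, reference_cert):
    """True when the issuer differs from the one seen on the trusted network."""
    return issuer_name(observed_cert) != issuer_name(reference_cert)


def classify(verified, observed_fp, reference_fp):
    """Map a handshake result onto the three outcomes discussed in the thread."""
    if not verified:
        return RESIGNED_UNTRUSTED       # CA not installed: browsers warn on every site
    if observed_fp == reference_fp:
        return DIRECT                   # same leaf as at home: nobody in the middle
    return RESIGNED_TRUSTED             # CA installed: middlebox's cert accepted silently


# --- constructed sample data (not real certificates or fingerprints) ---
REFERENCE_FP = hashlib.sha256(b"constructed leaf DER seen from home").hexdigest()
RESIGNED_FP = hashlib.sha256(b"constructed leaf DER seen on school wifi").hexdigest()

ORIGIN_CERT = {   # shape of a publicly issued leaf, as getpeercert() returns it
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public TLS CA 1"),)),
}
RESIGNED_CERT = {  # same subject, but issued by a hypothetical filtering CA
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("organizationName", "Example School Filtering"),),
               (("commonName", "Example School Inspection CA"),)),
}


def demo():
    """Classify the three constructed situations; returns the verdicts in order."""
    return (
        classify(True, REFERENCE_FP, REFERENCE_FP),   # at home
        classify(True, RESIGNED_FP, REFERENCE_FP),    # school wifi, CA installed
        classify(False, RESIGNED_FP, REFERENCE_FP),   # school wifi, CA not installed
    )


if __name__ == "__main__":
    for verdict, cert in zip(demo(), (ORIGIN_CERT, RESIGNED_CERT, RESIGNED_CERT)):
        print(f"{verdict:68} issuer: {issuer_name(cert)}")
    # Live use (network required): fetch_presented_cert("www.example.org")
```

In practice you would call fetch_presented_cert() once at home and once on the school network for the same host and feed the two fingerprints to classify(). A mismatch while verified is True means a CA this machine trusts, for example one a BYOD agent installed system-wide, is re-signing the traffic; verified False is the "different browser shows SSL errors" case Smokescreen690 mentions.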

2

u/LoganDark Jul 20 '22

If you use "bridged" networking, your VM should be able to connect to the network as if it were its own machine, with its own IP address and everything. I'm pretty sure this is the default for VirtualBox and VMware, so you should be good there. Not sure about Parallels.

But yes, use a virtual machine. You don't want to install their certificate on your device - it will allow them to decrypt every HTTPS site you visit. Even if you found a way around their "BYODclient.exe" spyware.

3

u/General-Stryker Jul 16 '22

Wild that this is legal. For a company, sure, but a school? Insane.

4

u/CumbersomeNugget Jul 16 '22 edited Jul 25 '22

Schools are accountable for students' well-being.

It's not really much different than having a teacher on yard duty making sure everything's all right.

-11

u/Better_Freedom_7402 Jul 16 '22 edited Jul 17 '22

but even without the certificate, they would be able to monitor your traffic and see what websites you are going to.

edit: not sure why I'm being downvoted; if you're on a public network, don't expect privacy. If they have something like Cisco Firepower, they will see the name of your device, the IP address and the websites that you go to.

6

u/wojtekpolska Jul 16 '22

every website these days uses HTTPS, so (without cert) they will only see the website URL.

1

u/hunterkll Jul 16 '22

This is a content filtering solution as well as other features - so every https website will be showing invalid cert unless he trusts their root CA certificate (which is what they are providing).

So regardless of installing that certificate or not - they already see all the traffic. The only difference is that not installing the certificate means everything will throw SSL warnings for untrusted certificate, and installing their CA certificate on your machine will make those warnings go away. Nothing else to it.

1

u/CakeDanceNotWalk Jul 17 '22

Actually they can't even see the URL. The URL is part of the HTTP request header. HTTPS operates on the higher level, hence encrypting the URL too.

1

u/LoganDark Jul 20 '22

They will only see the IP address. Sometimes they can perform reverse DNS on it or perform correlation with DNS servers they control, but other than that, they don't know shit.

3

u/ANAL_SHREDDER Jul 16 '22

They would be able to see DNS requests but they wouldn't be able to see anything beyond that. They wouldn't be able to see anything if you were using a VPN.

I'm curious if installing this certificate would render a VPN useless in the privacy sense.

1

u/hunterkll Jul 16 '22

It wouldn't, but at the firewall level there's probably application policies blocking it.

Primarily though, if they're using SSL decrypting content filtering solutions, then it doesn't matter - if he doesn't install the cert, every https site will just show an untrusted certificate (since the content is decrypted by the device/solution and re-encrypted using the device's CA certificate which obviously isn't installed on every machine in the world).

1

u/CaptainScrambles Jul 17 '22

It should go without saying but your school will be able to monitor your network traffic regardless of the security certificate on any device you connect to their wifi.

1

u/InspectorRound8920 Jul 17 '22

Create a second account?

1

u/Savings-Narwhal4756 Jul 17 '22

Will it be isolated in there?

1

u/InspectorRound8920 Jul 17 '22

What if you sign in as a guest?

0

u/OGChodBone Jul 16 '22

If you set up a VM you might need to also equip a virtual stabilizer.