مدرسه گواهی ریشه خود را بر روی کامپیوتر نصب شده است، آنها هنوز هم قادر خواهید بود برای دیدن ترافیک رفتن را از طریق شبکه اختصاصی مجازی?
12 دیدگاه برای “مدرسه گواهی ریشه خود را بر روی کامپیوتر نصب شده است، آنها هنوز هم قادر خواهید بود برای دیدن ترافیک رفتن را از طریق شبکه اختصاصی مجازی?”
دیدگاهها بسته شدهاند.
They would be able to decrypt https traffic if they played mitm with you. Encryption over vpn is handled using a different certificate so that traffic is safe from them.
Can someone ELI5 root certificates please?
They would be able to decrypt your HTTPS traffic.
[deleted]
They will not be able to see if you use OpenVPN with certificates on client AND server side to prevent man in the middle attack which is basically what (I’m guessing) the schools firewall does by having a root certificate installed on the computer. This works because most https etc uses the client cert to verify encrypted websites using a certificate authority. Generally openvpn has self signed certificates and should be able to bypass this.
yes they would be able to deccrypt your https traffic and any other VPN traffic.
That depends on a lot of different factors. Ideally, a well done VPN configuration wouldn’t allow this (it would just fail to connect instead.) But, not all VPNs are configured well. Some things to consider:
1) What type of VPN? The answer is more likely to be “yes” if it is an SSL VPN.
2) What certificates does the VPN client trust? Ideally, it could be locked down to a private certificate store for JUST your VPN provider, as opposed to using the OS store
3) Are you connecting through their network?
Ideally, you would have some sort of VPN, utilizing a custom certificate store with ONLY the certs needed to connect. If that is the case, it will fail to connect instead of giving you a false sense of security.
That being said if THEY have setup their network properly, and they need to do SSL inspection…they will just block any SSL traffic they can’t inspect (and ALL IPsec/PPTP traffic.) If you need to know, just connect to your VPN, go to any site starting with “https”, double click the padlock and look at the certificate chain.
Assume yes. An adversary that injects false root certificates would also be willing to inject other tracking methods. If you are using their computer, assume it compromised.
Would using a virtual machine on said computer along with the vpn software within the VM be a resolution?
I can’t say if they’d be able to decrypt your VPN traffic but they’ll certainly notice it if they look. At my school we specifically block VPN traffic for students.
Someone correct me on this if I’m wrong, but just having “root certificates” installed would not be enough to do MITM attack, I think. They would then have to make their own fake certificate for each site you’re sending traffic to. So your browser asks for a cert to encrypt to site X, trusts root cert which leads it to a fake cert for X, your browser uses fake cert for X, they decrypt traffic and save it, then re-encrypt with real cert for X, and send traffic out. School would have to be running its own DNS and custom firewall/router/translator, essentially, and making lots of fake certs. They’d have to be doing lots of work. Do I have this right ?
They could but likely aren’t. Run a test, connect VPN, go to an https site, check the certificate validation chain. If it points to the school CA, they are decrypting the traffic.