> You can't just install a root cert over the network. It requires machine admin approval, which is implicit if you've joined a NT domain [..]

You said "implicit" and I think that's the key word here. I'm imagining the user clicked on "join NT domain" and I imagine there were no warnings that this is a very dangerous thing to do. It's perfectly conceivable that people will do this without realising how dangerous it is.

In essence, you give up control of your laptop and say to the NT domain "do what you will". In this case, it involved installing the school's root CA, but it could equally install trojan software or other activity to compromise the security of laptop.

Joining an NT domain is, perhaps, the right thing to do under some circumstances; however, it should come with a hefty warning that you must completely trust the admins of this NT domain and that the future security of the laptop is dependent on this trust.

My impression is that no such warning was issued; this is the elephant.

In theory at least, Verisign would never issue a certificate for "amazon.com" to the school --- at least, they try very hard not to. Verisigns business is based on people trusting them to vet who they give certificates to. If they gave an "amazon.com" certificate to a school then they would be out of business pretty quickly. There are examples of CAs going out of business for exactly this reason: no longer being trustworthy.

The point here is that, when using the school's WIFI, your browser will receive a certificate signed by the school's CA saying it's "amazon.com". A normal off-the-street laptop would scream blue murder at this point (or should) as something fishy is going on. A "school administered" laptop would simply accept the certificate and show the web-page.

I think you need to review you understanding of X.509. If your client trusts a Certificate Authority then it trusts certificates issued by that CA. This allows anyone who can intercept the network traffic to conduct Man In The Middle attacks. Read up on it on Wikipedia.

This is not limited to the school website.

If what is reported is true then this isn't limited to the school's website and it is a big deal.

No, this explanation doesn't pass muster.

If you can't allow secure web-browsing then don't allow it.

There is no excuse for breaking the security system used for online banking.

Apart from any moral issues, consider the liability if someone else gets hold of your private key and empties everyone's bank accounts.

All the comments I've read so far have been on whether or not the school is morally right in deploying a Man-In-The-Middle attack. While an interesting question, for me this is missed the big point: which OS/Web-browser is so insecure that it accepts a root certificate from the network like this?

When a Web-browser or OS accepts a new Certificate Authority certificate there is an tacit acceptance of trust: you trust that whoever holds the corresponding private key will behave responsibly --- given online banking is secured via the same security infrastructure, that's some level of trust! There's no reasonable way this can happen automatically: you, personally, must indicate that you trust the CA involved. This normally this happens transitively: by installing Firefox, or using your OS you trust the people to have selected trust-worthy CAs.

While people can point to this as another nail in the SSL/TLS coffin, it doesn't help when software is so broken like this. Any Web-browser or OS that accepts a new Root CA (either automatically or without warning the user exactly how dangerous is accepting it) is so broken that you should immediately stop using it for any secure interactions.

Not forgotting (seeminly multiple) countries closing their airspace on the chance that you might be on board.

I have to say I have always generally been impressed with the /. redesigns and this is no exception. Well done team, thanks again not just for a great site but for continuing to make it look and work better for all the users.