Recently, the organisation that provides our traffic filtering through the school I manage the network for had a problem — Google had switched all traffic to TLS, and searches could no longer be filtered.
This company’s solution was to create a root certificate that schools install that masquerades as Google’s, much like the recent fury with GoGo and in-flight filtering.
This is obviously a ridiculous idea, and breaks the whole concept of certification, but I had little choice but to comply for the moment, as with no access to Google services, I may as well resign.
Whilst muttering to myself that I should have stood up for the good of tech, and refused to go along with this madness, I had to install the certificate on the iPads we have here.
And oh my, it was easy.
Bearing in mind this is a certificate that allows decryption of all traffic to Google servers, I was shocked. It’s as simple as:
Click the link to the .crt in Safari.
Click Install.
Is that really OK? How often do the general public need to install certificates manually? I cannot see a usability reason for the ease of install that comes anywhere close to the security implications.
Am I the only frustrated, worried sysadmin out there that thinks this?
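Added example, not part of the question above and not any vendor's or Apple's code: when a root certificate is pushed to managed iOS devices it arrives as a configuration profile (a `.mobileconfig` XML plist) carrying a `com.apple.security.root` payload, so one thing an administrator can do before approving a vendor's profile is parse it, list every payload that adds a trust anchor, and compare each certificate's SHA-256 fingerprint against an allowlist of roots the school has actually agreed to. The profile below is constructed inline for the example and its certificate bytes are placeholder text rather than a real DER certificate; the payload type strings are Apple's documented profile payload types, while the file name, identifiers and allowlist handling are assumptions for illustration. It uses only the Python standard library.

```python
import hashlib
import plistlib

# Payload types that change what the device trusts (Apple profile payload types).
TRUST_PAYLOAD_TYPES = {
    "com.apple.security.root",    # installs a root CA into the device trust store
    "com.apple.security.pem",     # PEM-encoded certificate(s)
    "com.apple.security.pkcs1",   # DER-encoded certificate
    "com.apple.security.pkcs12",  # identity: certificate plus private key
}

# Constructed sample .mobileconfig: a harmless Wi-Fi payload next to a root CA
# payload. The <data> element is base64 of the placeholder bytes
# b"CONSTRUCTED-NOT-A-REAL-CERT", not a certificate.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Filtering Vendor Profile (constructed)</string>
  <key>PayloadIdentifier</key><string>example.filtering.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.filtering.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>School-WiFi</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.filtering.rootca</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadCertificateFileName</key><string>filter-root.crt</string>
      <key>PayloadContent</key>
      <data>Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1DRVJU</data>
    </dict>
  </array>
</dict>
</plist>
"""


def fingerprint(der_bytes):
    """SHA-256 hex fingerprint of the raw certificate bytes in a payload."""
    return hashlib.sha256(der_bytes).hexdigest()


def iter_payloads(profile):
    """Yield each inner payload dict of a top-level Configuration profile."""
    for payload in profile.get("PayloadContent", []):
        if isinstance(payload, dict):
            yield payload


def find_trust_payloads(profile_bytes):
    """Return a summary of every payload that adds a certificate or identity."""
    profile = plistlib.loads(profile_bytes)  # <data> elements decode to bytes
    findings = []
    for payload in iter_payloads(profile):
        ptype = payload.get("PayloadType", "")
        if ptype not in TRUST_PAYLOAD_TYPES:
            continue
        content = payload.get("PayloadContent", b"")
        if not isinstance(content, (bytes, bytearray)):
            content = str(content).encode()  # PEM payloads may be a string
        findings.append({
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", "?"),
            "filename": payload.get("PayloadCertificateFileName", "?"),
            "der_len": len(content),
            "sha256": fingerprint(bytes(content)),
            "installs_root_ca": ptype == "com.apple.security.root",
        })
    return findings


def audit(profile_bytes, allowed_sha256=frozenset()):
    """Split trust payloads into (all findings, those not on the allowlist)."""
    findings = find_trust_payloads(profile_bytes)
    unexpected = [f for f in findings if f["sha256"] not in allowed_sha256]
    return findings, unexpected


if __name__ == "__main__":
    found, not_allowed = audit(SAMPLE_PROFILE)
    for f in found:
        flag = "ROOT CA" if f["installs_root_ca"] else "cert"
        print(f"{flag:7} {f['identifier']:30} {f['filename']:16} sha256={f['sha256'][:16]}...")
    print(f"{len(not_allowed)} trust payload(s) not on the allowlist")
```

Run against the profile you were asked to install, the script reports one `ROOT CA` payload and, with an empty allowlist, flags it as unexpected; once the fingerprint has been reviewed and added to the allowlist the same profile audits clean, which gives a repeatable check for any later profile the vendor sends.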