First time accepted submitter paddysteed writes "I go to secondary school in the UK. I went digging around the computers there and found that on the schools machines, there was a root CA from the school. I then suspected that the software they instruct windows users to install on their own hardware to gain access to the BYOD network installed the same certificate. I created a windows virtual machine and connected to the network the way that was recommended. Immediately afterwards I checked the list of root CA's, and found my school's. I thought the story posted a few days ago was bad, but what my school has done is install their certificate on people's own machines — which I think is far worse. This basically allows them to intercept and modify any HTTPS traffic on their network. Considering this is a boarding school, and our only method of communicating to the outside world is over their network, I feel this is particularly bad. We were not told about this policy and we have not signed anything which would excuse it. I confronted the IT department and they initially denied everything. I left and within five minutes, the WiFi network was down then as quickly as it had gone down, it was back up. I went back and they confirmed that there was a mistake and they had 'fixed' it. They also told me that the risk was very low and the head of networks told me he was willing to bet his job on it. I asked them to instruct people to remove the bad certificate from their own machines, but they claimed this was unnecessary due to the very low risk. I want to take this further but to get the school's management interested I will need to explain what has happened and why it is bad to non-technical people and provide evidence that what has been done is potentially illegal."